Can Firebase Phone Authentication be used simply for device-ownership verification? - firebase

I'm using Firebase in a react-native project, and I want to incorporate an SMS one-time-pin while in the registration process. I don't want to use Phone Number Authentication for login purposes. Is this possible and how can it be done if so? If not, what are recommended options for an SMS OTP service?
Edit: phone number ownership verification

Firebase Authentication only validates that the end user owns the phone number that they entered. It says nothing about the device they used to sign up. They could easily remove the SIM card, sell the original device, put the SIM card in another device, and sign in again with no trouble.
Recommendations for offsite resources, including services and products, are off-topic for Stack Overflow, so you should do a web search or ask in another forum in order to find alternatives.
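What a phone-number ownership check at registration involves on the server side, as an added example that is not part of the original question or answer and does not use any Firebase API. The function names, the 5-minute lifetime and the 5-guess limit are assumptions, and delivering the returned code through an SMS provider is left to the caller.

```javascript
// Added example (constructed): OTP issue/verify for phone-number ownership checks.
const nodeCrypto = require('node:crypto');

const OTP_TTL_MS = 5 * 60 * 1000;              // assumed code lifetime
const MAX_ATTEMPTS = 5;                        // assumed guesses allowed per issued code
const SERVER_KEY = nodeCrypto.randomBytes(32); // per-process MAC key, not stored with the codes
const pending = new Map();                     // phone -> { mac, expiresAt, attemptsLeft }

// MAC over phone and code: the table holds no plaintext codes, and a code
// issued for one number cannot verify a different number.
function otpMac(phone, code) {
  return nodeCrypto.createHmac('sha256', SERVER_KEY).update(`${phone}:${code}`).digest();
}

// Issue a fresh 6-digit code; any earlier code for the same number is replaced.
function issueOtp(phone, now = Date.now()) {
  const code = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, '0');
  pending.set(phone, {
    mac: otpMac(phone, code),
    expiresAt: now + OTP_TTL_MS,
    attemptsLeft: MAX_ATTEMPTS,
  });
  return code; // hand this to the SMS provider, never back to the client
}

// Returns 'verified', 'wrong_code', 'expired', 'locked' or 'no_pending_code'.
function verifyOtp(phone, code, now = Date.now()) {
  const entry = pending.get(phone);
  if (!entry) return 'no_pending_code';
  if (now > entry.expiresAt) {
    pending.delete(phone);
    return 'expired';
  }
  if (entry.attemptsLeft <= 0) return 'locked'; // a new code must be issued
  entry.attemptsLeft -= 1;
  // Both buffers are 32-byte SHA-256 MACs, so the constant-time compare is valid.
  if (!nodeCrypto.timingSafeEqual(entry.mac, otpMac(phone, String(code)))) {
    return 'wrong_code';
  }
  pending.delete(phone); // single use: a verified code cannot be replayed
  return 'verified';
}
```

A 'verified' result shows control of the number at that moment only; as the answer above says, it says nothing about the device.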

Related

Why does Firebase Analytics show 4800 users for my app but Authentication show only 1027?

My app uses Firebase for authentication and I'm having trouble understanding the discrepancy between the number of authenticated users (1027) and the number of installs (4800):
This suggests that a lot of people installed the app but very few logged into it. If so, why would anyone go to the trouble of installing but not using it? Or am I reading Analytics wrong?
Stack Overflow isn't really the right place to ask about human behavior. There could be any number of reasons why someone installed an app and deleted it without even signing into it.
We also don't know if you allow users to delete their accounts after signing in, which could also explain a difference.
We don't know if your users have multiple devices, which would each count as different (anonymized) users in Analytics, but the same user account in Authentication.
There could even be robotic crawlers trying to use the app, especially if it's a web app.
If you're having problems reconciling what you see in the console, you're probably better off contacting Firebase support to see if something is wrong. But something is probably not wrong at all. Consider instead putting some effort into instrumenting your app with more analytics events to figure out exactly how people are using it, and where they might be falling off before they ever sign in, or if they sign in with multiple devices.
I received an answer from Firebase Support and here's what they said:
The active user calculation in our dashboard is based on the user_engagement of your user who access your application while the app is in foreground state. With that, the active user count is not based on the total count of your authenticated user because we track it using the user_engagement event. This is expected that there would be greater number of active users than your authenticated user count if your user didn’t authenticate and they’re using the app within foreground state.
It turns out that the number of 4800 is the number of "engagements" by the app's users, not the number of users. If the user logs in, then goes to another page, that's two engagements. Firebase Analytics is a great way to analyze what people are doing in the app. I love it!

What service to use to send text message to user's phone?

Is anybody sending out text messages to user's phones with AppMaker? If so, would you mind posting your preferred solution that has been tried and works with AppMaker/Google Cloud?
Thanks!
Neither App Maker nor App Script nor Cloud Platform provides SMS services as first party.
So, you can do market research, choose the service that suits your needs best, and then, if you have any hurdles making it work with App Maker, come back here and ask a more specific question, for instance how to authenticate a 3rd party service.

Firebase 3 - We have blocked all requests from this device due to unusual activity

I was testing my login/sign up feature and for some reason I can't understand Firebase now is blocking all requests from my device.
I've waited one day to try again, but I still have the same problem.
ERROR:
"We have blocked all requests from this device due to unusual activity. Try again later."
What should I do to have access to my database again?
If you use Phone Authentication, here is what to do:
Go to Firebase Console
Authentication ==> Sign-in-method
Go to "Phone" and a pop-up will show
Add your phone number at "Phone Numbers for testing" along with a verification code of your choice.
And it works now :)
One of the possible solutions:
Go to your Firebase console -> Auth -> Users table
Locate the user you are testing.
Delete this user.
Retest.
I contacted firebase support and received this message:
The error "We have blocked all requests from this device due to unusual activity. Try again later." is usually thrown when a user is making SMS authentication requests to a certain number of times using the same phone number or IP address. These repeated requests are considered as a suspicious behavior which temporarily blocks the device or IP address.
Additionally, there's a limit of 5 SMS per phone number per 4 hours.
With this, you may try doing the following to resolve the issue:
Reduce the frequency of attempts to avoid triggering the anti-abuse system
Try using whitelisted phone numbers for testing your app
Use multiple testing devices (as the limits are applied per IP or device)
Wait for an hour for the quota to lift
I tried to increase the quota as per @lhk's answer, but their answer is the following:
You also mentioned that you have increased the quota to 1000 but it didn't work. Do note that this "Manage to sign up quota" field is intended for Email/Password and Anonymous sign-ups.
I've run into the same problem.
By default (for the free plan), firebase caps sign-ins to 100 per hour, per IP-address.
This broke our automated testing. You can change the setting like this:
open console
open your project
go to "authentication"
go to "sign-in method"
scroll down to "manage sign-in quota"
That's it. Currently the maximum setting for this quota is 1000 per hour.
This is one of many quirks that I am running into. While Firebase seems to be a nice framework/product/service, at the moment it doesn't seem to be totally ready for broad production deployment yet. In this case I only used one particular (fake) user for testing/debugging and only after just a few attempts (probably no more than 10 sign-ins), I ran into this issue. The funny thing is that my tests delete the fake test-user after each run so I couldn't see any user in my auth user table afterwards. The solution for me was to manually add that user via the "ADD USER" button and then delete it. I think they should have (at least as a workaround) a definable user that is for testing/debugging, who is not subject to this restriction, if they really feel they have to have such a (low) limit.
I have added my phone as a test number in the Sign-in method tab.
Actually, this error occurs when your quota limit is exceeded.
Just add your number and a testing OTP to get it working.
Note: The testing number will not get any OTP message, as we have already defined a static OTP code.
See my answer at https://stackoverflow.com/a/39291794/18132
I went into firebase > Authentication > sign-in method > google and added my client id to the whitelist.
I managed to get this working straight away by resetting the user's password.
Steps are as follows:
Go into your admin console, Authentication, Users
Locate the user
Click on the menu dots in the far right hand column
Choose reset password, then click ok
Follow the steps in the email when it comes through
The error "We have blocked all requests from this device due to unusual activity. Try again later." is usually thrown when a user is making SMS authentication requests to a certain number of times using the same phone number or IP address. These repeated requests are considered as a suspicious behavior which temporarily blocks the device or IP address.
Additionally, there's a limit of 5 SMS per phone number per 4 hours. With this, you may try doing the following to resolve the issue:
Reduce the frequency of attempts to avoid triggering the anti-abuse system
Try using whitelisted phone numbers for testing your app
Use multiple testing devices (as the limits are applied per IP or device)
Wait for an hour for the quota to lift
Add that number of yours to Firebase as a tester. This way you can test it as many times as you want.
Otherwise, when multiple requests come from one number to a project, Firebase treats it as a hacker and blocks it.
Add your number as a tester as follows:
Go to Firebase Console -> Authentication -> Sign-in-method -> Edit Phone -> Phone numbers for testing (optional)
Add your phone number and a verification code of your choice, and that number will then work.
You will not get a verification code from Firebase, but you can enter the verification code you set as a tester and log in through the phone.
One of the causes can be sending too many verification emails to a user's email within a short duration of time. Try adding a duration timer and check if the verification message has been sent within the time duration.
If you are doing tests, a better way to go about it is to add the phone number as a test number under Authentication > Sign in method > Phone. Then add the test number + the verification code you'll use.
I was facing the same issue and I solved this problem by buying the Blaze plan. This blocking seemed like a security measure on Firebase's side.
If you are using Firebase for development purposes, buying the Blaze plan won't cost you anything, as it has the same quota of free services offered in the Spark plan.
Also, setting up Firebase Auth test phone numbers should help.
Per https://firebase.google.com/docs/auth/ios/phone-auth#test-with-fictional-phone-numbers:
Test with fictional phone numbers
You can set up fictional phone numbers for development via the Firebase console. Testing with fictional phone numbers provides these benefits:
Test phone number authentication without consuming your usage quota.
Test phone number authentication without sending an actual SMS message.
Run consecutive tests with the same phone number without getting throttled. This minimizes the risk of rejection during App store review process if the reviewer happens to use the same phone number for testing.
Test readily in development environments without any additional effort, such as the ability to develop in an iOS simulator or an Android emulator without Google Play Services.
Write integration tests without being blocked by security checks normally applied on real phone numbers in a production environment.
Fictional phone numbers must meet these requirements:
Make sure you use phone numbers that are indeed fictional, and do not already exist. Firebase Authentication does not allow you to set existing phone numbers used by real users as test numbers.
One option is to use 555 prefixed numbers as US test phone numbers, for example: +1 650-555-3434
Phone numbers have to be correctly formatted for length and other constraints. They will still go through the same validation as a real user's phone number.
You can add up to 10 phone numbers for development.
Use test phone numbers/codes that are hard to guess and change those frequently.
Create fictional phone numbers and verification codes
In the Firebase console, open the Authentication section.
In the Sign in method tab, enable the Phone provider if you haven't already.
Open the Phone numbers for testing accordion menu.
Provide the phone number you want to test, for example: +1 650-555-3434.
Provide the 6-digit verification code for that specific number, for example: 654321.
Add the number. If there's a need, you can delete the phone number and its code by hovering over the corresponding row and clicking the trash icon.
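The kind of per-number and per-IP send limit described in the quoted support message, written as a sliding-window check you could place in front of your own SMS send path or use to pace automated tests. This is an added example, not Firebase's implementation: the 5-per-4-hours figure is the one quoted on this page, while the per-IP value and all function names are assumptions.

```javascript
// Added example (constructed): sliding-window throttle for OTP SMS sends.
const PHONE_LIMIT = { max: 5, windowMs: 4 * 60 * 60 * 1000 }; // figure quoted on this page
const IP_LIMIT = { max: 20, windowMs: 60 * 60 * 1000 };       // assumed value, not from the page

const sendLog = new Map(); // key -> ascending timestamps of accepted sends

// Drop timestamps that fell out of the window and report how long to wait.
function windowState(key, limit, now) {
  const recent = (sendLog.get(key) || []).filter((t) => now - t < limit.windowMs);
  sendLog.set(key, recent);
  // When the window is full, the oldest accepted send decides when a slot frees up.
  const retryAfterMs = recent.length >= limit.max ? recent[0] + limit.windowMs - now : 0;
  return { recent, retryAfterMs };
}

// Decide whether an OTP SMS may be sent; the send is recorded only when allowed,
// so rejected requests do not extend the block.
function requestSms(phone, ip, now = Date.now()) {
  const byPhone = windowState(`phone:${phone}`, PHONE_LIMIT, now);
  const byIp = windowState(`ip:${ip}`, IP_LIMIT, now);
  const retryAfterMs = Math.max(byPhone.retryAfterMs, byIp.retryAfterMs);
  if (retryAfterMs > 0) {
    const blockedBy = byPhone.retryAfterMs >= byIp.retryAfterMs ? 'phone' : 'ip';
    return { allowed: false, retryAfterMs, blockedBy };
  }
  byPhone.recent.push(now);
  byIp.recent.push(now);
  return { allowed: true, retryAfterMs: 0, blockedBy: null };
}
```

Returning `retryAfterMs` lets a client show a countdown instead of retrying blindly, which is the "duration timer" idea suggested in one of the answers above.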

Registering mobile phones on my web site

I am using a variety of mobile device clients such as Blackberry, Android, Windows Phone, iPhone. At the moment I am focusing on Windows Mobile 6.5 (I know it is dated but I actually have one of these phones to test with).
I want to be able to register the app installed on the device with my web server. Now, I could just let the User create a Username+password combination, but I thought it would be cool if the registration/activation process involved the telephone number and/or IMEI being automatically (in code) sent to my server. The benefits of this are obvious: seamless registration, and an added security measure in case the phone is lost/stolen.
Now, I know all about SMS gateways and I guess I would probably have to pay for this service to do what I want - or just let the User enter their telephone number in the login page. I also know that you can send emails to some telephone providers (not all).
Does anyone have any knowledge of any free SMS gateways for small business use, or a pay-as-you-go service, and/or a clever way to register a telephone number with a web site either via GPRS or SMS?
Additionally, any knowledge of where to look to get the IMEI/UUI of the phone in code? It has to cover different devices so a generic way is a must (which rules out OpenCF).
I appreciate it is highly unlikely that there are solutions to this without using an SMS gateway provider, but there are some clever people on this site so I am open to ideas.
Thanks
The IMEI (and phone) number is locked down in the Windows Phone 8 API (for security reasons) so, if you want to make your solution future proof - you are going to have to force the user to find it on their handset and type it in manually. Other platforms (or previous versions of Windows Phone) may not be so strict on this.

Custom message for push registry alert j2me

When I receive a push notification in my j2me application it shows its built-in message at start, what I want to do is to place my own message say "Do You Want to Launch App?" when a notification of invoking application is received! How to change it?
It is unlikely that an application developer would be allowed to do stuff like that on a real phone, and here's why.
This functionality is a part of security sensitive features (if you're interested in details, check documentation like The Recommended Security Policy for GSM/UMTS Compliant Devices).
If this were allowed, malware applications could transform not just the wording but the very meaning of a standard system message, thus tricking the user into doing something wrong.
For example, imagine an application doing tracking of user location, or sending paid SMS, or something similarly sensitive to one's privacy or budget, having the mentioned message changed to:
Click Yes to win million dollars.
As a phone user, the last thing I would want of my device would be to allow tricks like that.
