I don't want to authenticate the user via their phone number that I have already done by using their email id and password. I just want to confirm that they are entering a valid phone number by sending them an OTP and verifying it. All the solutions that I have looked up go on to straight up authenticate the user. I am using firestore as my database.
Firebase allows you to link multiple authentication methods. You can find more details at https://firebase.google.com/docs/auth/web/account-linking
So, once the user is authenticated with email/password, initiate phone number authentication. When you get AuthCredential link it to current firebase user as mentioned in above link.
Other solutions would be to use external SMS gateway like twilio and doing phone number verification on your own. Which isn't required for your use case. In case you still want to try this, there is a free SMS gateway (which uses your own mobile number to send SMS) at https://www.sg.yagnyam.in/.
Related
I'm using a Firebase phone auth as primary authentication. Since the phone is vulnerable, I want to link an email address to it that the user can use to access his account to change his phone number in case he lost his phone or got stolen. I can't find a way how to do it.
I saw a method currentUser.linkWithPhoneNumber(). However, reading its documentation, it says it is only supported on web platforms. Is there any other way to make this possible?
When you authenticate a user with a phone number, the only data that you have inside the FirebaseUser object when the authentication completes, are the UID and the phone number. If you need to add an email address to an existing account, you can request the user to provide an email address. Once you have that, you can update the email address using the FirebaseUser#updateEmail(String email) function. As soon as the account is updated, you can add any functionality related to that email address.
Since you didn't specify a programming language, I linked that function to the Android docs, but certainly, you can do the same thing in the case of any other programming languages.
upon further reading, i found Email Link Authentication that answered everything i've asked.
Linking/re-authentication with email link You can also link this method of authentication to an existing user. For example a user previously authenticated with another provider, such as a phone number, can add this method of sign-in to their existing account.
https://firebase.google.com/docs/auth/flutter/email-link-auth
Is it possible to send an SMS containing a one-time-token to a specific phone number through Firebase Authentication?
Conditions:
My App is a multi-user web app.
There are 2 user roles in My App: Admin, and Member.
I want to:
Member user clicks a button.
Send an SMS containing a one-time token to the admin phone number.
Admin user tell a one-time-token member user.
Member user fills out a form and presses submit.
Token is sent back to the Firebase and verified.
What you're describing is not a built-in flow for Firebase Authentication. The closest equivalent is Firebase's phone number authentication, but in that scenario the one-time password (OTP) is sent to the user who signs in to the app.
So you can either modify your flow to use another step for involving the admin user, or you can build your own provider for Firebase Authentication. In the latter case, you won't be able to use Firebase to send the SMS messages though, but will have to use another provider for that.
Can I use the telephone Firebase Auth code sent by SMS in a Dialogflow agent?
Like this: user receives the code by SMS and is prompted to call the Dialogflow agent that will ask for this code to finish the auth process.
Is it possible?
The final step of Firebase's phone number authentication to sign the user in with their verification code as shown here. As far as I can see this is only possible with the client-side SDKs of Firebase, which means that the sign-in must be completed on the device itself.
In DialogFlow you'd typically use the Firebase Admin SDK. While the Admin SDK supports related operations ("Create a new user with a phone number without having to go through the SMS verification flow" and "Change a user's phone number without having to go through the SMS verification flow"), it doesn't allow you to verify that the user has control of the phone number based on the code that was texted to them.
I've created an account in Firebase using phone authentication. However, from the documentation, it mention that:
If you use phone number based sign-in in your app, you should offer it
alongside more secure sign-in methods, and inform users of the
security tradeoffs of using phone number sign-in
I couldn't find a field to inject the password into the users database.
Should I enable the password/email sign in method? Is there any documentation to refer to?
I added email and password using:
createUserWithEmail:email:password:completion:
2 accounts are created:
I should rephrase my question to:
If the user logout, when they sign in again should they use the phone number, or email and password?
This is what it says in the documentation:
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
So all it means is that it is better to use another method with it, like email/password method.
When you enable that, then the user can create an account using his email, and you do not need the password, only the user id after he creates an account.
more info here:
https://firebase.google.com/docs/auth/ios/password-auth
Base on #Peter Haddad answer:
Updated the code to link the phone authenticated user and email/password authentication method.
FIRAuthCredential *credential =
[FIREmailAuthProvider credentialWithEmail:userEmail
password:userPassword];
[[FIRAuth auth]
.currentUser linkWithCredential:credential
completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
// ...
FIRUser *tmpUser = user;
}];
You should see these in the console (with only one row with 2 authentication type instead of 2 rows) :
I have got the firebase.auth().signInWithPhoneNumber(number, appVerifier) to work nicely, but realized something that I didn't before. As soon as you put in the sms verification code it creates a whole other user under the phone auth, which makes since.
What I want to do however is just allow my current email/password users to add a phone number and then before they sign in have to go through a process of getting a verification sms code and put it in and only then through the success block log that user in.
My current solution is to add the phone number to the email/password account. Go through the phone auth process and if successful log out the phone auth account and then log the email/password account in with the same phone number. This sounds like a bad idea in the long run however, so is there a sms verification without authentication in firebase?
What you can do is to link your email/password user with a phone number credential using linkWithPhoneNumber method of User.
Check out the docs here: https://firebase.google.com/docs/auth/web/phone-auth
Linking to a phone number credential requires the user to verify their phone number with SMS code.
That case does sound like a bad idea.
Unfortunately, Firebase doesn't yet provide SMS verifications without Phone Auth. You'll have to look for a different way to do that.