Firebase Authentication with multi-factor authentication - firebase

Is there a way to implement multi-factor authentication on Firebase Authentication? From my research it seems impossible, since Firebase Authentication has a public REST API with which, assumingly, someone knowing the API_KEY and a user's email/pass could directly sign in to that user's account using
https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[API_KEY]
Thank you

Update: June 2020
From March 12, 2020, it is now possible to set up multi-factor authentication using SMS as the 2nd factor with Firebase for Google Cloud Identity Platform projects, but this is a paid service. This article shows you how to add SMS multi-factor authentication to your web app.
I am quoting from the GitHub Firebase repo here:
Firebase Auth does not support multi-factor authentication. FirebaseUI
cannot support this feature until the underlying SDK supports it. For
2-factor auth, 2 credentials need to be passed to get a Firebase ID
token. Currently, one is enough to get an ID token. You can submit an
official request for multi-factor auth with Firebase support.
However, multi-factor authentication itself works fine with a Google account and FirebaseUI if it is enabled from Google settings.
Hope it helps.

Firebase Authentication with multi-factor authentication should soon be available according to this Google I/O video

Firebase Authentication now supports Multi-Factor Authentication, but it only works for apps using Google Cloud Identity Platform, which is a paid service.
The logic is:
You ask the user to sign in with one of the providers below and also ask them to verify their email.
Email and password
Email link
Google
Google Play
Facebook
Twitter
GitHub
Microsoft
Yahoo
LinkedIn
You ask them for their phone number so you can send them an SMS as the second factor.
In order to enable MFA in your app, you'll need to enable the Identity Platform API. Note that this will also enable billing on your GCP Project, so you'll need to add credit card details.
Documentation links: [Web] [Android] [iOS]
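
A backend can enforce the two-step logic above by checking the claims of the ID token instead of trusting the client. The following JavaScript is an added example, not code from the answers or from Firebase; `checkMfaClaims`, the 15-minute freshness window and the sample claims are assumptions made for illustration, and the claims are assumed to come from a token that was already signature-verified.

```javascript
// Added example (not from the posts or Firebase's docs).
// `claims` must come from an ID token whose signature, issuer, audience and
// expiry were already verified, e.g. by the Admin SDK's verifyIdToken().
const MAX_AUTH_AGE_SECONDS = 15 * 60; // assumed policy for sensitive routes

function checkMfaClaims(claims, nowSeconds, opts = {}) {
  const allowedFactors = opts.allowedFactors || ['phone'];
  const maxAge = opts.maxAuthAgeSeconds ?? MAX_AUTH_AGE_SECONDS;
  if (!claims || typeof claims !== 'object') {
    return { ok: false, reason: 'no_claims' };
  }
  // The flow above asks users to verify their email, so require it here too.
  if (claims.email_verified !== true) {
    return { ok: false, reason: 'email_not_verified' };
  }
  // Present only when a second factor was completed for this sign-in.
  const factor = (claims.firebase || {}).sign_in_second_factor;
  if (typeof factor !== 'string') {
    return { ok: false, reason: 'no_second_factor' };
  }
  if (!allowedFactors.includes(factor)) {
    return { ok: false, reason: 'factor_not_allowed' };
  }
  // auth_time is when the user signed in, not when the token was issued.
  const age = nowSeconds - claims.auth_time;
  if (typeof claims.auth_time !== 'number' || age < 0 || age > maxAge) {
    return { ok: false, reason: 'stale_sign_in' };
  }
  return { ok: true, reason: 'mfa_verified', uid: claims.sub, factor };
}

// Constructed sample claims (not real tokens).
const SAMPLE_NOW = 1700000000;
const PASSWORD_ONLY = {
  sub: 'uid-constructed-1', email_verified: true, auth_time: SAMPLE_NOW - 60,
  firebase: { sign_in_provider: 'password' },
};
const WITH_SMS = {
  sub: 'uid-constructed-2', email_verified: true, auth_time: SAMPLE_NOW - 60,
  firebase: { sign_in_provider: 'password', sign_in_second_factor: 'phone',
              second_factor_identifier: 'constructed-factor-id' },
};
const WITH_SMS_OLD = { ...WITH_SMS, auth_time: SAMPLE_NOW - 3600 };

for (const c of [PASSWORD_ONLY, WITH_SMS, WITH_SMS_OLD]) {
  console.log(c.sub, checkMfaClaims(c, SAMPLE_NOW).reason);
}
```

A token obtained with a password alone fails with `no_second_factor`, so a sensitive route guarded this way rejects it even though the token itself is valid.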

Firebase should now have multi-factor auth:
https://firebase.google.com/support/release-notes/js#version_7110_-_march_12_2020
https://cloud.google.com/identity-platform/docs/web/mfa

MFA in Firebase Auth officially landed on July 26, 2022. Here is the blog post that introduces it: https://firebase.blog/posts/2022/07/new-firebase-auth-features
Here's their official documentation: https://firebase.google.com/docs/auth/web/multi-factor

Related

Is self signup process available with Google Firebase like it does with AWS Cognito?

I'm looking for out-of-the-box signup and sign-in solution. Based on my research AWS Cognito provides the solution. Custom hosted UI, self-sign-up with configurable required fields.
Does Google Firebase or Google Cloud as a whole have similar functionality? Especially self-sign-up flow with configurable required fields.
I see that with Google Firebase an email/password authentication provider is available for sign-in, but I don't see a self-sign-up process where I can configure the required fields during the sign-up process.
Firebase Authentication is the sign-in solution from Firebase. In addition to SDK for Firebase's supported platforms, it comes with a pre-built UI for the most common platforms: web, Android, iOS and Flutter.
The number of pre-defined fields for a user is quite limited though, see for example the definition here for a web user. There is no way to expand this within Firebase Authentication. If you want to store more information for each user, you'll typically do that in one of Firebase's databases (Firestore or Realtime Database) with the user ID as the key for that information.

Approval Request 2FA authentication

With Google Authenticator or Microsoft Authenticator I generate a Time-based One Time Password (TOTP).
The user needs to insert the code in my website to complete two-factor authentication.
How to generate a push notification "Approval Request" in Authenticator App with a custom account?
Like described here:
https://support.google.com/accounts/answer/7026266?co=GENIE.Platform%3DiOS&hl=en
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Microsoft-Authenticator-iOS-now-supports-push-approval-for/ba-p/245120
Could not find any technical documentation.
Twilio developer evangelist here.
You can't build that sort of integration with Google Authenticator or Microsoft Authenticator.
One option you have is to check out the Authy push notification API. It uses the Authy app which is free to download for your users, and can perform authentication via push notification or drop back to in app code or even SMS.
Let me know if that helps at all.

Login for Google Cloud Endpoints portal page without Google account

I have found the tutorial Using Firebase to authenticate users that explains how to authenticate users with Firebase to access different services.
However I haven't found how to enable Firebase login for the whole Google Cloud Endpoints portal page (like for example https://endpointsportal.ourproject.cloud.goog/).
How can I achieve this?
I think the only identity supported today is GCP meaning Cloud Endpoints Portal doesn't support 3rd party sign in. You can use Firebase to authenticate against the API, but not to log into the portal.

Authenticate IoT Appliance Using Firebase Auth

I can't figure out how to authenticate my IoT appliance to call Google Cloud App Engine APIs I've written using Firebase Auth.
We currently do this with our browser app using Firebase Auth tokens. We use the username and password to issue a token and then use that token during the life of the session to access APIs from our browser app.
This doesn't translate well to our IoT appliance as there is no username/password - so we are thinking we will need to use Firebase custom tokens. Unfortunately these tokens expire every hour - so we will need to use the Firebase Auth APIs to renew the tokens automatically - we think this is the way this works based on documentation.
A constraint we have is that this appliance doesn't have any user experience but instead needs to be able to restart at any time and reestablish its authenticity with the server by retrieving a fresh token.
I'm having a hard time finding an example of how to do this - and I'm hoping someone can give me a simple example or some clear direction on how to keep an authentication token current while the appliance is on and establish a new one if it needs to restart.
Thanks!
Have you looked at Cloud IoT Core as an option? It handles the authentication piece for you without user/pass (uses JWT), and is designed for IoT. A quickie Cloud Function can bring your telemetry data into Firebase/Firestore very easily.
Another option would be to create a service account with permissions to write to AppEngine. Check out this link: https://cloud.google.com/docs/authentication/getting-started for some documentation on how to authenticate using a service account.

Can I seamlessly migrate users from Firebase Auth?

If one day I would have to replace Firebase with a custom solution, can I migrate authorized users from Firebase Auth to my system?
I am aware that Firebase allows exporting all user data using the Firebase Admin SDK, but I'm curious about the behavior of identity providers (Facebook, Google and Twitter). If my custom system would use the same provider API keys as Firebase Auth, what would happen to my users?
Thanks for any help!
Firebase Auth provides a CLI SDK to download your accounts:
https://firebase.google.com/docs/cli/auth#authexport
Firebase Auth uses SCRYPT to hash passwords. If you decide to migrate, you can also contact Firebase support to help you with the process.
As for linked OAuth providers, you can still implement that in your own system as the OAuth flow is a well known standard and the users should be portable. In general, Firebase Auth architecture is based on open standards and protocols that are widely used in the industry. The advantage is that Firebase Auth manages all that complexity for you for free.
