Make Firebase phone authentication more secure - firebase

I've created an account in Firebase using phone authentication. However, the documentation mentions that:
"If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in."
I couldn't find a field to inject the password into the users database.
Should I enable the password/email sign in method? Is there any documentation to refer to?
I added email and password using:
createUserWithEmail:email:password:completion:
2 accounts are created:
I should rephrase my question to:
If the user logs out, when they sign in again should they use the phone number, or email and password?

This is what it says in the documentation:
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
So all it means is that it is better to use another method alongside it, like the email/password method.
When you enable that, the user can create an account using his email, and you do not need the password, only the user id after he creates an account.
More info here:
https://firebase.google.com/docs/auth/ios/password-auth

Based on @Peter Haddad's answer:
Updated the code to link the phone-authenticated user with the email/password authentication method.
    FIRAuthCredential *credential =
        [FIREmailAuthProvider credentialWithEmail:userEmail
                                         password:userPassword];
    [[FIRAuth auth].currentUser linkWithCredential:credential
                                        completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
        if (error) {
            // Linking failed (for example the email is already in use by another account);
            // the phone session stays signed in, so surface the error to the user.
            NSLog(@"Link failed: %@", error.localizedDescription);
            return;
        }
        // Success: the same account now has both the phone and the email/password provider.
        FIRUser *tmpUser = user;
    }];
You should see this in the console (only one row with 2 authentication types instead of 2 rows):

Related

How to link a backup email address to a firebase phone authentication?

I'm using Firebase phone auth as primary authentication. Since the phone is vulnerable, I want to link an email address to it that the user can use to access his account and change his phone number in case his phone is lost or stolen. I can't find a way to do it.
I saw a method currentUser.linkWithPhoneNumber(). However, reading its documentation, it says it is only supported on web platforms. Is there any other way to make this possible?
When you authenticate a user with a phone number, the only data you have inside the FirebaseUser object when the authentication completes is the UID and the phone number. If you need to add an email address to an existing account, you can request the user to provide an email address. Once you have that, you can update the email address using the FirebaseUser#updateEmail(String email) function. As soon as the account is updated, you can add any functionality related to that email address.
Since you didn't specify a programming language, I linked that function to the Android docs, but certainly you can do the same thing in any other programming language.
Upon further reading, I found Email Link Authentication, which answered everything I've asked.
Linking/re-authentication with email link
You can also link this method of authentication to an existing user. For example a user previously authenticated with another provider, such as a phone number, can add this method of sign-in to their existing account.
https://firebase.google.com/docs/auth/flutter/email-link-auth

Is it possible to send an SMS containing a one-time token to a specific phone number through Firebase Authentication?

Is it possible to send an SMS containing a one-time-token to a specific phone number through Firebase Authentication?
Conditions:
My App is a multi-user web app.
There are 2 user roles in My App: Admin, and Member.
I want to:
Member user clicks a button.
Send an SMS containing a one-time token to the admin phone number.
Admin user tells the one-time token to the member user.
Member user fills out a form and presses submit.
Token is sent back to the Firebase and verified.
What you're describing is not a built-in flow for Firebase Authentication. The closest equivalent is Firebase's phone number authentication, but in that scenario the one-time password (OTP) is sent to the user who signs in to the app.
So you can either modify your flow to use another step for involving the admin user, or you can build your own provider for Firebase Authentication. In the latter case, you won't be able to use Firebase to send the SMS messages though, but will have to use another provider for that.

Phone number verification via OTP using firebase and flutter

I don't want to authenticate the user via their phone number; I have already done that using their email ID and password. I just want to confirm that they are entering a valid phone number by sending them an OTP and verifying it. All the solutions that I have looked up go on to straight up authenticate the user. I am using Firestore as my database.
Firebase allows you to link multiple authentication methods. You can find more details at https://firebase.google.com/docs/auth/web/account-linking
So, once the user is authenticated with email/password, initiate phone number authentication. When you get the AuthCredential, link it to the current Firebase user as mentioned in the above link.
Another solution would be to use an external SMS gateway like Twilio and do phone number verification on your own, which isn't required for your use case. In case you still want to try this, there is a free SMS gateway (which uses your own mobile number to send SMS) at https://www.sg.yagnyam.in/.

firebase users login through mobile

I'd like to know if it's possible for a mobile-registered Firebase user to log in without the authentication procedure, in other words:
Let's say an administrator creates a Firebase user in the console (or a web interface to the console); is it then possible that when this user launches the app on his mobile he just logs in without the authentication procedure?
To put it simply, is it possible for mobile users to log in like email/password users: just enter the number and log in?
If you're referring to using a Phone Number for authentication this is supported by Firebase and the documentation can be found here https://firebase.google.com/docs/auth/ios/phone-auth
The caveat to this is that you can't create a user through the Firebase console as you were suggesting. It relies on the user using their mobile number to register when they log in for the first time.
The other option that may or may not be applicable is to use Anonymous authentication along with a collection of predefined users with numbers as Peter suggested above.
You can add new users from the console; first you need to enable the email/password sign-in method. Then you can add a new user:
Then the user can login using the email/password added in the console.
If you want the user to enter a number and log in, then associate a number in the Firebase database with the email:
    Users
        userid
            email: userx@gmail.com
            number: 102

disable sign up with signInWithPhoneNumber in firebase

I just use two methods on my web app.
SignInWithEmail
SignInWithPhoneNumber
And I want users to be able to sign up with user & password, which is possible now, and then I get their phone number, so they can sign in with the phone number the next time. But if someone puts a nonexistent phone number in the sign-in page it didn't show an error to say that phone number doesn't exist. And Firebase just signed up that phone number!
I just want users to be able to sign up with email and password!
The SignInWithPhoneNumber method will automatically sign up a new user if the user doesn't exist. You can check if the returned user is a new user and, if it's new, delete and sign out the user manually.
Firebase Auth provides the tools needed for building this. As Ti pointed out, Firebase Auth returns isNewUser in the firebase.auth.UserCredential returned on sign in/sign up. You can inspect that to tell if a phone number user is existing or new and wire your logic from there. You also have the ability to ask the user to provide their email/password afterwards. You can use linkWithCredential to link an email/password credential.
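The check both answers describe, as an added example that is not code from the question or the answers: after the SMS code is confirmed, inspect `additionalUserInfo.isNewUser` on the returned UserCredential and, if the account was just created, delete it again (which also signs the user out) so the app can report that the number is not registered. It is written against the shape of the v8-style Firebase web SDK (`signInWithPhoneNumber` resolving to a ConfirmationResult whose `confirm(code)` resolves to a UserCredential); the fake ConfirmationResult is constructed here so the example runs offline.

```javascript
// Added example, not code from the original question or answers: gate a web
// phone sign-in so an unregistered number is not silently turned into a new
// account. Written against the shape of the v8-style Firebase web SDK:
// firebase.auth().signInWithPhoneNumber() resolves to a ConfirmationResult whose
// confirm(code) resolves to a UserCredential carrying additionalUserInfo.isNewUser.

async function signInExistingPhoneUserOnly(confirmationResult, smsCode) {
  // Rejects (e.g. auth/invalid-verification-code) if the SMS code is wrong.
  const { user, additionalUserInfo } = await confirmationResult.confirm(smsCode);

  if (additionalUserInfo && additionalUserInfo.isNewUser) {
    // The SDK has just created an account for this number. Remove it again;
    // deleting the current user also signs them out, and immediately after
    // sign-in this does not trigger auth/requires-recent-login.
    await user.delete();
    return { outcome: 'rejected-unregistered-number', user: null };
  }
  return { outcome: 'signed-in', user };
}

// Constructed stand-in for the SDK object, used only to run the example offline.
function makeFakeConfirmationResult({ isNewUser, expectedCode }) {
  const state = { deleted: false };
  const user = {
    uid: 'demo-uid',
    phoneNumber: '+15550100',
    delete: async () => { state.deleted = true; },
  };
  const confirmationResult = {
    confirm: async (code) => {
      if (code !== expectedCode) {
        const err = new Error('The SMS verification code is invalid.');
        err.code = 'auth/invalid-verification-code';
        throw err;
      }
      return { user, additionalUserInfo: { isNewUser, providerId: 'phone' } };
    },
  };
  return { confirmationResult, state };
}

// Usage: an unregistered number is rejected and its just-created account removed.
const demo = makeFakeConfirmationResult({ isNewUser: true, expectedCode: '123456' });
signInExistingPhoneUserOnly(demo.confirmationResult, '123456')
  .then((r) => console.log(r.outcome, '- account deleted:', demo.state.deleted));
```

In a real app the ConfirmationResult comes from `firebase.auth().signInWithPhoneNumber(phoneNumber, recaptchaVerifier)`; the rest of the function is unchanged. The existing-user path returns the signed-in `user`, which is where a follow-up `linkWithCredential` call for an email/password credential would go.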