Firebase 3 - We have blocked all requests from this device due to unusual activity

Question

I was testing my login/sign up feature and for some reason I can't understand Firebase now is blocking all requests from my device.

I've waited one day to try again, but I still have the same problem.

ERROR: "We have blocked all requests from this device due to unusual activity. Try again later."

What should I do to have access to my database again?

Answer 1

To solve this problem I used a VPN app on the device. This helps avoid IP address restrictions.

But it is not clear how to help an angry app customer. Not all customers are ready to use vpn or wait for a phone number to be unlocked.

Deleting the user in the Firebase console or reinstalling the app didn't help.

Answer 2

The error "We have blocked all requests from this device due to unusual activity. Try again later." is usually thrown when a user is making SMS authentication requests to a certain number of times using the same phone number or IP address. These repeated requests are considered as a suspicious behavior which temporarily blocks the device or IP address.

Additionally, there's a limit of 5 SMS per phone number per 4 hours. With this, you may try doing the following to resolve the issue:

Reduce the frequency of attempts to avoid triggering the anti-abuse system Try using whitelisted phone numbers for testing your app Use multiple testing devices (as the limits are applied per IP or device) Wait for an hour for the quota to lift

Answer 3

If you use Phone Authentication, Here is what to do:

1. Go to Firebase Console
2. Authentication ==> Sign-in-method
3. Go to "Phone" and pop-up will show
4. Add your phone number at "Phone Numbers for testing" along with a verification code from your choice.

And it works now :)

Answer 4

Also, setting up Firebase Auth test phone numbers should help.

Per https://firebase.google.com/docs/auth/ios/phone-auth#test-with-fictional-phone-numbers:

Test with fictional phone numbers
You can set up fictional phone numbers for development via the Firebase console. Testing with fictional phone numbers provides these benefits:

• Test phone number authentication without consuming your usage quota.
• Test phone number authentication without sending an actual SMS message. Run consecutive tests with the same phone number without getting throttled. This minimizes the risk of rejection during App store review process if the reviewer happens to use the same phone number for testing.
• Test readily in development environments without any additional effort, such as the ability to develop in an iOS simulator or an Android emulator without Google Play Services.
• Write integration tests without being blocked by security checks normally applied on real phone numbers in a production environment.

Fictional phone numbers must meet these requirements:

• Make sure you use phone numbers that are indeed fictional, and do not already exist. Firebase Authentication does not allow you to set existing phone numbers used by real users as test numbers.
  One option is to use 555 prefixed numbers as US test phone numbers, for example: +1 650-555-3434

• Phone numbers have to be correctly formatted for length and other constraints. They will still go through the same validation as a real user's phone number.

• You can add up to 10 phone numbers for development.

• Use test phone numbers/codes that are hard to guess and change those frequently.

Create fictional phone numbers and verification codes

• In the Firebase console, open the Authentication section.
• In the Sign in method tab, enable the Phone provider if you haven't already.
• Open the Phone numbers for testing accordion menu.
• Provide the phone number you want to test, for example: +1 650-555-3434.
• Provide the 6-digit verification code for that specific number, for example: 654321.
• Add the number. If there's a need, you can delete the phone number and its code by hovering over the corresponding row and clicking the trash icon.

Answer 5

If you are doing tests a better way to go about it is to add the phone number as a test number Authentication > Sign in method > Phone. Then add the test number + the verification code you'll use

Answer 6

Add that number of yours to Firebase as a tester. This way you can test it as many times as you can. Else multiple requests from one number to a project. Firebase deals it as a hacker and blocks it.

Add your number as Tester as: Go to -> Firebase Console -> Authentication -> Sign-in-method -> Edit Phone -> Phone numbers for testing (optional)

Add your phone number and verification code of your choice and that number will then work.

You will not get verification code from firebase, but you can give the verification code you set as a tester and can login through phone

Answer 7

One of the causes can be sending too may verification email to a user's email within a short duration of time. Try adding a duration timer and check if the verification message has been sent within the time duration.

Answer 8

I was facing the same issue and I solved this problem by Buying Blaze plan. This blocking seemed like a security measure on Firebase's side. If you are using Firebase for development purpose, buying the Blaze plan won't cost you any thing as it has the same quota of free services offered in Spark plan.

Answer 9

I've run into the same problem.

By default (for the free plan), firebase caps sign-ins to 100 per hour, per IP-address. This broke our automated testing. You can change the setting like this:

• open console
• open your project
• go to "authentication"
• go to "sign-in method"
• scroll down to "manage sign-in quota"

That's it. Currently the maximum setting for this quota is 1000 per hour .

Answer 10

I have added my phone as a test number in the Sign-in method tab.

Actually this error occurs when your quota limit is exceeded.

Just add your number and testing OTP to get it worked.

Note: The testing number will not get any message of OTP as we already defined static OTP code.

Answer 11

I contacted firebase support and received this message:

The error "We have blocked all requests from this device due to unusual activity. Try again later." is usually thrown when a user is making SMS authentication requests to a certain number of times using the same phone number or IP address. These repeated requests are considered as a suspicious behavior which temporarily blocks the device or IP address.

Additionally, there's a limit of 5 SMS per phone number per 4 hours. With this, you may try doing the following to resolve the issue:

Reduce the frequency of attempts to avoid triggering the anti-abuse system Try using whitelisted phone numbers for testing your app Use multiple testing devices (as the limits are applied per IP or device) Wait for an hour for the quota to lift

I tried to increase the quota as per @lhk answer but there answer is the following:

You also mentioned that you have increased the quota to 1000 but it didn't work. Do note that this "Manage to sign up quota" field is intended for Email/Password and Anonymous sign-ups.

Answer 12

One of the possible solutions:

1. Go to your Firebase console -> Auth -> Users table

2. Locate the user you are testing.

3. Delete this user.

4. Retest.

Answer 13

I managed to get this working straight away by resetting the users password.

Steps are as follows:

1. Go into your admin console, Authentication, Users
2. Locate the user
3. Click on the menu dots in the far right hand column
4. Choose reset password, then click ok
5. Follow the steps in the email when it comes through

Answer 14

See my answer at https://stackoverflow.com/a/39291794/18132

I went into firebase > Authentication > sign-in method > google and added my client id to the whitelist.

Answer 15

This is one of many quirks that I am running into. While Firebase seems to be a nice framework/product/service, at the moment it doesn't seem to be totally ready for broad production deployment yet. In this case I only used one particular (fake) user for testing/debugging and only after just a few attempts (probably no more than 10 sign-ins), I ran into this issue. The funny thing is that my tests delete the fake test-user after each run so I couldn't see any user in my auth user table afterwards. The solution for me was to manually add that user via the "ADD USER" button and then delete it. I think they should have (at least as a workaround) a definable user that is for testing/debugging, who is not subject to this restriction, if they really feel they have to have such a (low) limit.