user1872384

Reputation: 7127

Make Firebase phone authentication more secure

I've created an account in Firebase using phone authentication. However, the documentation mentions that:

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in

I couldn't find a field to inject the password into the users database.

Should I enable the password/email sign in method? Is there any documentation to refer to?

I added email and password using:

createUserWithEmail:email:password:completion:

2 accounts are created:

I should rephrase my question to:

If the user logs out, when they sign in again, should they use the phone number or email and password?

Upvotes: 1

Views: 786

Answers (2)

user1872384

Reputation: 7127

Based on @Peter Haddad's answer:

Updated the code to link the phone-authenticated user with the email/password authentication method.

FIRAuthCredential *credential =
    [FIREmailAuthProvider credentialWithEmail:userEmail
                                     password:userPassword];

[[FIRAuth auth].currentUser linkWithCredential:credential
                                    completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
    if (error != nil) {
        // Linking failed (for example, the email is already used by another account).
        return;
    }
    // `user` is the same phone-authenticated account, now also linked to email/password.
    FIRUser *tmpUser = user;
}];

You should see this in the console (only one row with 2 authentication types instead of 2 rows):


Upvotes: 0

Peter Haddad

Reputation: 80914

This is what it says in the documentation:

Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.

So all it means is that it is better to use another method with it, like the email/password method.

When you enable that, the user can create an account using his email, and you do not need the password, only the user ID after he creates an account.

More info here:

https://firebase.google.com/docs/auth/ios/password-auth

Upvotes: 3
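Both answers above come down to one point: the email/password credential must be linked onto the user who is already signed in by phone, not created as a separate account. The following is an added example, not code from either answerer or from Firebase itself. It assumes the same Firebase iOS SDK generation as the answer's code (completion handlers receive a FIRUser); the names ExampleLinkResult, ExampleProviderIDs and ExampleLinkEmailPassword are hypothetical helpers, and the email and password in the usage comment are constructed values. It adds the two checks a practitioner wants here: distinguishing the "already linked" and "email belongs to another account" errors, and confirming via providerData that one uid now carries both providers.

```objective-c
#import <FirebaseAuth/FirebaseAuth.h>

// Added example (not from either answer). Assumes the Firebase iOS SDK
// generation used above, where completion handlers receive a FIRUser.
// ExampleLinkResult and both helper functions are hypothetical names.
typedef void (^ExampleLinkResult)(NSArray<NSString *> *_Nullable providerIDs,
                                  NSError *_Nullable error);

// Returns the provider IDs attached to one account. After a successful link
// you should see both FIRPhoneAuthProviderID (@"phone") and
// FIREmailAuthProviderID (@"password") here, i.e. one console row, not two.
static NSArray<NSString *> *ExampleProviderIDs(FIRUser *user) {
    NSMutableArray<NSString *> *ids = [NSMutableArray array];
    for (id<FIRUserInfo> info in user.providerData) {
        [ids addObject:info.providerID];
    }
    return ids;
}

// Links an email/password credential onto the user who is already signed in
// by phone, so a later sign-in with either method resolves to the same uid.
static void ExampleLinkEmailPassword(NSString *email,
                                     NSString *password,
                                     ExampleLinkResult handler) {
    FIRUser *current = [FIRAuth auth].currentUser;
    if (current == nil) {
        // Nothing to link onto: the phone sign-in must have completed first.
        // Calling createUserWithEmail:password: here instead would produce a
        // second, unrelated account, which is what the question observed.
        NSError *err = [NSError errorWithDomain:@"ExampleApp"
                                           code:1
                                       userInfo:@{NSLocalizedDescriptionKey:
                                                  @"No signed-in user to link"}];
        handler(nil, err);
        return;
    }

    FIRAuthCredential *credential =
        [FIREmailAuthProvider credentialWithEmail:email password:password];

    [current linkWithCredential:credential
                     completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
        if (error != nil) {
            if ([error.domain isEqualToString:FIRAuthErrorDomain]) {
                switch (error.code) {
                    case FIRAuthErrorCodeProviderAlreadyLinked:
                        // This uid already has an email/password provider.
                        break;
                    case FIRAuthErrorCodeEmailAlreadyInUse:
                    case FIRAuthErrorCodeCredentialAlreadyInUse:
                        // The email already belongs to a different uid. Do not
                        // silently create or merge accounts; tell the user.
                        break;
                    default:
                        break;
                }
            }
            handler(nil, error);
            return;
        }
        handler(ExampleProviderIDs(user), nil);
    }];
}

// Usage, after the phone sign-in has completed (constructed sample values):
//
//   ExampleLinkEmailPassword(@"user@example.com", @"correct horse battery staple",
//       ^(NSArray<NSString *> *providerIDs, NSError *error) {
//           if (error == nil) {
//               BOOL linked = [providerIDs containsObject:FIREmailAuthProviderID] &&
//                             [providerIDs containsObject:FIRPhoneAuthProviderID];
//               // linked == YES means one account with two sign-in methods.
//           }
//       });
```

Once the link succeeds, signInWithEmail:password:completion: and the phone-credential sign-in both return the same user, so after a logout either method works; which one the app presents is a UX choice, and the documentation quoted above only asks that the more secure option be offered alongside the phone number.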
