Make Firebase phone authentication more secure

0
votes

I've created an account in Firebase using phone authentication. However, from the documentation, it mention that:

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in

I couldn't find a field to inject the password into the users database.

Should I enable the password/email sign in method? Is there any documentation to refer to?

I added email and password using:

createUserWithEmail:email:password:completion:

2 accounts are created:

I should rephrase my question to:

If the user logout, when they sign in again should they use the phone number, or email and password?

2
firebasefirebase-authentication
Just to clarify, you don't need to create the password. You can simply just updateEmail(primaryEmail) and also verify it by sending an email verification. If the user ever loses access to their phone number, they can trigger the password reset flow to recover their account (this would add a password in the process). If they changed their phone number, they can update it to the new one in the process etc. You can even remove the password, afterwards, if you don't want it by unlinking it. - bojeil
Firebase Auth also added sign in with email link. You can consider using that too: firebase.google.com/docs/auth/ios/email-link-auth - bojeil

2 Answers

3
votes

This is what it says in the documentation:

Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.

So all it means is that it is better to use another method with it, like email/password method.

When you enable that, then the user can create an account using his email, and you do not need the password, only the user id after he creates an account.

more info here:

https://firebase.google.com/docs/auth/ios/password-auth

0
votes

Base on @Peter Haddad answer:

Updated the code to link the phone authenticated user and email/password authentication method.

FIRAuthCredential *credential =
[FIREmailAuthProvider credentialWithEmail:userEmail
                                 password:userPassword];

[[FIRAuth auth]
 .currentUser linkWithCredential:credential
 completion:^(FIRUser *_Nullable user, NSError *_Nullable error) {
     // ...
     FIRUser *tmpUser = user;

 }];

You should see these in the console (with only one row with 2 authentication type instead of 2 rows) :

enter image description here