0
votes

We are developing an app using Flutter + Firebase Authentication, and we are using the phone authentication of Firebase Auth. We want to bind a user to a device (phone), as phone numbers are portable.

Ex:

  1. User (U1) has mobile (M) and signs up using phone Auth (the user id will be created after OTP verification).

  2. Let's say that after some time mobile (M) is transferred to another user, and he signs in to our app; he will get User (U1)'s details.

We are thinking of adding some association of the user with a device (device identifier), so that for any user, if the deviceId changes, we can present some challenges to the user (like a security question or their KYC details). This will prevent account takeover.

So far we haven't found anything related to user and device association during sign-in/up using Firebase Authentication. Can someone help?

In short, can we store some extra information during user sign-in/up using Firebase?


1 Answer

1
votes

The Firebase documentation explicitly calls out this security concern:

Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.

If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.

You can definitely store additional information for the phone-number-to-UID association. For example, storing this precise relationship in a database, like Cloud Firestore or Realtime Database, would allow you to look up whether a phone number was used by an existing user and take action on that. What exact action to take is up to you, of course.
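One way to implement the user-to-device association the answer describes, as an added Dart example that is not code from the question, the answer or Firebase's own documentation; it assumes the cloud_firestore and firebase_auth packages, a `users/{uid}` document layout chosen here, and a device identifier supplied by the caller (for example from a device-info plugin):

```dart
import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_auth/firebase_auth.dart';

/// Outcome of comparing the signed-in user against the stored device record.
enum DeviceCheck { firstDevice, sameDevice, newDevice }

/// Records and checks the user-to-device binding in Firestore.
/// Assumed document layout (chosen for this example, not prescribed by Firebase):
///   users/{uid} { phoneNumber, deviceId, lastSeen }
class DeviceBinding {
  DeviceBinding(this._db);
  final FirebaseFirestore _db;

  /// Call after the phone sign-in (signInWithCredential) succeeds.
  /// [deviceId] is an installation or vendor identifier obtained elsewhere;
  /// it is a parameter so this code does not depend on a particular plugin.
  Future<DeviceCheck> checkAndRecord(User user, String deviceId) async {
    final ref = _db.collection('users').doc(user.uid);
    final snap = await ref.get();
    final storedDeviceId = snap.data()?['deviceId'] as String?;

    if (storedDeviceId == null) {
      // First sign-in for this UID: bind the account to the current device.
      await ref.set({
        'phoneNumber': user.phoneNumber,
        'deviceId': deviceId,
        'lastSeen': FieldValue.serverTimestamp(),
      }, SetOptions(merge: true));
      return DeviceCheck.firstDevice;
    }
    if (storedDeviceId == deviceId) {
      await ref.update({'lastSeen': FieldValue.serverTimestamp()});
      return DeviceCheck.sameDevice;
    }
    // Different device: do NOT overwrite the binding yet. The caller should
    // present the step-up challenge (security question, KYC details) and call
    // confirmNewDevice() only after the user passes it.
    return DeviceCheck.newDevice;
  }

  /// Re-bind the account to [deviceId] once the challenge has been passed.
  Future<void> confirmNewDevice(User user, String deviceId) =>
      _db.collection('users').doc(user.uid).update({
        'deviceId': deviceId,
        'lastSeen': FieldValue.serverTimestamp(),
      });
}
```

Because this check runs in the client, a modified app could skip it; the write in confirmNewDevice should therefore be constrained by Firestore Security Rules or performed by a Cloud Function that verifies the challenge result itself.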