Firebase Web Authentication: Spam & abuse protection

[Alex Bethke]

Hi,

When creating a new user using the Firebase Authentication SDK with 'createUserWithEmailAndPassword', is firebase behind the scenes already implementing some sort of spam and abuse protection mechanism? or if we want increased protection is advisable to implement something like reCaptcha or similar?

Thanks,

Alex

[Kato Richardson]

Hi Alex,

Firebase does employ some abuse prevention and limits requests per IP address. Also note that creating a login credential in this way just assigns a unique id to the given email/password combination. So there's not really an effective abuse vector here given the low volume allowed per IP address.

☼, Kato

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/50c02a25-757a-41b4-a2e8-73b5dfa5ace9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Kato Richardson |

Developer Programs Eng |

kato...@google.com |

775-235-8398

[Alex Bethke]

Thanks Kato. I see.

Following up and mentioning that I'm not at all versed in this area of security. I'd have another question if I may.

Is it possible that a bot takes a block of different IP addresses and start creating randomly users? I've been wondering if that kind of scenario would be possible.

Thanks again and keep the good work... :)

Alex

On Thursday, June 1, 2017 at 5:58:07 PM UTC+2, Kato Richardson wrote:

Hi Alex,

Firebase does employ some abuse prevention and limits requests per IP address. Also note that creating a login credential in this way just assigns a unique id to the given email/password combination. So there's not really an effective abuse vector here given the low volume allowed per IP address.

☼, Kato

On Tue, May 30, 2017 at 3:16 AM, Alex Bethke <alexb...@gmail.com> wrote:

Hi,

When creating a new user using the Firebase Authentication SDK with 'createUserWithEmailAndPassword', is firebase behind the scenes already implementing some sort of spam and abuse protection mechanism? or if we want increased protection is advisable to implement something like reCaptcha or similar?

Thanks,

Alex

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/50c02a25-757a-41b4-a2e8-73b5dfa5ace9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kato Richardson]

Sure, it would certainly be possible to generate email/password accounts in limited fashion, per IP address. But again, there's no effective abuse vector here. This wouldn't prevent someone who actually owns the email from logging in, resetting the password, verifying the email address, or any other activities. It would just pre-create the UID used later.

Keep in mind that it's really just creating something akin to an entry in a hash table containing UID => encrypted email/password combination.

☼, Kato

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.

To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/9a4be540-8b90-4513-9837-b7ba4e57e20e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Alex Bethke]

Thanks, Kato, I get it.

Alex

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/9a4be540-8b90-4513-9837-b7ba4e57e20e%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.