Security rule to validate if 2FA is enabled


Tarek Aoukar

Jan 26, 2021, 5:14:07 AM
to Firebase Google Group
I need to validate if a user has 2FA enabled and has logged in with it or not.
I know that Google has "Google Cloud Identity Platform" and they describe how to enroll users in them: https://cloud.google.com/identity-platform/docs/web/mfa
However, this is purely client side; it does not explain how to validate that on the Firebase side.

For example, the security rule to check a user has logged in: request.auth != null
To check a user has verified email is: request.auth.token.verified_email == true
What is the rule to check if a user has 2FA enabled?

If anyone watches Stack Overflow: https://stackoverflow.com/questions/65746288/firestore-security-rules-for-2fa/65777242, sorry for the duplicate entry. I can't seem to get a response there, so I'm asking here.

Sam Olsen

Jan 26, 2021, 2:54:47 PM
to Firebase Google Group
Hi, thanks for reaching out--

You can check for second factor being enabled and used by looking at the "sign_in_second_factor" and "second_factor_identifier" fields in "request.auth.token.firebase". For example, this rule will grant access if the user is using phone second factor sign in:

    if request.auth.token.firebase.get('sign_in_second_factor', null) == 'phone'
    && 'second_factor_identifier' in request.auth.token.firebase;

Cheers,
Sam
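
The rule condition from the reply above, mirrored on decoded ID-token claims so the claim layout and each denial case are visible. This is an added example, not part of the original thread or of any Firebase SDK; `checkSecondFactor`, the reason strings and the sample claims are hypothetical, and the claims are assumed to have been signature-verified already.

```javascript
// Added example: applies the same two checks as the rule in the reply above.
// Assumption: `claims` is the payload of an ID token whose signature was already verified.

// Hypothetical helper, not a Firebase API.
function checkSecondFactor(claims, requiredFactor = 'phone') {
  if (claims === null || typeof claims !== 'object') {
    return { allowed: false, reason: 'not-signed-in' }; // same as request.auth == null
  }
  const fb = claims.firebase;
  if (fb === null || typeof fb !== 'object') {
    return { allowed: false, reason: 'no-firebase-claim' };
  }
  // Same as firebase.get('sign_in_second_factor', null): the key is absent
  // when the user signed in with a single factor, so default to null.
  const factor = Object.prototype.hasOwnProperty.call(fb, 'sign_in_second_factor')
    ? fb.sign_in_second_factor
    : null;
  if (factor !== requiredFactor) {
    return { allowed: false, reason: factor === null ? 'no-second-factor' : 'wrong-factor' };
  }
  // Same as: 'second_factor_identifier' in request.auth.token.firebase
  if (!Object.prototype.hasOwnProperty.call(fb, 'second_factor_identifier')) {
    return { allowed: false, reason: 'missing-factor-identifier' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample claims (placeholder values, not taken from real tokens).
const passwordOnly = {
  sub: 'uid-constructed-1',
  firebase: { sign_in_provider: 'password' },
};
const passwordPlusPhone = {
  sub: 'uid-constructed-2',
  firebase: {
    sign_in_provider: 'password',
    sign_in_second_factor: 'phone',
    second_factor_identifier: 'enrollment-id-placeholder',
  },
};

// Evaluate an unauthenticated request, a single-factor session and an MFA session.
function demo() {
  return [null, passwordOnly, passwordPlusPhone].map((c) => checkSecondFactor(c).reason);
}
console.log(demo());
```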

Tarek Aoukar

Jan 27, 2021, 5:38:19 AM
to Firebase Google Group
Thanks for the help.
Is there some sort of full documentation or list of tokens? I've read so many pages but don't remember ever passing by those tokens.

Cheers,
Tarek.

Sam Olsen

Jan 27, 2021, 1:06:56 PM
to Firebase Google Group
Unfortunately, there's not any full listing of the fields that can go into tokens. We document the common ones and the most used ones, and with that being said, the fact that these two fields aren't present in the docs is an oversight on our part. Thanks so much for bringing it to our attention!

Sam
