Hey there, Malcolm from Firebase here.
Right now, I don't know that there's a clean solution to this. There are a couple of ugly ways, though, so let me at least walk you through those.
(1) You use custom auth, so you can do the first factor + second factor validation yourself. You don't get the convenience of most of Firebase Auth, but this does technically unblock you if you need the Firebase token in order to interact with other Firebase services.
(2) You do the second factor part yourself, and you set a custom claim on the user every time they go through the second factor flow (with that custom claim including the timestamp of the second factor validation). Then, you validate user sessions in your app (or in your DB Rules, if the syntax allows) by making sure the Firebase sign-in timestamp is within a small time period (e.g. 5 minutes) of the custom claim timestamp you put. This probably leads to some annoying validation on your part, but at least you don't have to start managing OAuth handshakes.
Unfortunately, that's all I can come up with at the moment :(
However, this *has* given me an idea for something that we could implement where we allow developers to hook in their own second factors similar to the way that we do first factors via custom auth, and I'm excited about that. Obviously, that wouldn't release anywhere close to now (if we even ever build it), so that's not of much help to you, but thanks for the great idea :)
~Malcolm
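A sketch of the session check described in option (2), as an added example that is not part of the original post and not Firebase's own code. The custom claim name `mfa_time` and the function names are assumptions; `auth_time` is the sign-in timestamp (in seconds) that Firebase puts in the ID token. The check is stricter than the post's wording in one respect: it rejects a second-factor claim that is older than the current sign-in, since that claim was left over from an earlier session.

```javascript
// Added example: `mfa_time`, the function names and all sample values are constructed.
const MFA_WINDOW_SECONDS = 5 * 60; // the "small time period (e.g. 5 minutes)" from the post

// Server side, after your own second-factor check succeeds: build the claims
// object to store on the user (for example with the Admin SDK's setCustomUserClaims).
function buildMfaClaim(nowMs = Date.now()) {
  return { mfa_time: Math.floor(nowMs / 1000) }; // seconds, same unit as auth_time
}

// Decide whether an already verified, decoded ID token payload belongs to a
// session that completed the second factor shortly after signing in.
function checkSecondFactor(claims, windowSeconds = MFA_WINDOW_SECONDS) {
  const authTime = claims.auth_time; // set by Firebase at sign-in
  const mfaTime = claims.mfa_time;   // hypothetical custom claim
  if (!Number.isInteger(authTime)) return { ok: false, reason: "no-auth-time" };
  if (!Number.isInteger(mfaTime)) return { ok: false, reason: "no-second-factor" };
  const delta = mfaTime - authTime;
  // Custom claims persist across sign-ins, so a claim older than this
  // sign-in proves nothing about the current session.
  if (delta < 0) return { ok: false, reason: "stale-second-factor" };
  if (delta > windowSeconds) return { ok: false, reason: "second-factor-too-late" };
  return { ok: true, reason: "ok" };
}

// Constructed decoded-token payloads covering each outcome.
const samples = [
  { label: "fresh", claims: { auth_time: 1700000000, mfa_time: 1700000090 } },
  { label: "old claim, new sign-in", claims: { auth_time: 1700000000, mfa_time: 1699990000 } },
  { label: "second factor after window", claims: { auth_time: 1700000000, mfa_time: 1700000301 } },
  { label: "never did second factor", claims: { auth_time: 1700000000 } },
];

for (const { label, claims } of samples) {
  console.log(label.padEnd(28), checkSecondFactor(claims).reason);
}
```

Custom claims only appear in the ID token after it is refreshed, so the client has to fetch a new token once the second factor succeeds before this check can pass.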