[ Authentication ] Is Email+Password signup flow secure ?


yuuya sakano

Mar 19, 2022, 12:29:42 PM
to Firebase Google Group
Hello.
I would like to ask a question about the email+password authentication flow.
Note: I am assuming that we will not be using the email-only sign-in flow in this case.

For Email+Password authentication, we first run createUserWithEmailAndPassword to create the user in Firebase Authentication, then sendEmailVerification (https://firebase.google.com/docs/reference/js/auth.md?hl=en#sendemailverification) to confirm the identity of the email.
This flow is also described in the official Firebase blog.
https://firebase.googleblog.com/2017/02/email-verification-in-firebase-auth.html

However, there are several security and privacy concerns with this authentication flow.

1. If a user is created without verifying that the email is his/her own, he/she can register for the service with someone else's email address. The email address will remain in the Firebase Authentication database, without the owner's knowledge, unless the owner tries to log in with that email address or receives an email confirming the address.
Why doesn't the email+password authentication user creation process provide for prior confirmation of the email address's identity? (Even though email-only authentication involves sending the email address in advance...)

2. There is a risk of creating a mailing list of users registered for the service if the behaviour in 1. is exploited.

For example, suppose you have created a web service for wealthy people, and you use this authentication flow. A malicious user attempts to register an unspecified number of email addresses with the service. Then some responses will return the error "A user has already been created for this email address" (reference: https://firebase.google.com/docs/reference/js/auth.md#createuserwithemailandpassword). In other words, the owner of an email address that returned that response is a wealthy person, and a third party is told that the owner of the email address is a wealthy person.
This is designated by OWASP as a bad authentication flow: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#incorrect-and-correct-response-examples

With the above in mind, let me summarize my question.

For Email+Password authentication only, does Firebase Authentication provide a way to verify the identity of the email before createUserWithEmailAndPassword? (sendSignInLinkToEmail is not available, because I assume that email-link authentication will not be used in this case.)
Also, does Firebase have official documentation that fixes the above issues I have raised as concerns?
Or is this concern of mine misplaced?

That is all. Thank you for taking the time to read this long question.

Translated with www.DeepL.com/Translator (free version)
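The enumeration oracle described in point 2 comes down to the signup endpoint answering differently for a registered and an unregistered address. The following is an added example, not code from this thread or from Firebase: a minimal signup handler written two ways over a constructed in-memory user store (`makeStore`, `signupLeaky`, `signupUniform` and `responsesIndistinguishable` are all hypothetical names). The leaky variant mirrors the distinct "already created" error the post quotes; the uniform variant follows the OWASP "correct response" pattern, where the caller gets the same reply either way and only the address owner, via their mailbox, learns which case applied.

```javascript
// Added example (not Firebase code): a signup endpoint that leaks account
// existence through its response, beside one that does not.
// The user store and the "outbox" are constructed in-memory stand-ins for a
// user database and an email sender.

function makeStore(existingEmails) {
  return { users: new Set(existingEmails), outbox: [] };
}

// Leaky variant: distinct responses reveal which addresses already have accounts.
function signupLeaky(store, email) {
  const key = email.trim().toLowerCase();
  if (store.users.has(key)) {
    return { status: 400, message: "A user has already been created for this email address." };
  }
  store.users.add(key);
  store.outbox.push({ to: key, kind: "verify" });
  return { status: 200, message: "Account created. Check your email to verify it." };
}

// Hardened variant: identical status and message either way. The difference
// is only visible in the mailbox of the address owner, never to the caller.
function signupUniform(store, email) {
  const key = email.trim().toLowerCase();
  if (store.users.has(key)) {
    // Tell the real owner someone tried to sign up with their address.
    store.outbox.push({ to: key, kind: "already-registered" });
  } else {
    store.users.add(key);
    store.outbox.push({ to: key, kind: "verify" });
  }
  return { status: 200, message: "If this address can be registered, we have sent it an email." };
}

// Check used to compare the two variants: does the endpoint answer a known and
// an unknown address identically?
function responsesIndistinguishable(handler) {
  const store = makeStore(["alice@example.com"]);
  const known = handler(store, "alice@example.com");
  const unknown = handler(store, "nobody@example.com");
  return known.status === unknown.status && known.message === unknown.message;
}
```

The uniform reply only closes the oracle on the signup call; the same check has to be applied to the login and password-reset responses, and the timing of the two branches should be kept similar. It also does not address point 1 (the account still exists with an unverified address until the verification email is acted on).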

Rachel Myers

Mar 21, 2022, 12:54:12 PM
to fireba...@googlegroups.com
Yes, you can verify a user's email address. I think the best explanation about Auth security is this video. All your concerns are valid, though I would frame them differently. Two things make email + password inherently less secure than other auth methods: 
  • First, as you point out, developers don't always have users verify email addresses. By contrast, other auth methods like Sign in by Email Link or Sign in with Apple are always using verified emails. 
  • Second, email + password is more vulnerable to a credential stuffing attack. If developers insist on using email + password, then we recommend that they implement server-side restrictions like reducing the quota limits on that particular API endpoint. 
My personal opinion is that it's better to use another form of auth, like Sign in with Google, Sign in with Apple, or Email Link. Auth is always an arms race. Do I want to start a new app with something like passwords, which are inherently less secure, and spend my time trying to bolster them? Or do I want to use something that is good enough out of the box for today's threats and puts me in a better place for the future? But if you're going to use passwords, definitely verify the email addresses.



yuuya sakano

Mar 22, 2022, 7:11:44 PM
to Firebase Google Group
Rachel, thanks for replying.

The sendEmailVerification method requires a user object as an argument. 
export declare function sendEmailVerification(user: User, actionCodeSettings?: ActionCodeSettings | null): Promise<void>;

In other words, you need to use createUserWithEmailAndPassword beforehand. So I don't think it will solve the problem I first raised as a concern.

On Tuesday, March 22, 2022 at 1:54:12 UTC+9 Rachel Myers wrote:

Rachel Myers

Mar 23, 2022, 11:25:48 AM
to fireba...@googlegroups.com
Ah. One option is to only use forms of auth that are always using verified emails, and another is to block user creation on email verification using a blocking function. Right now this is only available with an upgrade to GCIP.
