Tyler Crowe
Product Manager

Kevin Cheung
Technical Writer

Password-based sign-in remains a popular means of user authentication despite its weaknesses. For example, users frequently forget their passwords, requiring a password reset flow that creates friction for returning users; databases of stolen passwords are routinely shared between bad actors; and users often reuse weak passwords across sites, which makes the impact of a single stolen password even worse. On the other hand, password-based authentication is familiar, and users expect to see it. For this reason, it's understandable that many developers want to implement some form of password-based sign-in in their apps.

Firebase and Google Cloud Identity Platform provide libraries to make password sign-in easy to implement for your users, but it's important to consider these authentication best practices to enable more secure sign-ins.

Add restrictions to your API keys

Before you launch your app, add restrictions to your API keys to limit what they can be used for. Here are some steps you can take:

  • If you have a web client, set up a separate API key for that platform and restrict it by HTTP referrer to the domains that will host your app.
  • If you have your own server that you use to proxy traffic between your mobile apps and Google services, configure your API keys to only allow traffic from your servers’ IP address range.

Keep in mind that API keys for Firebase identify your project rather than authorize access to it, so these restrictions limit abuse of the key but do not replace Security Rules on your data. Visit our Applying API key restrictions documentation to learn more.

Use and recommend password management tools

One way to improve security for users who sign in with passwords is to use password management tools:

  • In your Android and web apps, use One Tap sign-in, which helps users sign in frictionlessly with their Google accounts or their saved passwords. One Tap sign-in integrates well with Firebase Authentication and Cloud Identity Platform.
  • Recommend to your users that they use a password manager such as Chrome’s password manager or one of the other services that are available. These tools help users provision secure passwords and automatically fill them in on websites and apps.

Use multi-factor authentication (MFA) to protect sensitive information

If your app deals with sensitive information, the industry best practice, and our recommendation, is to require MFA for user sign-in. This is especially important if your app deals with information such as financial data or medical records. You can add a second factor to most of Firebase Authentication’s sign-in methods, including email address and password, with Google Cloud Identity Platform. To get started, enable Identity Platform in your project, then add MFA to your apps (iOS, Android, Web). Your existing Firebase Authentication code will continue to work after you enable Identity Platform.

Prefer social sign-in and email link sign-in to passwords

If you’re not using MFA, other strong options for user authentication with Firebase are to use one of the social sign-in providers supported by Firebase Authentication such as Google, Facebook, and Apple, or to use email link sign-in.

  • Using a social sign-in provider lets you take advantage of the security infrastructure of well-audited identity providers, and also provides a better experience for users as a result of lower sign-in and sign-up friction. (See the docs for using Google Sign-in with Firebase for iOS, Android, Web, Unity, C++; Facebook, Apple, and other providers are also supported.) If you’re developing a new app and you anticipate your user base will be able to successfully sign in with one of these providers, we recommend making social sign-in your primary method of authentication.
  • Email link sign-in is preferred over password-based sign-in without MFA because it requires legitimate users to have access to their email account to successfully sign in. For this reason, if you already have users who are signing in with passwords and you choose not to use MFA, we recommend that you migrate your users to email link sign-in and disable password-based sign-in when you can. (See the docs for iOS, Android, Web, Unity, C++.)

Use phone authentication for users who don't use email

To serve users who don't have or use email addresses, Firebase and Google Cloud Identity Platform provide phone authentication services. This is the best solution for many user bases, but it has its own security caveats: possession of a phone number can be easily transferred between users (for example through SIM swapping, or when a carrier recycles a number), and, on devices with multiple user profiles, any user who can receive SMS messages can sign in to an account using the device's phone number. (See the docs for iOS, Android, Web, Unity, C++.)

We recognize the ubiquity of the password model and we will continue working to improve the security of password based sign-in.

Francis Ma
Director, Product Management

Over the past few months, we’ve seen that apps not only improve the way we live, they also enhance our ability to adapt to change. In 2020, more businesses and families have turned to apps to stay connected, productive, and entertained. At the same time, our developer community has stepped up to build and scale the apps people are relying on. Our team, alongside the rest of Google, has strived to be supportive in this moment. Our mission is to help you succeed by making it easy to build and operate apps.

Last year, we shared that 2 million apps actively use Firebase every month. Now, that number has grown to over 2.5 million monthly active apps, which includes global businesses like Gameloft and Alibaba, as well as innovative startups like Classkick. Classkick is a full-spectrum learning platform with a backend powered by our Realtime Database and supported by Google Cloud. When the COVID-19 pandemic forced schools to close, Classkick onboarded thousands of teachers and school administrators to their platform. With Firebase, they were able to scale to meet this new demand so students could continue to learn effectively from home and stay engaged with their teachers and classmates.

Classkick is helping students learn effectively from home

Classkick is just one example from our incredible community of how apps are helping people adapt to their new surroundings. It’s stories like these that inspire us to keep making Firebase better. Every year at Firebase Summit, we share updates on how we can help you accelerate app development, run your app efficiently, and tailor Firebase to suit your needs. Read on to learn what’s new at our digital Firebase Summit 2020, and view the sessions and resources on our summit website.

Accelerate app development with new building blocks

We’re continuing to invest in tools that speed up your app development so you can deliver value to your users in less time.

Introducing the Authentication emulator for rapid iteration and local development

Last year, we launched the Firebase Emulator Suite to let you run emulated versions of our backend products for a faster and safer development experience. A few months ago, we introduced you to the local emulator UI, which makes it possible to run services locally via a web app with a distinguishable UI, and comes with features like advanced data editing and searching. The Emulator Suite supports Hosting, Realtime Database, Firestore, Cloud Functions, and Cloud Pub/Sub - and now, we’ve added support for Firebase Authentication.

The Emulator Suite now includes support for Authentication

This means you can test the entire user management process - from user creation to Function trigger to sending updates to Firestore, and even fuzzy log searches to debug interactions between the emulators and your application - on your local machine. You can also use the new auth emulator to run integration tests that rely on authentication. The Emulator Suite, now with Firebase Authentication, allows you to shift to a local-first developer workflow so you can experiment and rapidly iterate without touching production data, incurring costs, or worrying that you’ll break something. Check out our documentation to get started.

New Hosting preview channels let you see changes before publishing

Web development can be cumbersome and complicated. With Firebase Hosting, you can deploy secure, fast-loading web apps and landing pages that are backed by a global CDN in less time, and with less hassle. Recently, we added new features that many of you have been asking for, including an integration with Cloud Logging to give you more server-side analytics, support for Brotli compression to boost your site performance, and improved support for localized content.

Our latest update to Firebase Hosting, preview channels, lets you see your changes before publishing them to your site. Now, you can deploy changes to a preview channel in seconds with a single command and generate an obscured unique URL to share with your team. Preview channels not only let you check that your changes look as intended right away, they also make collaboration quicker and easier even if you’re working across a distributed team. Try them out today!

Hosting’s new preview channels let you see changes before publishing

More Extensions for adding features and functionality

At last year’s Firebase Summit, we launched Firebase Extensions: pre-packaged solutions that automate common tasks in your projects and let you add new functionality in fewer steps. Since then, we’ve partnered with Stripe to release the Send Invoices using Stripe and the Run Subscription Payments with Stripe extensions. These extensions let you integrate the Stripe payments platform with Firebase without requiring you to learn Stripe’s API.

Today, we’re sharing a preview of another extension through our Alpha Program, called Detect Online Presence. Detect Online Presence shows you which users or devices are currently online and stores that data in Cloud Firestore. If you’re developing a game or a social app, you can use this extension to let your users know when their friends are online for a friendly match or chat. Join our Alpha Program to try it out!

Detect Online Presence is our newest Firebase Extension, available in Alpha

Get actionable insights to run your app efficiently

In addition to accelerating app development, Firebase provides actionable data so you can optimize your app - and ultimately, keep users happy.

Redesigned Performance Monitoring dashboard to help you focus on critical metrics

Any time you release a new version of your app, it’s important to pay attention to stability and performance metrics to ensure your users have a fast, high-quality experience. Firebase Performance Monitoring gathers and presents data about your app’s performance to show you exactly what’s happening in your app - and when users are encountering slowness. But sometimes, there’s so much information, it can be hard to focus on what’s important.

To help you home in on key insights, we’re excited to unveil the redesigned Performance Monitoring dashboard. This new dashboard makes it crystal clear if one of your critical metrics needs attention so that you can take action, and it’s customizable, allowing you to bring the metrics you care about most to the forefront. We’ve made this dashboard available to everyone - just head on over to the console and add the metrics that matter to you.

The redesigned Performance Monitoring dashboard brings critical metrics to the forefront

New organizational and targeting tools for Remote Config

As people start using your app, you’ll want to delight them with new features, promotions, and personalization so they stick around. With Firebase Remote Config, you can dynamically alter your app, safely test and release new features, and stay in control of the whole experience - without having to publish a new version. However, as your project gets bigger, it might become hard to maintain and navigate through your app config. Over the past few months, we’ve added new features to help you better organize, visualize, and target your parameters so you can manage your app config more efficiently.

First, we added information about experiments into the Remote Config dashboard and launched parameter groups. Then, we made it possible to sort parameters alphabetically and enhanced the search tool. On top of that, we improved version targeting by making it available for iOS and adding support for semantic versioning, so you can use numeric operators like “>=” to target specific app versions without resorting to complicated regular expressions.

Improved version targeting in Remote Config

Most recently, we launched config metrics to give you more visibility into how your app configuration is behaving for users so you can find and fix incorrect configurations quickly. These config metrics include realtime fetch requests, which allow you to monitor rollouts of a new set of values, and fetch percentages, which show you the distribution of parameter values across users. For example, when you see a smaller fetch percentage for a condition than expected, it signals that the wrong users may be exposed to the intended values.

Real-time config metrics for Remote Config

Tailor Firebase to suit your needs as you scale

When your app and business grow, your development challenges may become more complex. We’re working to give you automation capabilities, such as Crashlytics BigQuery streaming, and more control and flexibility so you can adapt Firebase to fit your sophisticated needs.

New Google Analytics APIs for better data management

One of the key factors in scaling a successful app is knowing how your users are interacting with it. Our robust integration with Google Analytics helps you understand what actions users are taking inside your app, where they're spending their time, and why they churn, so you can make smarter decisions. Last year, we announced a significant new upgrade in Google Analytics that gave you a single view of customer engagement across both native apps and web-powered ones. Since then, we’ve added new features like setDefaultEventParameters and powerful new ecommerce measurement, which you can read about in this blog post.

Today, we're excited to announce three new APIs that give you more control so you can collect, record, and manage your data in a way that suits your growing business. The first one, the Google Analytics 4 Measurement Protocol, lets you log events directly to Google Analytics. This is especially useful for developers who want to augment their client-side data with server-to-server calls to gain new insights. For those of you who want to create your own custom dashboards, the Data API, which is the second new API, gives you programmatic access to your Google Analytics reporting data. Finally, the Admin API gives you the ability to configure your Analytics account and set user permissions.

Google Analytics 4 Measurement Protocol lets you log events directly to Google Analytics

Introducing imported segments for increased targeting flexibility

Over the years, we’ve seen many of you take advantage of our BigQuery integration by exporting data from Firebase, joining it with data from other channels, running sophisticated analysis - and even creating your own custom user segments in BigQuery. Now, we’re giving you the power to bring these custom segments back from BigQuery into Firebase with the launch of imported segments! This means you can target any custom segment with products like Remote Config, Cloud Messaging, and In-App Messaging. For example, if you have an ecommerce app and a physical storefront, you can import data from offline sources - like your store - and send those users an in-app promotion with In-App Messaging.

This feature is available through Firebase's BigQuery integration. To get started, simply create your custom segment and import it into your BigQuery dataset. Then, Firebase will be able to read that data and make those segments available for targeting. We built imported segments to give you more control and flexibility to target your users.

New imported segments let you bring custom segments from BigQuery into Firebase

Looking ahead

With these improvements to Firebase, we aim to make app development faster and easier so you can stay focused on creating the amazing app experiences that people need to stay productive, connected, and entertained. People are relying on your apps to adapt and thrive in our changing world. You can rely on us to build, operate, and scale successful apps - in 2020 and beyond.

For more resources and content from Firebase Summit 2020, be sure to check out our summit website, and if you’d like a sneak peek of what’s coming next, join our Alpha program.

Kevin Cheung
Technical Writer

Most apps that you build with Firebase’s backend services, such as Realtime Database, Cloud Firestore, and Cloud Storage, need some way to sign users in: among other things, this lets you provide a consistent experience across sessions and devices, and lets you set user-specific permissions. Firebase Authentication helps you meet this requirement by providing libraries and services that you can use to quickly build a new sign-in system for your app.

But what if your organization already uses a service such as Okta to handle user identity? With Firebase Custom Authentication, you can use any user identity service (including Okta) to authenticate with Firebase, and this post will show you how.

You’ll learn how to build a Firebase and Okta integration, which will have two components:

  • A Node.js backend that “exchanges” Okta access tokens for Firebase custom authentication tokens. The backend is an Express.js app that you can deploy as a Cloud Function or run on your own infrastructure.
  • A web frontend that signs users in with Okta, gets a Firebase custom authentication token from your backend, and authenticates with Firebase using the custom token.

By the way, this approach can also be used with some modification for other identity services, such as Auth0, Azure Active Directory, or your own custom system.

Ready to get started? Great! But, before you write any code, you’ll need to set up your Okta and Firebase projects.

I hope you like consoles

First, set up an Okta project on the Okta Developer site:

  1. Sign in or sign up for a new account.
  2. Take note of your Org URL (top-right of the dashboard) for later.
  3. On the Applications page, add a Single-Page App.

    Set the Base URIs and Login redirect URIs to the location where you plan to host your web frontend (http://localhost:5000 if you’re using the Firebase Hosting emulator) and enable the Authorization Code grant type.

    When you’re done, take note of the app's Client ID for later.

  4. In API > Trusted Origins, confirm that the base URI you set above is listed, with CORS and Redirect enabled.

Then, set up a Firebase project in the Firebase console:

  1. Open your Firebase project or create a new one. Take note of your project ID for later.
  2. On the Project Overview page, add a new web app.

    If you plan to eventually host your web app with Firebase, you can automatically set up Firebase Hosting and simplify configuration by enabling Also set up Firebase Hosting for this app.

  3. If you plan to test your token exchange endpoint locally, such as by using the Cloud Functions emulator (recommended), open your project settings and, on the Service Accounts page, generate and download an Admin SDK service account key. Be sure to keep this file safe, as it grants administrator access to your project.

Finally, if you plan to deploy your token exchange endpoint as a Cloud Function:

  1. Enable the IAM Service Account Credentials API in the Google Cloud console.
  2. After you deploy your Cloud Function, you will also need to make sure it is configured to run as a service account with the Service Account Token Creator role. See the sample app documentation for details.

Now that your projects are set up, you’ll write the crucial piece: the token exchange endpoint.

Okta tokens in; Firebase tokens out

The job of the token exchange endpoint is to take a user’s Okta access token and, if it’s valid, produce a Firebase custom authentication token that represents the same user.

This endpoint needs to be able to verify the authenticity of the Okta access token. To accomplish this, use the Express.js middleware provided in Okta’s developer documentation (reproduced below, with minor modifications):

const OKTA_ORG_URL = 'https://YOUR_ORG.okta.com';  // Your Okta org URL
const OktaJwtVerifier = require('@okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
    // Tokens must come from this issuer; the verifier fetches the issuer's
    // published signing keys (JWKS) from it to check signatures.
    issuer: `${OKTA_ORG_URL}/oauth2/default`
});

// Middleware to authenticate requests with an Okta access token.
const oktaAuth = async (req, res, next) => {
    const authHeader = req.headers.authorization || '';
    const match = authHeader.match(/Bearer (.+)/);

    if (!match) {
        res.status(401);
        return next('Unauthorized');
    }

    const accessToken = match[1];
    try {
        // Checks the signature, issuer and expiry, and that the token was
        // issued for this API ('api://default' is the audience of Okta's
        // default authorization server). Anything else is rejected.
        const jwt = await oktaJwtVerifier.verifyAccessToken(
                accessToken, 'api://default');
        req.jwt = jwt;
        return next();  // Pass the request on to the main route.
    } catch (err) {
        console.log(err.message);
        res.status(401);
        return next('Unauthorized');
    }
};

Any endpoint protected by this middleware will require a valid Okta access token in the Authorization header. The verifier checks the token's signature against the keys Okta publishes for the issuer, as well as its issuer, audience and expiry; if all of these pass, the middleware attaches the decoded token to req.jwt before passing the request along by calling next(). The audience you pass ('api://default' here) must match the one your Okta authorization server puts in its access tokens, otherwise every request will be rejected.

Now, you can write the token exchange endpoint:

const express = require('express');
const app = express();
// Only let browsers on your frontend's origin call this endpoint. CORS is a
// browser convenience, not an access control; the Okta token check is.
const cors = require('cors')({origin: 'https://YOUR_DOMAIN'});

const firebaseAdmin = require('firebase-admin');
// Uses application default credentials: the function's service account on
// Cloud Functions, or GOOGLE_APPLICATION_CREDENTIALS pointing at the
// downloaded service account key when running locally.
const firebaseApp = firebaseAdmin.initializeApp();

// Get a Firebase custom auth token for the authenticated Okta user.
// This endpoint uses the `oktaAuth` middleware defined above to
// ensure requests have a valid Okta access token.
app.get('/firebaseCustomToken', [cors, oktaAuth], async (req, res) => {
    // The Okta user ID becomes the Firebase UID, so each Okta user maps to
    // exactly one Firebase user.
    const oktaUid = req.jwt.claims.uid;
    try {
        const firebaseToken =
                await firebaseApp.auth().createCustomToken(oktaUid);
        res.send(firebaseToken);
    } catch (err) {
        console.log(err.message);
        res.status(500).send('Error minting token.');
    }
});

// Export the app so it can be wrapped as a Cloud Function
// (functions.https.onRequest(app)) or served with app.listen() elsewhere.
module.exports = app;

This endpoint uses the Firebase Admin SDK to mint a Firebase custom authentication token for the user’s Okta UID; the token is signed with your project's service account and is valid for one hour. When you sign a user in with this token for the first time (on the frontend), Firebase Authentication will add a user record with the same UID to your project. That record carries only the UID: fields such as displayName and email stay empty unless you set them, for example with the Admin SDK's updateUser() using claims from the Okta token. Because the UID is the user's Okta identifier, the same Firebase user is returned on every later sign-in.

This process of using an Okta access token to acquire a Firebase custom token is the key idea behind integrating Okta and Firebase. But, let’s go one step further and write a simple web frontend to demonstrate the use of the endpoint.

A minimal web frontend

The demo frontend is a plain HTML and JavaScript web app that uses the Firebase Authentication Web SDK and Okta’s sign-in widget library.

Start with two containers: one for authenticated user content and one for Okta’s sign-in widget:

<div id="authenticated-user-content" hidden>
    <h2>Authenticated with Firebase</h2>
    <p id="user-info"></p>
    <button onclick="firebase.auth().signOut();">Sign out</button>
</div>
<div id="signin-widget" hidden></div>

Set up a Firebase authentication state listener that shows some user profile information to signed-in users and Okta’s sign-in widget to signed-out users:

// Placeholders: fill these in from the Okta console.
const OKTA_ORG_URL = 'https://YOUR_ORG.okta.com';
const OKTA_CLIENT_ID = 'YOUR_OKTA_CLIENT_ID';
// The current page without query string or fragment. It must exactly match a
// Login redirect URI registered for the Okta app, or Okta refuses to redirect.
const REDIRECT_URI = window.location.origin + window.location.pathname;

const oktaSignIn = new OktaSignIn({
    baseUrl: OKTA_ORG_URL,
    redirectUri: REDIRECT_URI,
    authParams: {
        display: 'page',
    },
    el: '#signin-widget',
});

firebase.auth().onAuthStateChanged((user) => {
    if (user) {
        // User is signed in. Display some user profile information.
        // textContent rather than innerHTML, so profile values are never
        // interpreted as markup. displayName and email are empty for a
        // custom-token user unless your backend populates them.
        document.getElementById('user-info').textContent =
                `Hi, ${user.displayName}! Your email address is
                ${user.email} and your UID is ${user.uid}.`;
        document.getElementById('authenticated-user-content').hidden = false;
        document.getElementById('signin-widget').hidden = true;
    } else {
        // User is signed out. Display the Okta sign-in widget.
        oktaSignIn.showSignInToGetTokens({
            clientId: OKTA_CLIENT_ID,
            redirectUri: REDIRECT_URI,
            getAccessToken: true,
            getIdToken: true,
            scope: 'openid profile email',
        });
        document.getElementById('authenticated-user-content').hidden = true;
        document.getElementById('signin-widget').hidden = false;
    }
});

When a user signs in with Okta’s widget, their browser briefly redirects to Okta’s authorization server, and then, assuming the user signed in successfully, redirects back to your app with the response.

Use Okta’s sign-in library to get the Okta access token from the response and use the access token to get a Firebase custom token from your token exchange endpoint:

// Placeholder: the URL of your deployed token exchange endpoint.
const CUSTOM_TOKEN_ENDPOINT = 'https://YOUR_BACKEND/firebaseCustomToken';

// Runs on page load. A plain script has no top-level await, so the redirect
// handling lives in an async function.
(async () => {
    if (oktaSignIn.hasTokensInUrl()) {
        // Get the access token from Okta.
        const oktaTokenResponse =
                await oktaSignIn.authClient.token.parseFromUrl();
        const accessToken = oktaTokenResponse.tokens.accessToken.value;

        // Use the access token to call the firebaseCustomToken endpoint.
        const firebaseTokenResponse = await fetch(CUSTOM_TOKEN_ENDPOINT, {
            headers: {
                'Authorization': `Bearer ${accessToken}`,
            }
        });
        if (!firebaseTokenResponse.ok) {
            // 401: Okta rejected the token; 500: the backend could not mint one.
            throw new Error(`Token exchange failed: ${firebaseTokenResponse.status}`);
        }
        const firebaseToken = await firebaseTokenResponse.text();

        // (Continued below.)
    }
})();

And finally, authenticate with Firebase using the custom token:

// (Continued from above.)
try {
    await firebase.auth().signInWithCustomToken(firebaseToken);
} catch (err) {
    // Typical causes: the custom token has expired (they last one hour) or
    // was minted by a service account from a different Firebase project.
    console.error('Error signing in with custom token.', err);
}

When the call to signInWithCustomToken() completes, the auth state listener will detect the change and display the user’s profile information.

At this point, the user is authenticated with Firebase and you can use any of Firebase’s authentication-enabled services, such as Realtime Database, Cloud Firestore, and Cloud Storage. See the Security Rules documentation for more information on granting resource access to authenticated users.
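As an added illustration (not from the post or the sample), a Cloud Firestore Security Rules fragment showing the difference between merely requiring a signed-in user and scoping access to the user whose Okta UID the backend passed to createCustomToken(). The collection names are placeholders:

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Too broad: this grants every signed-in user read and write access to
    // every document. Authentication proves who the caller is; it does not
    // decide what they may touch.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Scoped: a user may only read and write the document keyed by their own
    // UID, which is the Okta uid the backend passed to createCustomToken().
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Optional extra guard: only accept users who arrived through the
    // custom-token exchange, so enabling another sign-in provider later does
    // not silently widen access to this collection.
    match /orgData/{docId} {
      allow read: if request.auth != null
                  && request.auth.token.firebase.sign_in_provider == 'custom';
    }
  }
}
```

The commented-out rule is the classic Firebase misconfiguration: a valid token from the exchange above proves the caller is an Okta user, nothing more, so every rule should compare request.auth.uid (or a custom claim you set when minting) against the data being accessed.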

For the complete demo app and backend that the code snippets above came from, see the Authenticate with Firebase using Okta sample on GitHub.

Head of Product

Our team is driven by the belief that apps have drastically improved the way we live, work, learn, and socialize, keeping us connected to each other and plugged into the information we need. Now more than ever, we understand the importance of supporting our developer community by ensuring you have the technology and resources you need to keep your business up and running. Whether you’re a high-growth startup or a global enterprise, we’re still here to help you build and operate your app.