You can use Firebase Authentication to sign in a user by sending an SMS message to the user's phone. The user signs in using a one-time code contained in the SMS message.
Authentication using only a phone number, while convenient, is less secure than the other available methods, because possession of a phone number can be easily transferred between users. Also, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it alongside more secure sign-in methods, and inform users of the security tradeoffs of using phone number sign-in.
To sign in users by SMS, you must first enable the Phone Number sign-in method for your Firebase project:
- In the Firebase console, open the Authentication section.
- On the Sign-in Method page, enable the Phone Number sign-in method.
- Ensure you have set up your APNs certificates for iOS
- Add the application descriptor additions below
With iOS your app must be able to receive APNs notifications from Firebase. When you sign in a user with their phone number for the first time on a device, Firebase Authentication sends a silent push notification to the device to verify that the phone number sign-in request comes from your app. (For this reason, phone number sign-in cannot be used on a simulator.)
So it's important that you've been through the steps to add your APNs certificates to your application in the Firebase console.
If you are using FCM or Push Notifications you will have already added these to your application descriptor; however, if you aren't, you need to add the following tags to the iPhone Entitlements section of your application descriptor.
To initiate phone number sign-in, present the user an interface that prompts them to type their phone number. Legal requirements vary, but as a best practice and to set expectations for your users, you should inform them that if they use phone sign-in, they might receive an SMS message for verification and standard rates apply.
Then, pass their phone number to the PhoneAuthProvider.verifyPhoneNumber method to request that Firebase verify the user's phone number. For example:
This call will dispatch one of 3 potential events from
- VERIFY_PHONE_NUMBER_FAILED: An error occurred. You can check the event for more details.
- VERIFY_PHONE_NUMBER_CODE_SENT: The SMS code has been sent to the specified phone number. You should ask the user to enter this code as below.
- SIGNIN_WITH_CREDENTIAL_COMPLETE: It is possible at this point that the authentication completes due to either:
  - Instant verification: In some cases the phone number can be instantly verified without needing to send or enter a verification code.
  - Auto-retrieval: On some devices Google Play services can automatically detect the incoming verification SMS and perform verification without user action.
After the user enters the verification code that Firebase sent to the user's phone, create a PhoneAuthCredential object, using the verification code and the verification ID that was returned.
To create a credential call
To prevent abuse, Firebase enforces a limit on the number of SMS messages that can be sent to a single phone number within a period of time. If you exceed this limit, phone number verification requests might be throttled. If you encounter this issue during development, use a different phone number for testing, or try the request again later.
After you get a PhoneAuthCredential object you can call:
This will dispatch a FirebaseAuthEvent.SIGNIN_WITH_CREDENTIAL_COMPLETE event when complete, and you can check the value of success to see whether it succeeded.
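The class below is an added illustration, not code from this page or from the extension. It tracks the flow described above so that the code entry dialog is shown only after a code has actually been sent, and so that a sign-in completing through instant verification or auto-retrieval is handled without one. The class, state and parameter names are hypothetical, and the event names are passed as plain string labels; map the real event constants and properties to them in your own listeners.

```actionscript
package
{
    // Added example. Class, state and parameter names are hypothetical; the
    // event names are used as plain string labels, not the ANE's constants.
    public class PhoneSignInFlow
    {
        public static const IDLE:String = "idle";
        public static const AWAITING_EVENT:String = "awaitingEvent";
        public static const AWAITING_CODE:String = "awaitingCode";
        public static const SIGNED_IN:String = "signedIn";
        public static const FAILED:String = "failed";

        private var _state:String = IDLE;
        private var _verificationId:String = null;

        public function get state():String { return _state; }

        // Call just before requesting verification of a phone number.
        public function start():void { _verificationId = null; _state = AWAITING_EVENT; }

        // verificationId: the ID delivered when the code is sent.
        // success: the success value of the sign-in complete event.
        public function handle(eventName:String, verificationId:String = null,
                               success:Boolean = false):String
        {
            // Ignore stale events when no verification is in progress.
            if (_state != AWAITING_EVENT && _state != AWAITING_CODE) return _state;
            switch (eventName)
            {
                case "VERIFY_PHONE_NUMBER_FAILED":
                    _state = FAILED;
                    break;
                case "VERIFY_PHONE_NUMBER_CODE_SENT":
                    // Only now should the code entry dialog be shown.
                    _verificationId = verificationId;
                    _state = (verificationId != null) ? AWAITING_CODE : FAILED;
                    break;
                case "SIGNIN_WITH_CREDENTIAL_COMPLETE":
                    // Can arrive with no code sent (instant verification or
                    // auto-retrieval); trust only the success value.
                    _state = success ? SIGNED_IN : FAILED;
                    break;
            }
            return _state;
        }

        // The verification ID, but only while a code is actually expected.
        public function get pendingVerificationId():String { return (_state == AWAITING_CODE) ? _verificationId : null; }
    }
}
```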
After a user signs in for the first time, a new user account is created and linked to the credentials (that is, the user name and password, phone number, or auth provider information) the user signed in with. This new account is stored as part of your Firebase project, and can be used to identify a user across every app in your project, regardless of how the user signs in.
The following example shows the complete sign in process, using a simple text input dialog (from the Dialog ANE) to gather the SMS code from the user.