
I am developing a mobile app where security is really key. I would like to implement a secure authentication flow where:

  • I can track and limit the number of devices a user can be logged in from
  • I can identify the device that is trying to log in in order to check whether it is authorized
  • In case of a non-authorized device, add a 2FA security layer to authorize the new device

I currently use Firebase, but it does not offer advanced or custom security features related to my case.

Do you know how I can implement such a thing? With another backend tool? Do I need to code a custom auth server?

I examined the documentation of Firebase, Supabase, Auth0 and Okta and did not find a solution.

  • You can do all of that with Firebase, your code and some creativity. In fact, 2FA is covered in the Firebase documentation. Here's the link for Swift, but it's available on other platforms as well: Add multi-factor authentication to your iOS app. Commented May 23, 2024 at 18:18
  • Hello @Jay, thanks for your comment. I am not worried about the 2FA possibility but more about the whole logic before having to trigger it. I started with a blocking function to identify the device trying to log in, but I cannot send custom device info along with the credential during the login action. Device information is provided by Firebase, but it is based on the device name, model, etc. that can be spoofed by an attacker. It seems that I cannot provide a proper deviceId during the login process. Commented May 24, 2024 at 21:59
  • The question is a little vague and I am not sure it's answerable without understanding the entire use case. For example, how do you define custom device info and a proper deviceId? How is that generated? What prevents that information from being sent? E.g. it would be a simple process, once the user is authenticated, to put a Rule in place that denies read/write without the device sending a proper deviceId first. Perhaps this question may be better suited for Reddit or the Google Firebase forums, as it may require a deeper discussion. Commented May 25, 2024 at 12:35
  • I think I will define custom device info via the device_info_plus package and create a crypto hash for the deviceId (probably from device info, userId + salt); I am not worried about that. I wanted the device check to be part of the authentication factor for robust security. I will explore custom claims to handle that and put rules in place. Thanks for your answer. Commented May 27, 2024 at 21:20
