How can I provide a custom second factor of authentication using Firebase?

Time:12-03

I want to provide my application's users the ability to add a second factor of Authentication and I'm currently using Firebase for logging and signing in new users. Firebase already lets you use a second factor but your only possibility is to send an SMS to a verified phone number. I want to replace this second factor with Authy OneTouch so I was wondering what's the best practice in this case.

Right now here's how I authenticate my users:

  1. A user logs in using a form in my client. Under the hood I'm using signInWithEmailAndPassword, retrieving the ID token from Firebase and setting persistence to NONE.
  2. The client sends a POST request to my backend attaching the ID token and calls signOut immediately after.
  3. If the token is valid, the server will provide an HttpOnly session cookie storing that token, which will be sent along with future requests to my backend to keep track of the user's authentication state.

How I plan to change my workflow:

  1. Through the profile page, the user may or may not opt-in for the second auth factor.

  2. On user opting in I'll send a request to my server and it will call setCustomUserClaims to attach a custom mfa claim and do the necessary steps to register a new user on Authy.

  3. On logging in I access the claim calling getIdTokenResult and access tokenResult.claims.mfa. If it doesn't exist then the process goes as the previous list. Otherwise I log the user out, ask him/her to go through the second factor, and regularly poll a specific URL that Authy provides to get updates on the status of the second factor challenge.

  4. When I detect that the second factor challenge was successfully completed, I send a POST request to my backend attaching the ID token I got from Firebase and the relevant info I got from Authy's response.

  5. The backend verifies if the idToken is valid (to make sure the email-password challenge was previously performed), then proceeds to generate a custom token with Firebase user's uuid, email, password, mfa-status using createCustomToken, then performs a signInWithCustomToken and sets a session cookie in the response.

Is my idea fundamentally correct? Or does Firebase provide a way to customize its default second factor that I just missed? Thanks.

CodePudding user response:

While Firebase Authentication's paid brethren, Google Cloud Identity Platform, does offer 2FA with SMS, neither of them currently provides an option to use/require a custom second factor for authenticating a user.

It's a common request though, so I recommend filing a feature request for it.

Until the feature is added to Firebase itself, the only way you can do something like that is through a custom provider, which allows you (but also requires you) to take control of the auth flow yourself.
