firebaseui-web
firebaseui-web copied to clipboard
firebase
Support for Multi-Factor Auth?
Hello,
I just wired up Multi-Factor authentication for my password auth, and it works great. But when I try to log in via Google Auth through FirebaseUI, I get the following popup message:
says "Proof of ownership of a second factor is required to complete sign-in."
The callbacks signInFailure and signInSuccessWithAuthResult are not called, so I can't handle this error and redirect to my confirmation code form.
Also, I can't find any examples online on how to use MFA with FirebaseUI. I checked this:
https://cloud.google.com/identity-platform/docs/web/mfa
but it doesn't mention FirebaseUI specifically. It does discuss using Google auth as a first factor, but without the FirebaseUI callbacks being called, I can't handle the second factor verification.
Question 1: Does Firebase UI support MFA? Question 2: If so, is there a canonical example on how to make it work? Question 3: If Question #1 is a no, will it be or can it please be supported?
Hey @rscotten, we don't yet support multi-factor auth in FirebaseUI. We plan a phased approach for support this capability to unblock developers like yourself:
- Provide a callback to plug in your own 2nd factor handler.
- Provide our FirebaseUI built-in implementation for the 2nd factor handler.
@bojeil-google Thanks for the quick response. Your phase 1 would be greatly appreciated!
Same here. Is there a way for us to catch the auth/multi-factor-auth-required error somewhere at least? Thank you.
We will expose a callback to plug in your own 2nd factor handler. This will be triggered on auth/multi-factor-auth-required. We are busy working on another feature at the moment. This should be next on our list.
Any update on this? I'm currently still unable to handle the verifyPassword: Proof of ownership of a second factor is required to complete sign-in. error, so I can't divert the auth flow to any of my custom elements.
Any update on this? I'm currently still unable to handle the
verifyPassword: Proof of ownership of a second factor is required to complete sign-in.error, so I can't divert the auth flow to any of my custom elements.
I've ended up implementing authy then using claims on the user's google object to identify if they have 2fa. I am hoping that this issue is resolved before this app launches. @bojeil-google did say that it "should be next on (their) list" on Dec 23 so I have to imagine some progress has been made. 3 months for google? Could go either way I suppose.
@bojeil-google It's been nine months since I originally posted this. The industry that we serve just had a major hacking (allegedly by Russians and the FBI is involved) and our clients are now motivated to enable MFA. We'd really appreciate if this can be given priority attention (what's more important than the security of our data?). We look silly when we have to explain to our customers that MFA works for email and not OAuth.
@rscotten Would one way be to abandon firebaseui-web completely and make a true community based web auth UI? I’m in.
I ended up having to re-implement a basic UI which I'm sure is less battle-tested and more bug-prone than this project, all in order to enable MFA for our customers.
It appears the Firebase team is struggling to get / manage resources and treats their UI as second-rate to the API. Perhaps because they don't charge for use of the UI itself. That said, I don't know if it's wise to start a community project tightly coupled to Firebase auth. If their team can't effectively support their own product, should the community start doing free work for them? I appreciate the spirit of open source, but this smells different. I wish Firebase would treat their UI as part of the product that people pay for.
Any new information about this feature? Or is there any workaround for it?
