Password-based sign-in remains a popular means of user authentication despite its weaknesses. For example, users frequently forget their passwords, requiring a password reset flow that creates friction for returning users; databases of stolen passwords are routinely shared between bad actors; and users often reuse weak passwords across sites, which makes a stolen password even more damaging. On the other hand, the password model of authentication is familiar to users, and users expect to see it. For this reason, it's understandable that many developers want to implement some form of password-based sign-in in their apps.
Firebase and Google Cloud Identity Platform provide libraries to make password sign-in easy to implement for your users, but it's important to consider these authentication best practices to enable more secure sign-ins.
Before you launch your app, you should add additional restrictions to your API keys to limit the access they grant. Here are some steps you can take:
Visit our Applying API key restrictions documentation to learn more.
One way to improve security for users who sign in with passwords is to use password management tools:
If your app deals with sensitive information, the industry best practice, and our recommendation, is to require MFA for user sign-in. This is especially important if your app deals with information such as financial data or medical records. You can add a second factor to most of Firebase Authentication’s sign-in methods, including email address and password, with Google Cloud Identity Platform. To get started, enable Identity Platform in your project, then add MFA to your apps (iOS, Android, Web). Your existing Firebase Authentication code will continue to work after you enable Identity Platform.
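The part of the MFA flow that trips up most implementations is the sign-in side: once a second factor is enrolled, `signInWithEmailAndPassword` rejects with `auth/multi-factor-auth-required`, and the app has to resolve that error rather than treat it as a failed login. The handler below is an added example written for this post, not Firebase's own sample code. It targets the modular Firebase Web SDK, but the SDK entry points (`signInWithEmailAndPassword`, `getMultiFactorResolver`, `PhoneAuthProvider`, `PhoneMultiFactorGenerator`) are passed in through an `sdk` object so that the same handler can be run offline against the constructed fake in the second half of the block; the fake, the `sampleAuth()` accounts, the `askForCode` callback and the `recaptchaVerifier` placeholder are all assumptions of this example.

```javascript
// Added example (not Firebase's own code): a sign-in handler that finishes an
// SMS second-factor challenge with the modular Firebase Web SDK. The SDK entry
// points are passed in through `sdk` so the same handler can be exercised
// against the constructed fake further down; in a real app you would pass the
// real ones, e.g. the namespace from:
//   import * as sdk from "firebase/auth";
// together with auth = getAuth(app) and a RecaptchaVerifier for the SMS send.

// Error code Firebase raises from signInWithEmailAndPassword when the account
// has a second factor enrolled.
const MFA_REQUIRED = "auth/multi-factor-auth-required";

function failure(err) {
  // Collapse every error to a status the UI can act on; the raw code is for logs.
  return { status: "failed", reason: err && err.code ? err.code : "unknown" };
}

async function signInWithSecondFactor(sdk, auth, email, password, askForCode, recaptchaVerifier) {
  let mfaError;
  try {
    const result = await sdk.signInWithEmailAndPassword(auth, email, password);
    // No second factor enrolled: the first factor alone completed sign-in.
    return { status: "signed-in", uid: result.user.uid, usedSecondFactor: false };
  } catch (err) {
    if (!err || err.code !== MFA_REQUIRED) return failure(err); // wrong password etc.
    mfaError = err;
  }
  try {
    const resolver = sdk.getMultiFactorResolver(auth, mfaError);
    // Use the first enrolled phone factor; a fuller UI would let the user pick.
    const hint = resolver.hints.find(
      h => h.factorId === sdk.PhoneMultiFactorGenerator.FACTOR_ID);
    if (!hint) return { status: "failed", reason: "no-phone-second-factor" }; // app-level reason
    const provider = new sdk.PhoneAuthProvider(auth);
    // Sends the SMS; the reCAPTCHA verifier proves a real client asked for it.
    const verificationId = await provider.verifyPhoneNumber(
      { multiFactorHint: hint, session: resolver.session }, recaptchaVerifier);
    const code = await askForCode(hint.phoneNumber); // prompt the user for the SMS code
    const credential = sdk.PhoneAuthProvider.credential(verificationId, code);
    const assertion = sdk.PhoneMultiFactorGenerator.assertion(credential);
    const result = await resolver.resolveSignIn(assertion);
    return { status: "signed-in", uid: result.user.uid, usedSecondFactor: true };
  } catch (err) {
    return failure(err); // e.g. auth/invalid-verification-code
  }
}

// ---- Constructed fake of the SDK surface the handler touches (offline only) ----
function makeFakeSdk(acceptedCode) {
  const FACTOR_ID = "phone";
  class PhoneAuthProvider {
    constructor(auth) { this.auth = auth; }
    async verifyPhoneNumber(options, verifier) {
      if (!verifier) throw { code: "auth/argument-error" };
      return "verification-for-" + options.multiFactorHint.uid;
    }
    static credential(verificationId, code) { return { verificationId, code }; }
  }
  return {
    PhoneAuthProvider,
    PhoneMultiFactorGenerator: { FACTOR_ID, assertion: c => ({ factorId: FACTOR_ID, credential: c }) },
    async signInWithEmailAndPassword(auth, email, password) {
      const user = auth.users[email];
      if (!user || user.password !== password) throw { code: "auth/wrong-password" };
      if (user.factors.length > 0) throw { code: MFA_REQUIRED, user };
      return { user: { uid: user.uid } };
    },
    getMultiFactorResolver(auth, err) {
      return {
        hints: err.user.factors,
        session: { forUid: err.user.uid },
        async resolveSignIn(assertion) {
          if (assertion.credential.code !== acceptedCode) throw { code: "auth/invalid-verification-code" };
          return { user: { uid: err.user.uid } };
        },
      };
    },
  };
}

// Constructed sample accounts: alice has an SMS factor enrolled, bob does not.
function sampleAuth() {
  return { users: {
    "alice@example.com": { uid: "u-alice", password: "correct-horse", factors: [
      { factorId: "phone", uid: "f-1", phoneNumber: "+15555550100" }] },
    "bob@example.com": { uid: "u-bob", password: "battery-staple", factors: [] },
  } };
}

async function demo() {
  const sdk = makeFakeSdk("123456");
  const auth = sampleAuth();
  const verifier = {}; // stands in for new RecaptchaVerifier(auth, "recaptcha-container")
  return {
    withMfa: await signInWithSecondFactor(sdk, auth, "alice@example.com", "correct-horse", async () => "123456", verifier),
    badCode: await signInWithSecondFactor(sdk, auth, "alice@example.com", "correct-horse", async () => "000000", verifier),
    noMfa:   await signInWithSecondFactor(sdk, auth, "bob@example.com", "battery-staple", async () => "", verifier),
    badPass: await signInWithSecondFactor(sdk, auth, "alice@example.com", "nope", async () => "", verifier),
  };
}

demo().then(r => console.log(JSON.stringify(r, null, 2))).catch(e => { console.error(e); process.exit(1); });
```

Two design points are worth keeping when you wire this to the real SDK: the `auth/multi-factor-auth-required` rejection carries the resolver state, so it must be caught and handed to `getMultiFactorResolver` rather than logged as a failed attempt, and the handler returns one generic `failed` status for a wrong password, a wrong SMS code, and a missing factor, so the UI cannot leak which step rejected the attempt.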
If you’re not using MFA, other strong options for user authentication with Firebase are to use one of the social sign-in providers supported by Firebase Authentication, such as Google, Facebook, and Apple, or to use email link sign-in.
To serve users who don't have or use email addresses, Firebase and Google Cloud Identity Platform provide phone authentication services. This is the best solution for many user bases, but it has its own security caveats: possession of a phone number can be easily transferred between users, and, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number. (See the docs for iOS, Android, Web, Unity, C++.)
We recognize the ubiquity of the password model and we will continue working to improve the security of password-based sign-in.