firebasegoogle-identitygoogle-2fa

How to only require 2FA on certain pages with firebase


I'm making a website that requires the user to log in with email and password to see most the site, but also requires two factor sms authentication when trying to visit a certain high security page.

I have attempted this by using firebase with google identity platform to have the user setup 2FA the first time they visit the high security page as described here. https://cloud.google.com/identity-platform/docs/web/mfa

Unfortunately, now the user can't sign in with just email and password, it gives a the error:
Firebase: Error (auth/multi-factor-auth-required).

It seems that firebase intends for me to force the user to sign in with 2FA everytime they want to sign in (which if I had finished reading the tutorial I would have realized this earlier).

So is there a way to only require 2FA when visiting a certain page of my website?

I have scoured the internet for anyone trying to do a similar thing but have found nothing.


Solution

  • I don't believe this is possible with Firebase Authentication nor Google Identity Platform.

    It looks like Auth0 allows you to configure 2FA at the app-level (i.e. each app either is or is not 2FA enabled), or based on some higher level conditions (network, date/time, geographic location, etc.).

    But I don't see a way to configure a web app such that different "pages" could be protected with 2FA separate from the rest of the app/site.