android firebase firebase-authentication sms

Is it possible to identify server side that the same user/device is used during Firebase authentication flow?


Let's assume that my app doesn't send any device identifier to my server. But it uses Firebase for SMS authentication.

If a user logs in, then enables VPN, reinstalls my app, and now tries to log in with a different phone number, how can I detect server side that it's still the same device during the use of Firebase flow?


Solution

  • But it uses Firebase for SMS authentication.

    As far as I know, when you receive an SMS, there is no metadata present with which you can identify a device.

    If a user logs in, then enables VPN, reinstalls my app, and now tries to log in with a different phone number, how can I detect server side that it's still the same device during the use of Firebase flow?

    Without writing something that uniquely identifies the device into a database and checking that unique value each time a user tries to sign in again, it's hard to know that. Even if you write such hardware-based identifiers, like IMEI, MAC, Serial Number, etc., you cannot rely on that data for non-Google devices (except Pixels and Nexuses). The official documentation regarding Android identifiers best practices clearly states that:

    Avoid using hardware identifiers, such as IMEI, MAC address, etc...
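
An added example (not part of the answer above, and not Firebase code) of the database check the answer describes: the server stores a keyed hash of a device identifier next to each verified phone number and reports when a second number shows up for the same device. The `device_id` value, the table layout and the function names are assumptions for illustration; the check is only as stable as the identifier the client actually sends.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a server-side secret keys the hash so raw identifiers are
# never stored. Constructed value, for the example only.
SERVER_KEY = b"example-only-key"


def open_store(path=":memory:"):
    """Create the (hypothetical) table that links device hashes to phone numbers."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sign_ins ("
        "device_hash TEXT NOT NULL, phone TEXT NOT NULL, "
        "PRIMARY KEY (device_hash, phone))"
    )
    return db


def device_hash(device_id):
    """Keyed hash of the client-supplied identifier (HMAC-SHA256, hex)."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def record_sign_in(db, device_id, phone):
    """Record a sign-in and return the other phone numbers already seen
    for this device. Assumption: `phone` comes from the verified sign-in
    result on the server, not from an unverified request field."""
    h = device_hash(device_id)
    rows = db.execute(
        "SELECT phone FROM sign_ins "
        "WHERE device_hash = ? AND phone != ? ORDER BY phone",
        (h, phone),
    ).fetchall()
    db.execute("INSERT OR IGNORE INTO sign_ins VALUES (?, ?)", (h, phone))
    db.commit()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_store()
    # Constructed sample data: one device, two phone numbers.
    print(record_sign_in(db, "dev-A", "+15550100001"))
    print(record_sign_in(db, "dev-A", "+15550100002"))
```

A non-empty return value is a signal for review or rate limiting, not proof of the same person, since devices are shared and resold.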