Tags: firebase, react-native, firebase-authentication, react-native-firebase

Firebase update multi-factor phone number


I want to have an option in the app to update the MFA phone number.

It seems like using updatePhoneNumber(credential) is not correct because the phone number must be enrolled as a second factor and not as regular first-factor auth. I found one GitHub issue about it.

If I understand correctly, the only way to set a phone number for the second factor is to use the following methods:

verifyPhoneNumberForMultiFactor(phoneOptions)

and then

enroll(multiFactorAssertion)

But this is a sensitive action, which means the user must be recently logged in. But I don't want to log the user out and ask them to log in again. I want to re-authenticate the user instead.

So I can use the following flow:

  1. Ask the user for the password (we know the email because the user is logged in at this moment)
  2. Use EmailAuthProvider to re-authenticate the user
  3. For an MFA user it will throw FirebaseAuthMultiFactorException
  4. Send a verification code
  5. Ask the user for the SMS code
  6. Now the user is authenticated and I can ask them to set a new phone number
  7. Use the verifyPhoneNumberForMultiFactor method to send a verification code
  8. Ask the user for the SMS code
  9. Use the enroll method to update the phone number

This flow seems too complicated, especially if users don't use passwords but email links, so in order to re-authenticate I have to ask them to open the email and click the link, which makes the flow even crazier.

But even if the flow above is valuable, using enroll will add a new phone to the existing enrolledFactors of the MFA user, but I need to replace it. And I could not find a method to update a specific MFA phone either.

What I would like to have is a much simpler flow where a user selects which phone number they want to replace, confirms this phone with SMS, sets another phone, confirms the new phone with SMS, done.

There's another option: use the Firebase Admin SDK to update enrolledFactors, but this action revokes tokens, so I have to ask the user to do a full login after that. But I also need to invent some method to verify the phone number before asking the backend to update it (in order to avoid a wrong number being set up, by a typo for example). But this also breaks another security level Firebase has. Every time a new second factor is added by enroll, Firebase sends an email with a link to revert this action. With the Admin SDK this will not happen.

Is there an easier way to update the MFA phone number?

I'm using react-native, but it doesn't matter since the methods are similar.


Solution

  • The flow you explained above seems to be the only way to update the phone number. I can add that you can unenroll the old phone number. There is an unenroll method available. https://pub.dev/documentation/firebase_auth/latest/firebase_auth/MultiFactor/unenroll.html
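
The replace step discussed above (steps 7 to 9 of the question plus the answer's unenroll), as an added example that is not code from the question, the answer or Firebase. It assumes a multi-factor user object exposing the members named on this page (enrolledFactors, getSession, enroll, unenroll); the `steps` callbacks and the in-memory fake are hypothetical stand-ins, and enrolling the new number before unenrolling the old one is this example's choice so that a failed verification never leaves the account without a second factor.

```javascript
// Added example. `steps` holds hypothetical app callbacks that would wrap
// verifyPhoneNumberForMultiFactor, the SMS prompt and assertion creation.
async function replacePhoneFactor(mfUser, oldPhone, newPhone, steps) {
  const oldFactor = mfUser.enrolledFactors.find((f) => f.phoneNumber === oldPhone);
  if (!oldFactor) throw new Error('old phone number is not an enrolled factor');
  if (mfUser.enrolledFactors.some((f) => f.phoneNumber === newPhone)) {
    throw new Error('new phone number is already enrolled');
  }
  // Steps 7-8 of the question: send an SMS to the new number, collect the code.
  const session = await mfUser.getSession();
  const verificationId = await steps.sendCode(newPhone, session);
  const code = await steps.askUserForCode(newPhone);
  const assertion = await steps.buildAssertion(verificationId, code);
  // Step 9: enroll first. If this throws (wrong code, stale login), the old
  // factor is untouched and the account keeps its second factor.
  await mfUser.enroll(assertion, newPhone);
  // The answer's addition: remove the old number only after the new one is in.
  await mfUser.unenroll(oldFactor);
  return mfUser.enrolledFactors.map((f) => f.phoneNumber);
}

// Constructed in-memory stand-in for the SDK object, so the flow runs offline.
function makeFakeMfUser(phones) {
  let nextId = 0;
  const user = {
    enrolledFactors: phones.map((p) => ({ uid: `f${nextId++}`, phoneNumber: p })),
    async getSession() { return { id: 'constructed-session' }; },
    async enroll(assertion) {
      if (!assertion.valid) throw new Error('invalid verification code');
      user.enrolledFactors.push({ uid: `f${nextId++}`, phoneNumber: assertion.phone });
    },
    async unenroll(factor) {
      user.enrolledFactors = user.enrolledFactors.filter((f) => f.uid !== factor.uid);
    },
  };
  return user;
}

// Constructed callbacks: the only "SMS" code the fake accepts is 123456.
function makeFakeSteps(typedCode) {
  return {
    sendCode: async (phone) => `vid:${phone}`,
    askUserForCode: async () => typedCode,
    buildAssertion: async (vid, code) => ({ phone: vid.slice(4), valid: code === '123456' }),
  };
}
```

In a real app the enroll call still requires a recent login, so the re-authentication in steps 1 to 5 of the question has to happen before this function is called.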