android firebase firebase-authentication

Do I need to release my app on Play Store to use Firebase Phone Auth without reCAPTCHA opening in Chrome?


I'm using Firebase Authentication (Phone/OTP verification) in my Android app. When testing on a real device, after entering the phone number, it opens Chrome with a reCAPTCHA page before sending the OTP.

This is not the user experience I want, and I’m confused why it’s happening.

What I’ve already done:

• Added SHA-1 and SHA-256 keys (debug and release) in Firebase Console
• Enabled Phone Authentication in Firebase
• Enabled SafetyNet in Firebase (also tried Play Integrity)
• Testing on real devices, not emulator
• Not published on Play Store yet (still testing in debug mode)

My Questions:

• Do I need to publish the app on the Play Store for OTP verification to work smoothly (without browser reCAPTCHA)?
• Is there a way to skip this Chrome reCAPTCHA step and verify OTP directly in the app?
• Does the Play Store install or signing have anything to do with this behavior?

User enters a phone number → OTP is sent and received → verified inside the app


Solution

  • The documentation outlines the situations where a reCAPTCHA will be used. The following is redacted slightly:

    reCAPTCHA verification: In the event that Play Integrity cannot be used, such as when a user has a device without Google Play services installed, Firebase Authentication uses a reCAPTCHA verification to complete the phone sign-in flow.

    Some scenarios where reCAPTCHA is triggered:

    • If the app is not distributed through Google Play Store (on Authentication SDK v21.2.0+).

    You asked:

    My Questions: Do I need to publish the app on the Play Store for OTP verification to work smoothly (without browser reCAPTCHA)?

    Based on the documentation, if Play Integrity can't be used (which sounds like the case) the answer seems to be "yes" - you need to publish on the Play Store.

    If you're wondering why Play Integrity isn't working for you, I suggest reviewing the Play Integrity API documentation, which makes it clear that it also only works when the app is downloaded from the Play Store (emphasis mine):

    When a user performs an action in your app, you can call the Play Integrity API to check that it happened in your genuine app binary, installed by Google Play, running on a genuine Android device.

    I think you can expect to keep seeing reCAPTCHAs until you publish.