Password-based sign-in remains a popular means of user authentication despite its weaknesses. For example, users frequently forget their passwords, requiring a password reset flow that can create friction for returning users; databases of passwords are routinely shared between bad actors; and, users often reuse insecure passwords across sites, which makes the problem of stolen passwords even worse. On the other hand, the password model of authentication is familiar to users and users expect to see it. For this reason, it's understandable that many developers want to implement some form of password-based sign-in in their apps.
Firebase and Google Cloud Identity Platform provide libraries to make password sign-in easy to implement for your users, but it's important to consider these authentication best practices to enable more secure sign-ins.
Add restrictions to your API keys
Before you launch your app, you should add additional restrictions to your API keys to limit the access they grant. Here are some steps you can take:
If you have a web client, set up a separate API key for that platform and restrict the API key to only allow requests from the servers that will host your app.
If you have your own server that you use to proxy traffic between your mobile apps and Google services, configure your API keys to only allow traffic from your servers’ IP address range.
One way to improve security for users who sign in with passwords Is to use password management tools:
In your Android and web apps, use One Tap sign-in, which helps users sign in frictionlessly with their Google accounts or their saved passwords. One Tap sign-in integrates well with Firebase Authentication and Cloud Identity Platform.
Recommend to your users that they use a password manager such as Chrome’s password manager or one of the other services that are available. These tools help users provision secure passwords and automatically fill them in on websites and apps.
Use multi-factor authentication (MFA) to protect sensitive information
If your app deals with sensitive information, the industry best practice, and our recommendation, is to require MFA for user sign-in. This is especially important if your app deals with information such as financial data or medical records. You can add a second factor to most of Firebase Authentication’s sign-in methods, including email address and password, with Google Cloud Identity Platform. To get started, enable Identity Platform in your project, then add MFA to your apps (iOS, Android, Web). Your existing Firebase Authentication code will continue to work after you enable Identity Platform.
Prefer social sign-in and email link sign-in to passwords
If you’re not using MFA, other strong options for user authentication with Firebase are to use one of the social sign-in providers supported by Firebase Authentication such as Google, Facebook, and Apple, or to use email link sign in.
Using a social sign-in provider lets you take advantage of the security infrastructure of well-audited identity providers, and also provides a better experience for users as a result of lower sign-in and sign-up friction. (See the docs for using Google Sign-in with Firebase for iOS, Android, Web, Unity, C++; Facebook, Apple, and other providers are also supported.) If you’re developing a new app and you anticipate your user base will be able to successfully sign in with one of these providers, we recommend making social sign-in your primary method of authentication.
Email link sign-in is preferred over password-based sign-in without MFA because it requires legitimate users to have access to their email account to successfully sign in. For this reason, if you already have users who are signing in with passwords and you choose not to use MFA, we recommend that you migrate your users to email link sign-in and disable password-based sign-in when you can. (See the docs for iOS, Android, Web, Unity, C++.)
Use phone authentication for users who don't use email
To serve users who don't have or use email addresses, Firebase and Google Cloud Identity Platform provide phone authentication services. This is the best solution for many user bases, but it has its own security caveats: possession of a phone number can be easily transferred between users, and, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device's phone number. (See the docs for iOS, Android, Web, Unity, C++.)
We recognize the ubiquity of the password model and we will continue working to improve the security of password based sign-in.
Some Firebase Android SDKs depend on Google Play services, which means they will only run on devices and emulators with Google Play services installed. These Firebase SDKs communicate with the Google Play services background service on the device to provide a secure, up-to-date, and lightweight API to your app.
Certain Android devices do not have Google Play services installed. Previously, this meant developers had to make use of work-arounds to be able to be able to use these Firebase SDKs on such devices.
Today, we are pleased to announce that as of version 20.0.0 of the Firebase Authentication Android SDK (which is included in version 26.0.0 of the Firebase Android BoM), Firebase Authentication no longer depends on Google Play services. This means it is now easy to securely access Firebase products like Cloud Firestore, Realtime Database, and Cloud Storage from any Android device.
So what does this mean for you?
Firebase handles all of this behind the scenes, so you won't have to make any changes to your code base. All you have to do is to update your Gradle dependencies to the latest version (26.0.0) of the Firebase Android BoM, recompile, and you're good to go.
dependencies {
// ...
// Import the Firebase BoM
implementation platform('com.google.firebase:firebase-bom:26.0.0')
// When using the BoM, you don't specify versions in Firebase library dependencies
// For example, declare the dependencies for Firebase Authentication and Cloud Firestore
implementation 'com.google.firebase:firebase-auth'
implementation 'com.google.firebase:firebase-firestore'
}
In case you've used a workaround to be able to use Firebase Auth on non-GMS devices, you can now remove this workaround from your app.
In order to remove the dependency on Google Play services without compromising security, the new version of the Firebase Authentication SDK for Android made some changes to Phone Number Authentication. In particular, Firebase must be able to verify that phone number sign-in requests are coming from your app. On devices with Google Play services installed, Firebase will use Android SafetyNet to establish the device as legitimate. If your app makes use of Phone Number Authentication, you should enable the SafetyNet API. In the event that SafetyNet cannot be used (for example, on devices without Google Play services), Firebase will use reCAPTCHA verification to complete the phone sign-in flow.
It is worth noting that the reCAPTCHA flow will only be triggered when SafetyNet is not available or the user's device doesn't pass suspicion checks. Nonetheless, you should ensure that both scenarios are working correctly. For example, you can call FirebaseAuth.getInstance().getFirebaseAuthSettings().forceRecaptchaFlowForTesting();
in your tests to force the reCAPTCHA flow. For more detail about testing, refer to the documentation, which goes into much more detail.
For a complete list of Firebase SDKs that require Google Play services, refer to this overview.
If you have feedback or want to contribute, you can find us on GitHub.
Over the past few months, we’ve seen that apps not only improve the way we live, they also enhance our ability to adapt to change. In 2020, more businesses and families have turned to apps to stay connected, productive, and entertained. At the same time, our developer community has stepped up to build and scale the apps people are relying on. Our team, alongside the rest of Google, has strived to be supportive in this moment. Our mission is to help you succeed by making it easy to build and operate apps.
Last year, we shared that 2 million apps actively use Firebase every month. Now, that number has grown to over 2.5 million monthly active apps, which includes global businesses like Gameloft and Alibaba, as well as innovative startups like Classkick. Classkick is a full-spectrum learning platform with a backend powered by our Realtime Database and supported by Google Cloud. When the COVID-19 pandemic forced schools to close, Classkick onboarded thousands of teachers and school administrators to their platform. With Firebase, they were able to scale to meet this new demand so students could continue to learn effectively from home and stay engaged with their teachers and classmates.
Classkick is helping students learn effectively from home
Classkick is just one example from our incredible community of how apps are helping people adapt to their new surroundings. It’s stories like these that inspire us to keep making Firebase better. Every year at Firebase Summit, we share updates on how we can help you accelerate app development, run your app efficiently, and tailor Firebase to suit your needs. Read on to learn what’s new at our digital Firebase Summit 2020, and view the sessions and resources on our summit website.
Accelerate app development with new building blocks
We’re continuing to invest in tools that speed up your app development so you can deliver value to your users in less time.
Introducing the Authentication emulator for rapid iteration and local development
Last year, we launched the Firebase Emulator Suite to let you run emulated versions of our backend products for a faster and safer development experience. A few months ago, we introduced you to the local emulator UI, which makes it possible to run services locally via a web app with a distinguishable UI, and comes with features like advanced data editing and searching. The Emulator Suite supports Hosting, Realtime Database, Firestore, Cloud Functions, and Cloud Pub/Sub - and now, we’ve added support for Firebase Authentication.
The Emulator Suite now includes support for Authentication
This means you can test the entire user management process - from user creation to Function trigger to sending updates to Firestore, and even fuzzy log searches to debug interactions between the emulators and your application - on your local machine. You can also use the new auth emulator to run integration tests that rely on authentication. The Emulator Suite, now with Firebase Authentication, allows you to shift to a local-first developer workflow so you can experiment and rapidly iterate without touching production data, incurring costs, or worrying that you’ll break something. Check out our documentation to get started.
New Hosting preview channels let you see changes before publishing
Web development can be cumbersome and complicated. With Firebase Hosting, you can deploy secure, fast-loading web apps and landing pages that are backed by a global CDN in less time, and with less hassle. Recently, we added new features that many of you have been asking for, including an integration with Cloud Logging to give you more server-side analytics, support for Brotli compression to boost your site performance, and improved support for localized content.
Our latest update to Firebase Hosting, preview channels, lets you see your changes before publishing them to your site. Now, you can deploy changes to a preview channel in seconds with a single command and generate an obscured unique URL to share with your team. Preview channels not only let you check that your changes look as intended right away, they also make collaboration quicker and easier even if you’re working across a distributed team. Try them out today!
Hosting’s new preview channels let you see changes before publishing
More Extensions for adding features and functionality
At last year’s Firebase Summit, we launched Firebase Extensions; pre-packaged solutions that automate common tasks in your projects and let you add new functionality in fewer steps. Since then, we’ve partnered with Stripe to release the Send Invoices using Stripe and the Run Subscription Payments with Stripe extensions. These extensions let you integrate the Stripe payments platform with Firebase without requiring you to learn Stripe’s API.
Today, we’re sharing a preview of another extension through our Alpha Program, called Detect Online Presence. Detect Online Presence shows you which users or devices are currently online and stores that data in Cloud Firestore. If you’re developing a game or a social app, you can use this extension to let your users know when their friends are online for a friendly match or chat. Join our Alpha Program to try it out!
Detect Online Presence is our newest Firebase Extension, available in Alpha
Get actionable insights to run your app efficiently
In addition to accelerating app development, Firebase provides actionable data so you can optimize your app - and ultimately, keep users happy.
Redesigned Performance Monitoring dashboard to help you focus on critical metrics
Any time you release a new version of your app, it’s important to pay attention to stability and performance metrics to ensure your users have a fast, high-quality experience. Firebase Performance Monitoring gathers and presents data about your app’s performance to show you exactly what’s happening in your app - and when users are encountering slowness. But sometimes, there’s so much information, it can be hard to focus on what’s important.
To help you hone in on key insights, we’re excited to unveil the redesigned Performance Monitoring dashboard. This new dashboard makes it crystal clear if one of your critical metrics needs attention so that you can take action, and it’s customizable, allowing you to bring the metrics you care about most to the forefront. We’ve made this dashboard available to everyone - just head on over to the console and add the metrics that matter to you.
The redesigned Performance Monitoring dashboard brings critical metrics to the forefront
New organizational and targeting tools for Remote Config
As people start using your app, you’ll want to delight them with new features, promotions, and personalization so they stick around. With Firebase Remote Config, you can dynamically alter your app, safely test and release new features, and stay in control of the whole experience - without having to publish a new version. However, as your project gets bigger, it might become hard to maintain and navigate through your app config. Over the past few months, we’ve added new features to help you better organize, visualize, and target your parameters so you can manage your app config more efficiently.
First, we added information about experiments into the Remote Config dashboard and launched parameter groups. Then, we made it possible to sort parameters alphabetically and enhanced the search tool. On top of that, we improved version targeting by making it available for iOS and adding support for semantic versioning, so you can use numeric operators like “>=” to target specific app versions without resorting to complicated regular expressions.
Improved version targeting in Remote Config
Most recently, we launched config metrics to give you more visibility into how your app configuration is behaving for users so you can find and fix incorrect configurations quickly. These config metrics include realtime fetch requests, which allow you to monitor rollouts of a new set of values, and fetch percentages, which show you the distribution of parameter values across users. For example, when you see a smaller fetch percentage for a condition than expected, it signals that the wrong users may be exposed to the intended values.
Real-time config metrics for Remote Config
Tailor Firebase to suit your needs as you scale
When your app and business grow, your development challenges may become more complex. We’re working to give you automation capabilities, such as Crashlytics BigQuery streaming, and more control and flexibility so you can adapt Firebase to fit your sophisticated needs.
New Google Analytics APIs for better data management
One of the key factors in scaling a successful app is knowing how your users are interacting with it. Our robust integration with Google Analytics helps you understand what actions users are taking inside your app, where they're spending their time, and why they churn -- so you can make smarter decisions. Last year, we announced a significant new upgrade in Google Analytics that gave you a single view of customer engagement across both native apps and web-powered ones. Since then, we’ve added new features like the setDefaultEventParameters and powerful new ecommerce measurement, which you can read about in this blog post.
Today, we're excited to announce three new APIs that give you more control so you can collect, record, and manage your data in a way that suits your growing business. The first one, the Google Analytics 4 Measurement Protocol, lets you log events directly to Google Analytics. This is especially useful for developers who want to augment their client-side data with server-to-server calls to gain new insights. For those of you who want to create your own custom dashboards, the Data API, which is the second new API, gives you programmatic access to your Google Analytics reporting data. Finally, the Admin API gives you the ability to configure your Analytics account and set user permissions.
Google Analytics 4 Measurement Protocol lets you log events directly to Google Analytics
Introducing imported segments for increased targeting flexibility
Over the years, we’ve seen many of you take advantage of our BigQuery integration by exporting data from Firebase, joining it with data from other channels, running sophisticated analysis - and even creating your own custom user segments in BigQuery. Now, we’re giving you the power to bring these custom segments back from BigQuery into Firebase with the launch of imported segments! This means you can target any custom segment with products like Remote Config, Cloud Messaging, and In-App Messaging. For example, if you have an ecommerce app and a physical storefront, you can import data from offline sources - like your store - and send those users an in-app promotion with In-App Messaging.
This feature is available through Firebase's BigQuery integration. To get started, simply create your custom segment and import it into your BigQuery dataset. Then, Firebase will be able to read that data and make those segments available for targeting. We built imported segments to give you more control and flexibility to target your users.
New imported segments let you bring custom segments from BigQuery into Firebase
Looking ahead
With these improvements to Firebase, we aim to make app development faster and easier so you can stay focused on creating the amazing app experiences that people need to stay productive, connected, and entertained. People are relying on your apps to adapt and thrive in our changing world. You can rely on us to build, operate, and scale successful apps - in 2020 and beyond.
For more resources and content from Firebase Summit 2020, be sure to check out our summit website, and if you’d like a sneak peek of what’s coming next, join our Alpha program.
We graduated the Firebase Crashlytics SDK to General Availability (GA) back in June, and today we are encouraging you to migrate your apps from the Fabric SDK to the Firebase Crashlytics SDK. On November 15th, we’ll be sunsetting the legacy Fabric SDK, meaning any apps that are still using the Fabric SDK will no longer report crashes.
Improvements made to the Firebase Crashlytics SDK
Android:
The Firebase Crashlytics SDK can now upload crashes after an app has closed, allowing you to receive crash data in more real time on Android! We've been tracking how the Firebase Crashlytics SDK performs, and we estimate the new SDK captures ~30% more Android crashes, and twice as many on the actual day of the crash.
Additionally, we streamlined our Crashlytics Gradle Plugin, with a new API in the build.gradle for managing and uploading mapping files and native symbol files. The total size of the plugin has also been reduced from 20+ MB to only 100 KB. In order to reduce build times the new plugin supports task configuration avoidance, and has improved up to date checking for gradle tasks. The new plugin will also support all modern Android Gradle Plugin features, such as cleaner support for disabling mapping file uploads of different flavors or buildtypes, and troubleshooting for 4.1+ versions of Android Studio.
We also improved our upload-symbols conversion speed. Customers with large dSYMs should see a significant decrease in the time it takes to upload Crashlytics symbols, going from an average of 12 minutes for a 600 MB dSYM down to ~45 seconds!
We also enabled tvOS and macOS apps to share the same Crashlytics installation as an iOS app. You can now configure apps with the same bundle ID to be part of the same project. Meaning crash reports from every OS will be shown in the same dashboard.
Overall improvements:
In addition to technical improvements, our new SDK has APIs (e.g., package names, initialization code) designed to be consistent with other Firebase products, while also getting rid of references to the now deprecated fabric.io namespace. For example, we changed the Crashlytics initialization statement to use new methods that are more consistent with how other Firebase services are initialized:
Fabric.with([Crashlytics.self])
is no longer needed. It is now sufficient to simply call:
FirebaseApp.configure()
It’s time for an upgrade!
To continue getting crash reports, please follow our upgrade guide here. As we mentioned during our SDK GA announcement, November 15th will be the last day to upgrade before the legacy SDK is shutdown.
Lastly, we would like to personally thank all of our users who have been part of this journey from Fabric to Firebase with us. We hope to keep providing an amazing crash reporting experience for you. As always, please let us know your thoughts, and tell us how we can improve Crashlytics.
Last year we announced that app developers could upgrade their Firebase projects to the next generation of app analytics. Upgrading enables them to view their app analytics data in Analytics and unlocks additional analysis capabilities.
Since then, we’ve expanded more Google Analytics features like automated and custom insights to also include app data so that you can more quickly identify key trends and anomalies from your app reporting. Earlier this year we introduced a gaming-specific Analytics experience to help mobile game developers more easily see how players move through the lifecycle. And to bring predictive insights to your site and app, we rolled out new predictive capabilities in Analytics – not only helping you reach customers most likely to purchase, but also giving you new ways to retain those less likely to return to your app via App campaigns in Google Ads.
We are continuing our investment in the app ecosystem and today, we are introducing new updates to Google Analytics that will help you get the insights you need to be ready for what’s next. Let’s take a look at some new features you can use when you upgrade.
View your app’s revenue sources together
The ability to measure all your revenue sources helps you monetize and grow your apps business. Soon, you’ll be able to view impression-level revenue data in Analytics from AdMob mediated revenue and from other third-party app advertising platforms – giving you a holistic view of your customers' lifetime value.
You can now view revenue from MoPub and ironsource in the new Analytics.
To get started, use the Google Analytics for Firebase SDK to log the ad_impression eventwhenever users see an ad impression. Be sure to include details such as the ad platform, source, currency and value.
With this revenue data now in Analytics, you can build audiences of high-value users and reach them for re-engagement campaigns. Third-party ad revenue will also soon be available as an experiment objective in A/B testing with Firebase. This way, you can test changes in user experience and see which drive more revenue through third-party platforms like MoPub or ironSource.
Use new custom dimensions and metrics
In the past, custom parameter reporting in Analytics for Firebase required you to register parameters for each event individually, which is time intensive and quickly uses up your quota. With event-scoped custom dimensions and metrics in the new Analytics, you only need to register each event once at the property level. You can also create and edit custom dimensions and metrics in the “All Events” section for your entire property. Plus, custom parameters you’ve previously created will automatically be upgraded to custom dimensions and metrics.
Create a custom dimension for your entire property.
Let’s say you’re a game app developer and you want your Analytics reports to show the levels at which users are starting, quitting, retrying, and ending your game. Previously, you’d need to register a custom event parameter for every single event. So with four events (starting, quitting, retrying, and ending) you’d have to register a parameter, “level,” four times. With the new Analytics, one single metric, “level,” is applied at the property level across all events — reducing the number of custom metrics your property uses.
Reach people with signed-in user insights
When users are signed in on your Android or iOS app, Analytics can help you connect the customer journey across platforms and devices with a special view in your reporting. Now, you can use those signed-in user insights to create relevant audiences and reach them with personalized messages in remarketing campaigns. And with the new Analytics, we’ve provided you with more granular controls for ads personalization so that you can choose when to use your data to optimize ads and when to limit your data use for measurement.
Let’s say you’re a lifestyle retail brand with a conversion rate on your mobile app that surpasses the rate on your website. Taking a closer look, you might notice a cohort of returning customers who visit your website for lifestyle content but never make a purchase. You can group the signed-in visitors into an audience and reach out to them with a marketing promotion, driving them to your app, where they have a higher likelihood to convert. For those who convert within the app, you can understand their complete customer journey across platforms and more effectively analyze the success of your promotion and adjust from there.
Upgrade to the new Analytics
The enhanced intelligence of Analytics provides additional revenue data to help improve your advertising strategy, simplified and efficient event measurement, and tailored experiences for increased conversion opportunities. If you aren't already using the new Google Analytics, upgrade to the new Google Analytics from the Firebase console today.
We’re excited to introduce two improvements to Remote Config’s app version targeting functionality - New semantic version number targeting and improved iOS version number targeting.
App version targeting is a powerful tool that helps you customize your app for users on specific versions. Whether it’s releasing a new feature behind a feature flag or running an A/B Test on your latest app version, Remote Config’s app version targeting makes this easy; all without needing to publish app updates. These new updates will help you target exactly the right versions of your Android and iOS apps.
Improved iOS version number targeting
Previously in Remote Config, our iOS version targeting was applied to your app’s
CFBundleVersion, which is commonly known as your app’s “build” number. This understandably generated some confusion! We’ve cleared up this confusion by renaming the previous iOS “version number” conditions to “build number” and introducing a new version condition for iOS, available in Firebase iOS SDK version 6.24.0 or above, that matches against your app’s CFBundleShortVersionString.
Semantic version number targeting
As developers, we’re constantly pushing out new versions of our apps. Often, we need to segment users who are on, above, or below a specific version number to enable some feature or fix. Writing regular expressions to target versions greater than or less than a specific version number is challenging and difficult to validate. That’s why we’ve made numeric operators like “greater than” and “less than” available for version number targeting!
Now it’s quick and easy to target versions of your app that came before, after, or exactly equal to a specific version number - no confusing regular expressions required! So for example if you want to target a fix for users between specific versions of your app, like version numbers after 1.2.3 but before 1.3.4, it's as easy as setting these two conditions in the console: Version >= 1.2.3, and Version < 1.3.4.
You can review our full set of targeting conditions here.
We hope you enjoy using the new version number targeting features, and let us know what you think! As always, you can reach out to us on StackOverflow or the official Firebase support site.
In what might be my shortest (but most exciting) blog post this year, we wanted to let you know that Cloud Firestore now has support for not-equal queries. This means you can now query, for example, all documents in a "Projects" collection where the project's status field is not equal to the value "completed"
On a similar note, Cloud Firestore also supports not-in queries, where you can query for documents where fields are not in a list of values. So you can, for example, find all documents in a "Projects" collection where the status isn't equal to "completed" or "dropped" with a single query.
Note that neither of these calls will allow you to fetch documents where this field doesn't exist. If a field is completely missing from a document, it will not be returned in your query results.
Notice that project 4593 does not get included in the results, because it has no owner field
When it comes to combining these not-equal operators with others in the same query, they have many of the same restrictions as other inequality operators (<, >=, etc.). You can't use a != operator against two different fields, for instance. Similarly, you can't use a != query on one field and then sort by a second field. And combining a != query in one field with a == query in another field requires your creating a composite index. Make sure to check out the official documentation for all the details.
This functionality is currently supported by the iOS, Android and Web client libraries, as well as the Node.js and Java server-side SDKs. Support for C++ and other server libraries is coming soon.
We hope this new addition makes it a little easier to develop Cloud Firestore-powered applications, and as always, if you have questions, please feel free to reach out on StackOverflow.