Hi,
I am building an app where security is really important.
For the user authentication, I currently use the basic email/password auth with Firebase.
Firebase is as well used as my database.
I would like to enhance the security of my authentication flow, adding a deviceID factor in addition to the email/password factors.
Here is the flow idea:
I generate a deviceID (stored in secure storage) when a user creates an account on their current device.
When the user logs in later, it will check whether their current deviceID (if one exists in secure storage) is saved as a trusted device in the database.
If not trusted, an OTP challenge will be triggered. If it succeeds, the current device will be added to the list of trusted devices.
Some people do that locally, but it is not secure (the Firebase auth API is still available with only email/password, bypassing the app UI).
I am looking for a solution to integrate the deviceID factor to an authentication flow.
Research I have done:
Firebase blocking functions: unfortunately we cannot pass custom parameters, and the native values of the event parameters (IP address, userAgent...) are not robust/secure enough
Firebase cloud functions: not directly correlated to the authentication flow, so the Firebase auth API will remain available with only email/password, bypassing the app UI
Supabase: does not offer custom authentication, and its serverless functions have the same issue as Firebase cloud functions
Local custom actions: same issue as cloud functions
Promising trails:
The Firebase custom token allows connecting a user and using the Firebase services, which is great given that the Firebase integration is nice in FlutterFlow.
It involves either:
creating my own auth backend, which could cause security flaws (given I am not an expert) and also adds more code to manage
or using an external auth provider (Clerk, Auth0, Amazon Cognito...)
Has someone already solved this kind of issue for their app?
Has someone already integrated Clerk, Auth0 or Cognito as a custom authentication provider in their FlutterFlow app?
Thanks in advance for your replies; I am sure this security question could help many FlutterFlow users enhance the security of their apps.