FR: Authentication with only email (no password)

[mesqueeb]

Dear Firebase community,

I'd like to request for Authentication with only email (no password). I have some services users only vary rarely need to login and I don't want my users to set passwords. Just an email with a URL to login every time they want to login will do.
I think a lot of people would like this feature and there is currently a hack possible to achieve this, but I feel it'd be much better if this was an official option from Firebase.

Best regards,
-Luca Ban

[mono0926]

Now supported 🎉

https://firebase.google.com/support/release-notes/js#4.12.0

Added several APIs to support the new passwordless email sign in feature.

https://firebase.google.com/support/release-notes/ios#4.11.0

Adds new API to allow authentication using only an email link (Passwordless Authentication with email link).

[bojeil-google]

There are also sample codes for this for all 3 platforms:
https://github.com/firebase/quickstart-ios/blob/master/authentication/AuthenticationExample/PasswordlessViewController.m
https://github.com/firebase/quickstart-js/blob/master/auth/email-link.html
https://github.com/firebase/quickstart-android/blob/master/auth/app/src/main/java/com/google/firebase/quickstart/auth/PasswordlessActivity.java

[mesqueeb]

Thank you very much!

[forgr-owner]

@bojeil-google @mono0926 could we configure/customize the template who is send to the user ?

[bojeil-google]

Currently this is not possible to prevent abuse.

[ootpapps]

Thank you very much for the email only authentication and example.

I am struggling with the desktop experience and how to transition the user back to the app to complete the authentication flow. I understand the flow must be completed in-app, but I am struggling to address the risk that the user may jump to their desktop to confirm their email address.

Appears right now the only resolution would be to set up a webpage warning the user to click the email verification on the mobile device they began the authentication on... Is this correct?

Appreciated greatly.

[bojeil-google]

The feature was designed to allow completion on any device. It is not restricted to a single device. But if you want to restrict it, you can set up a landing webpage to warn the user to open the link on the same device.

[ootpapps]

Hi,
Thank you for the reply but I believe you misunderstood me. I don't want users to be restricted to a single device. How can I enable the email link to authenticate a user if they end up verifying their email via a desktop but started the authentication flow on a mobile device?

I am specifically referring to passwordless email sign-in only.

Thank you

[bojeil-google]

Not sure I understand. If they open the link on a desktop device, they will be redirected to the continue URL that you own and passed. You would complete sign in there (you would need to ask the user for their email again for security reasons). The user will basically start the flow on a mobile device and ends up getting signed in on a desktop browser.

[ootpapps]

Thanks for the reply. I must be missing the linkage between the webpage the dynamic link sends the desktop user to and completing the sign-in that started on the mobile device. I suppose I should look at using the JS components to sign in a user who started on mobile but moved to desktop to verify their email address? I believe this is relevant documentation: https://firebase.google.com/docs/auth/web/email-link-auth If not, could you please let me know a bit more detail? Really appreciate the confirmation that I'm headed the right way, or not...

On Thu, Jun 14, 2018, 6:24 PM bojeil-google ***@***.***> wrote: Not sure I understand. If they open the link on a desktop device, they will be redirected to the continue URL that you own and passed. You would complete sign in there (you would need to ask the user for their email again for security reasons). The user will basically start the flow on a mobile device and ends up getting signed in on a desktop browser. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#365 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGFU6B2X3pyA4QfXteybSK7_bpQiHZVWks5t8wy9gaJpZM4Q9Hps> .

-- *Ryan Park, CPA, CA * Founder, Out of the Park Apps http://www.ootpapps.com *Install the #1 Parental Control app on Android for **free now** & **please rate it 5 stars** - *https://goo.gl/5KL2BI

[bojeil-google]

I am not sure what to add but this option in the documentation specifies the landing page if the link is opened from a regular browser:
url: 'https://www.example.com/finishSignUp?cartId=1234',

On that page you can call the following logic to complete sign in:

if (firebase.auth().isSignInWithEmailLink(window.location.href) {
  // Get email...
  // ...
  // sign in.
  firebase.auth().signInWithEmailLink(email, window.location.href)
}

[ootpapps]

Thank you I will take a look at this, much appreciated

On Thu, Jun 14, 2018, 6:51 PM bojeil-google ***@***.***> wrote: I am not sure what to add but this option in the documentation specifies the landing page if the link is opened from a regular browser: url: 'https://www.example.com/finishSignUp?cartId=1234', On that page you can call the following logic to complete sign in: if (firebase.auth().isSignInWithEmailLink(window.location.href) { // Get email... // ... // sign in. firebase.auth().signInWithEmailLink(email, window.location.href) } — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#365 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGFU6ODI2zdC85amtGyt1DconE70Di5Iks5t8xMmgaJpZM4Q9Hps> .

-- *Ryan Park, CPA, CA * Founder, Out of the Park Apps http://www.ootpapps.com *Install the #1 Parental Control app on Android for **free now** & **please rate it 5 stars** - *https://goo.gl/5KL2BI

[ootpapps]

Seems I'm stumped. I set up the JS approach as described and got it working, however, even when the email is validated through the webpage, the flow will break when we go back to the mobile app. How can I pass the email link back to the mobile app? It is required to sign in with signInWithEmailLink(email,link). Is there a way to persist the email link on the mobile device in the case they start the process on mobile, verify on the web, and return to the mobile to login? This does not appear to be documented anywhere, though there is acknowledgement that verification may occur on a different device. So hopefully this use case is supported.

On Fri, 15 Jun 2018 at 07:11 Ryan Park ***@***.***> wrote: Thank you I will take a look at this, much appreciated On Thu, Jun 14, 2018, 6:51 PM bojeil-google ***@***.***> wrote: > I am not sure what to add but this option in the documentation specifies > the landing page if the link is opened from a regular browser: > url: 'https://www.example.com/finishSignUp?cartId=1234', > > On that page you can call the following logic to complete sign in: > > if (firebase.auth().isSignInWithEmailLink(window.location.href) { > // Get email... > // ... > // sign in. > firebase.auth().signInWithEmailLink(email, window.location.href) > } > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <#365 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AGFU6ODI2zdC85amtGyt1DconE70Di5Iks5t8xMmgaJpZM4Q9Hps> > . > -- *Ryan Park, CPA, CA * Founder, Out of the Park Apps http://www.ootpapps.com *Install the #1 Parental Control app on Android for **free now** & **please rate it 5 stars** - *https://goo.gl/5KL2BI

-- *Ryan Park, CPA, CA * Founder, Out of the Park Apps http://www.ootpapps.com *Install the #1 Parental Control app on Android for **free now** & **please rate it 5 stars** - *https://goo.gl/5KL2BI