0

I am using Firebase Authentication only with the Email provider. I haven't published my app yet, but when I test the app with different devices/emulators I am able to log in to the app with the same email address/ID. I don't want this behavior because it is not a safe way. I only want a user to be able to log in with an email address on a single device. Is it possible to do this in Firebase security rules?

Frank van Puffelen
  • This topic has been covered a few times before, so I recommend reading some of these: https://stackoverflow.com/search?q=%5Bfirebase-authentication%5D+only+one+device – Frank van Puffelen Jan 27 '21 at 14:39

1 Answer

3

> I don't want this behavior because it is not a safe way.

I don't know why you would say that, but I'm aware of one fact. I'm using my Gmail address on multiple devices and everything is very safe.

> I only want a user to be able to log in with an email address on a single device.

I'm wondering why you would do that. How about the situation when the user loses the device? Wouldn't you want the user to be able to use your app from another device? How about the situation in which you store some data in the database? Are you willing to tell the user that the information is lost?

> Is it possible to do it in Firebase security rules?

You can think of a solution to secure that, but I don't think it's a good option to go ahead with. Secure your app using Security Rules as much as possible, but leave the user the option to access your app from multiple devices.

Edit:

> What if someone who knows the user's email address and password can log in to the app and see all the user's data?

This can happen in the case of any app. If you lose the credentials, your app may be compromised. However, you can implement a two-step verification if you'd like, but still, let the user access your app from multiple devices.

Think of a situation in which your phone is lost and you have a really important email to read. Would you like to be able to read that email from a friend's device instead of losing it forever?

> Would such an event be the fault of the user or the developer?

I don't know how it can be a developer's fault if someone loses the credentials of an app. Is it Google's fault if you lose your email credentials?

Alex Mamo
  • Thank you for your informative answer. I thought that because the users' data is very crucial for them, it would be nice to disable login from different devices for security purposes. For example, what if someone who knows the user's email address and password can log in to the app and see all the user's data? Doesn't this make the app less secure? Would such an event be the fault of the user or the developer? – Abdulsamet Kılınçarslan Jan 27 '21 at 13:17
  • Please see my updated answer. – Alex Mamo Jan 27 '21 at 13:56