3

I have the following mobile app scenario based on a Firebase backend:

  • Two or more mobile app instances communicate with each other through a central service (trusted). The apps are paired by exchanging a shared secret, e.g. through scanning a QR code or entering a pairing code.
  • Users are anonymous, ie no signup required (or possible). Essentially, it is the specific app on a specific device that is paired with a ditto counterpart (vs user-to-user).
  • Information exchanged is sensitive but has no intrinsic value: It must be possible to trust that information comes from a given device and it must be possible to trust that the information has reached the intended device and not an impersonating device. But it is not a critical problem that an app instance's information is lost, e.g. if the app is removed or the device is destroyed (an annoyance that requires re-pairing, but not a critical issue).

It seems Firebase Anonymous Auth is a perfect match for this scenario - but the documentation hints that it should only be used as a temporary solution until users create an actual account. Are there any drawbacks to using anonymous auth as the sole authentication method for the solution? The alternatives I see are some kind of hack using a custom token-based login or perhaps email/password auth.

samthecodingman
  • 23,122
  • 4
  • 30
  • 54
Ae Yppek
  • 85
  • 1
  • 1
  • 4

1 Answers1

5

Are there any drawbacks to using anonymous auth as the sole authentication method for the solution?

There isn't unless the user uninstalls the app.

The documentation hints that it should only be used as a temporary solution until users create an actual account.

Why a temporary solution? It's because anonymous accounts do not persist across application uninstalls. If a user uninstalls the app, everything that was saved locally will be deleted, including the anonymous auth token that identifies that account. Unfortunately, there is no way to reclaim that token for the user.

The alternatives I see are some kind of hack using a custom token-based login or perhaps email/password auth.

IMHO, the best approach would be to use anonymous authentication but to also let the user the possibility to link their account with email and password or any other providers, like Google, Facebook, Instagram, and so on.

Alex Mamo
  • 130,605
  • 17
  • 163
  • 193
  • 2
    To tack onto the temporary solution point, Anonymous Auth is particularly volatile when used in a browser - all a user would need to do is use a different browser or browser profile, or clear their cache (which could be automated by some policy) to invalidate their previous token. In the case of applications, as Alex covered, install and reinstall would be effectively the same as swapping browsers. – samthecodingman Oct 30 '21 at 11:10
  • 1
    Excellent input, AlexMamo and samthecodingman - thanks! – Ae Yppek Oct 30 '21 at 12:03
  • how to make sure / how is it ensured that the anon user token really lives as long as the app lives on the device? Might there be unintended signouts, e.g. when the user closes the app, or when it‘s getting offloaded? – Adrian Föder Apr 13 '23 at 07:50
  • 1
    @AdrianFöder When a user closes the app, it doesn't mean that will be signed out. But yes, an unintended signout, will have the same effect, the user will lose the token. – Alex Mamo Apr 13 '23 at 08:34