verifyPhoneNumber:UIDelegate:multiFactorSession:completion:
Firebase API reference
Regarding the above Firebase PhoneAuthProvider method, verifyPhoneNumber, when a verificationID is returned to the client through this method, what does that ensure? Does it ensure that this phone number is capable of creating and signing into Firebase Auth accounts? Furthermore, does it ensure this regardless of whether the client actually received an SMS code or not?
In other words, in order to sign into a Firebase Auth account using phone credentials, both this verificationID and the code sent to the client via SMS must be used in tandem. However, if all we want to do is ensure that this phone number is capable of creating and signing into a Firebase Auth account, is the act of getting a verificationID from this method sufficient to make that determination, regardless of whether or not the client actually received an SMS code?
2 Answers
I will try to break down my answer to your questions piece by piece.
When the verifyPhoneNumber method returns a verificationId to the client, it mainly ensures that a verification process has been initiated on the Firebase servers for that phone number specifically. To the best of my knowledge the process is:
No, the receipt of a verificationId alone does not ensure that a phone number is capable of creating and signing into Firebase Auth accounts.
Again, no. The verificationId itself does not ensure that the client has received an SMS code. This ID is returned when the verification process has been initiated successfully, but it does not guarantee that the SMS code has been delivered to or received by the client.
The purpose of the verificationId is to identify the verification process for a given phone number. It does not independently validate the phone number or confirm anything.
Correct.
No, the act of getting a verificationId from the verifyPhoneNumber method is not sufficient to make the determination that a phone number is capable of creating and signing into a Firebase Auth account.
Remember this if anything: the verificationId is a token that represents that a verification process has been initiated, but does not validate. The validation process comes in the second step, where the user receives said code, and inputs that code into the client application.
When a verificationID is returned to the client, it must not mean that the phone number is capable of creating and signing into Firebase Auth accounts. The verificationID is just an identifier that's associated with the phone number for this particular session. It's used to validate the user-provided verification code (sent via SMS) when they try to sign in.
If the client never receives the verification code via SMS, it could be because of several reasons such as network issues, carrier restrictions, or if the provided number is not capable of receiving SMS (like a landline).
To ensure that a phone number is capable of creating and signing into Firebase Auth accounts, the full process needs to be completed, i.e., the phone number needs to receive the SMS code and the user needs to enter it in conjunction with the verificationID.
So just obtaining a verificationID is not enough to ensure that a phone number can create and sign into a Firebase Auth account.
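The two-step flow both answers describe, as an added Swift example that is not part of the original question or answers. `PhoneVerifier`, `PhoneVerificationState` and `PhoneVerifierError` are hypothetical names introduced here; the Firebase calls are the iOS SDK's `verifyPhoneNumber`, `credential(withVerificationID:verificationCode:)` and `signIn(with:)`.

```swift
import FirebaseAuth

// Hypothetical types for this example; they are not part of the Firebase SDK.
enum PhoneVerificationState {
    case codeRequested(verificationID: String)        // session opened, nothing proven yet
    case verified(uid: String, phoneNumber: String?)  // code accepted, user signed in
    case failed(Error)
}
enum PhoneVerifierError: Error { case noPendingSession, missingResult }

final class PhoneVerifier {
    private(set) var state: PhoneVerificationState?

    // Step 1: start a verification session. A verificationID coming back only
    // means the session exists; SMS delivery is not confirmed by it.
    func requestCode(for phoneNumber: String,
                     completion: @escaping (PhoneVerificationState) -> Void) {
        PhoneAuthProvider.provider().verifyPhoneNumber(
            phoneNumber, uiDelegate: nil, multiFactorSession: nil
        ) { [weak self] verificationID, error in
            let next: PhoneVerificationState
            if let verificationID = verificationID {
                next = .codeRequested(verificationID: verificationID)
            } else {
                next = .failed(error ?? PhoneVerifierError.missingResult)
            }
            self?.state = next
            completion(next)
        }
    }

    // Step 2: combine the verificationID with the code the user typed in.
    // Only a successful sign-in shows the number can receive SMS and sign in.
    func submit(code: String,
                completion: @escaping (PhoneVerificationState) -> Void) {
        guard case .codeRequested(let verificationID)? = state else {
            completion(.failed(PhoneVerifierError.noPendingSession))
            return
        }
        let credential = PhoneAuthProvider.provider().credential(
            withVerificationID: verificationID, verificationCode: code)
        Auth.auth().signIn(with: credential) { [weak self] result, error in
            if let user = result?.user {
                let next = PhoneVerificationState.verified(
                    uid: user.uid, phoneNumber: user.phoneNumber)
                self?.state = next
                completion(next)
            } else {
                // Wrong or expired code: keep the pending session so the user can retry.
                completion(.failed(error ?? PhoneVerifierError.missingResult))
            }
        }
    }
}
```

Application logic that needs a proven phone number should branch on `.verified` only and treat `.codeRequested` as unproven.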