Firebase Auth Guide: Phone, Social, & Enterprise Authentication
Firebase Auth Guide: Phone, Social, & Enterprise Authentication
Quick Answer
Firebase Authentication is Google’s Identity-as-a-Service offering 50,000 free Monthly Active Users (MAUs), phone authentication, social login, and enterprise features via Firebase Authentication with Identity Platform. It’s ideal for mobile apps, anonymous-to-authenticated flows, and projects already in the Google Cloud ecosystem.
Executive Summary
Firebase Authentication has evolved from the “Google Identity Toolkit” into a dual-tiered system:
- Foundation Tier: Email/password, social login, phone authentication (suitable for rapid development)
- Advanced Tier (Identity Platform): MFA, SAML/OIDC, multi-tenancy, and deeper GCP integration
The platform excels in mobile-first scenarios with native SDKs for iOS, Android, and Flutter that handle complex authentication flows including device trust and biometric integration.
Key Specifications
| Attribute | Details |
|---|---|
| Official Name | Firebase Authentication / Firebase Authentication with Identity Platform |
| Documentation | firebase.google.com/docs/auth |
| Latest Innovation | Firebase Data Connect (PostgreSQL + GraphQL integration) |
| Primary Use Case | Mobile apps, consumer apps, Google Cloud integration |
Authentication Methods
Supported Methods
| Method | Status | Details |
|---|---|---|
| Email/Password | TRUE | scrypt hashing, custom password policies |
| Social OAuth | TRUE | Google, Apple, Facebook, Twitter, GitHub, Microsoft, Yahoo, Game Center, Play Games |
| Phone Authentication | TRUE | SMS OTP with reCAPTCHA/App Check protection |
| Anonymous Auth | TRUE | Create temporary UID, convert to permanent account later |
| Magic Links | TRUE | Email-based passwordless authentication |
| Account Linking | TRUE | Merge multiple auth methods into one account |
| MFA | TRUE (Identity Platform) | SMS, TOTP (Authenticator apps) |
| Passkeys | TRUE (Preview) | FIDO2/WebAuthn (FaceID, TouchID) |
Token Lifecycle
| Token Type | Purpose | Duration |
|---|---|---|
| ID Token | User identity proof | 1 hour (short-lived) |
| Refresh Token | Obtain new ID tokens | Long-lived (persists until sign-out/revocation) |
Platform Support
SDK Availability Matrix
| Platform | Official SDK | MFA Support | Passkeys | Notes |
|---|---|---|---|---|
| iOS | Swift/Obj-C | Yes | Yes | Requires APNs for Phone Auth |
| Android | Kotlin/Java | Yes | Yes | Requires Play Services, SHA-1 fingerprint registration |
| Web | JavaScript/TypeScript | Yes | Yes | SSR requires Service Worker pattern |
| Flutter | Dart (firebase_auth) | Yes | Planned | Wraps native SDKs |
| Unity | C# | Limited | No | Desktop dev support |
| C++ | C++ | Limited | No | Game engine focus |
Key Features
1. Anonymous Authentication
Firebase uniquely supports anonymous users—allowing apps to create data before requiring credentials:
- Use Case: Try-before-you-buy flows, shopping carts
- Conversion:
linkWithCredential()converts anonymous UID to permanent account - Preservation: Anonymous data (cart contents) merges into permanent account
2. Phone Authentication with Fraud Protection
- reCAPTCHA Integration: Invisible reCAPTCHA (web) or Play Integrity/App Attestation (mobile)
- SMS Toll Fraud Protection: Mandatory abuse protection
- Blocking SMS Regions: Configurable to disable traffic to expensive countries
3. Firebase Data Connect (2025 Innovation)
Bridges Firebase Auth with Cloud SQL for PostgreSQL:
- @auth Directive: Maps auth.uid directly to database columns
- Row-Level Security (RLS): Enforced at database level via CEL expressions
- Schema-First: GraphQL schema defines both data model and security policies
4. Blocking Functions (Identity Platform)
Synchronous hooks that can accept/reject authentication attempts:
beforeCreate: Enforce allow-lists, validate invitation codesbeforeSignIn: Ban checking, geo-fencing, custom claim injection
5. App Check
Protects your app from unauthorized requests:
- Device Attestation:
- Apple: DeviceCheck / App Attest
- Android: Play Integrity API
- Web: reCAPTCHA Enterprise/v3
- Protection: Prevents credential stuffing and unauthorized API calls
Pricing Analysis
Spark Plan (Free)
| Feature | Allowance |
|---|---|
| Email/Social MAU | 50,000 free |
| Phone Auth | Very limited / Pay-per-use |
| MFA | Not available |
Blaze Plan (Paid)
| Feature | Cost |
|---|---|
| MAU Pricing | ~$0.0025-0.0055 per MAU (above 50k free) |
| Phone SMS | Market rates per country (US: ~$0.01, others: $0.10+) |
| Identity Platform | Separate enterprise pricing |
Bill Shock Risk: SMS Toll Fraud
If a botnet targets your phone auth endpoint, it can generate thousands of SMS requests in minutes. Implement App Check to prevent this.
Best For
- Mobile Apps: Native SDKs for iOS/Android/Flutter with secure storage (Keychain/Keystore)
- Consumer Apps (B2C): Generous free tier, social login, anonymous auth
- Projects Using Google Cloud: Native integration with Firestore, Cloud Functions, Data Connect
- Anonymous-to-Auth Flows: Unique capability to convert anonymous sessions to permanent accounts
Avoid For
- Projects Needing Self-Hosted Identity: Firebase is cloud-only (except for specific enterprise scenarios)
- B2B SaaS Requiring SAML: Available only via Identity Platform enterprise pricing
- Cost-Sensitive High-Volume Phone Auth: SMS costs add up quickly; consider alternatives
Operational Constraints
Rate Limits
| Limit | Value |
|---|---|
| API Rate Limits | ~1,000 requests/sec (total ops) |
| Account Lookups | 900 req/min (getUser, getAccountInfo) |
| SMS Sending | 50/min per IP (anti-abuse threshold) |
Implementation Considerations
| Challenge | Solution |
|---|---|
| SSR + Firebase Auth | Use Service Worker to sync ID token to session cookie for server-side rendering |
| Token Verification Cost | Local crypto verification is unlimited (no rate limit) |
| Revocation Checking | Enabling checkRevoked: true adds network calls and latency |
Migration Path
Firebase supports importing users from legacy systems:
- Hash Algorithms: HMAC, PBKDF2, BCRYPT, SCRYPT (Firebase’s own)
- Bulk Import: Admin SDK for batch user creation
- Password Hashes: Import existing hashes without password resets
Conclusion
Firebase Authentication stands as a sophisticated, scalable, and secure IDaaS solution that significantly lowers the barrier to entry for secure app development. Its deep integration with Google Cloud—especially the new Data Connect service—makes it compelling for both rapid prototyping and enterprise deployments.
Verdict: Choose Firebase Auth for mobile apps, consumer applications, and projects already in the Google Cloud ecosystem. Consider alternatives (Supabase, Clerk, Auth0) if you need built-in B2B features or self-hosting.
Last Updated: January 20, 2026 Research Source: Firebase Auth Research Report