Password sign-in best practices

Password-based sign-in remains a popular means of user authentication despite its weaknesses. For example, users frequently forget their passwords, requiring a password reset flow that can create friction for returning users; databases of passwords are routinely shared between bad actors; and, users often reuse insecure passwords across sites, which makes the problem of stolen passwords even worse. On the other hand, the password model of authentication is familiar to users and users expect to see it. For this reason, it’s understandable that many developers want to implement some form of password-based sign-in in their apps.

Firebase and Google Cloud Identity Platform provide libraries to make password sign-in easy to implement for your users, but it’s important to consider these authentication best practices to enable more secure sign-ins.

Best practices

Add restrictions to your API keys

Before you launch your app, you should add additional restrictions to your API keys to limit the access they grant. Here are some steps you can take:

  • If you have a web client, set up a separate API key for that platform and restrict the API key to only allow requests from the servers that will host your app.
  • If you have your own server that you use to proxy traffic between your mobile apps and Google services, configure your API keys to only allow traffic from your servers’ IP address range.

Visit our Applying API key restrictions documentation to learn more.

Use and recommend password management tools

One way to improve security for users who sign in with passwords Is to use password management tools:

  • In your Android and web apps, use One Tap sign-in, which helps users sign in frictionlessly with their Google accounts or their saved passwords. One Tap sign-in integrates well with Firebase Authentication and Cloud Identity Platform.
  • Recommend to your users that they use a password manager such as Chrome’s password manager or one of the other services that are available. These tools help users provision secure passwords and automatically fill them in on websites and apps.

Implement a password policy

Identity Platform offers a password policy feature that help improve account security by enforcing password complexity requirements for new and existing users. To configure a password policy follow the steps listed in Use password policy.

Enable email enumeration protection

Email enumeration is a type of brute-force attack in which a malicious actor attempts to guess or confirm users in a system by passing an email address to the API and checking the response. Identity Platform offers a protection feature to protect user accounts in your app from enumeration attacks. To enable this protection, follow the instructions in Enable email enumeration protection.

Enable App Check

App Check uses attestation services to check that requests made to your project originate from your app or from an authentic, untampered device.

Use multi-factor authentication (MFA) to protect sensitive information

If your app deals with sensitive information, the industry best practice, and our recommendation, is to require MFA for user sign-in. This is especially important if your app deals with information such as financial data or medical records. You can add a second factor to most of Firebase Authentication’s sign-in methods, including email address and password, with Google Cloud Identity Platform. To get started, enable Identity Platform in your project, then add MFA to your apps (iOS, Android, Web). Your existing Firebase Authentication code will continue to work after you enable Identity Platform.

If you’re not using MFA, other strong options for user authentication with Firebase are to use one of the social sign-in providers supported by Firebase Authentication such as Google, Facebook, and Apple, or to use email link sign in.

  • Using a social sign-in provider lets you take advantage of the security infrastructure of well-audited identity providers, and also provides a better experience for users as a result of lower sign-in and sign-up friction. (See the docs for using Google Sign-in with Firebase for iOS, Android, Web, Unity, C++; Facebook, Apple, and other providers are also supported.) If you’re developing a new app and you anticipate your user base will be able to successfully sign in with one of these providers, we recommend making social sign-in your primary method of authentication.
  • Email link sign-in is preferred over password-based sign-in without MFA because it requires legitimate users to have access to their email account to successfully sign in. For this reason, if you already have users who are signing in with passwords and you choose not to use MFA, we recommend that you migrate your users to email link sign-in and disable password-based sign-in when you can. (See the docs for iOS, Android, Web, Unity, C++.)

Use phone authentication for users who don’t use email

To serve users who don’t have or use email addresses, Firebase and Google Cloud Identity Platform provide phone authentication services. This is the best solution for many user bases, but it has its own security caveats: possession of a phone number can be easily transferred between users, and, on devices with multiple user profiles, any user that can receive SMS messages can sign in to an account using the device’s phone number. (See the docs for iOS, Android, Web, Unity, C++.)

We recognize the ubiquity of the password model and we will continue working to improve the security of password based sign-in.