向 Android 应用添加多重身份验证
本文档介绍如何向 Android 应用添加短信多重身份验证。
多重身份验证可提高应用的安全性。虽然攻击者通常会窃取密码和社交账号,但拦截短信的难度要大得多。
准备工作
请至少启用一个支持多重身份验证的提供方。每个提供方都支持 MFA,电话身份验证、匿名身份验证和 Apple Game Center 除外。
确保您的应用会验证用户的电子邮件地址。MFA 要求验证电子邮件地址。这可防止图谋不轨者使用别人的电子邮件地址注册服务,然后通过添加第二重身份验证因素来阻止真正的电子邮件地址所有者注册。
在 Firebase 控制台中注册应用的 SHA-1 哈希(您的更改将自动应用到 Google Cloud Identity Platform)。
按照对客户端进行身份验证中的步骤获取应用的 SHA-1 哈希。
打开 Firebase 控制台。
前往项目设置。
在您的应用下,点击 Android 图标。
按照引导步骤添加 SHA-1 哈希。
启用多重身份验证
前往 Google Cloud 控制台中的 Identity Platform MFA 页面。
前往 MFA在多重身份验证中,点击启用。
输入您将用于测试应用的电话号码。虽然并非必需,但我们强烈建议您注册测试电话号码,以免在开发过程中被节流。
如果您尚未向应用网域授权,请点击添加网域将其添加到许可名单中。
点击保存。
选择注册模式
您可以选择应用是否要求多重身份验证,以及何时和如何注册用户。一些常见模式包括:
在注册过程中注册用户的第二重身份验证。如果应用要求所有用户进行多重身份验证,请使用此方法。
提供可在注册期间跳过第二重身份验证注册的选项。如果应用鼓励但不要求进行多重身份验证,可以使用此方法。
提供从用户的账号或个人资料管理页面(而不是注册屏幕)添加第二重身份验证的功能。这样可以使注册过程更顺畅,同时仍可为注重安全的用户提供多重身份验证。
如果用户希望访问安全性要求更高的功能,再要求添加第二重身份验证。
注册第二重身份验证
如需为用户注册新的第二重身份验证,请执行以下操作:
重新验证用户身份。
让用户输入自己的电话号码。
为用户获取多重身份验证会话:
Kotlin+KTX
user.multiFactor.session.addOnCompleteListener { task -> if (task.isSuccessful) { val multiFactorSession: MultiFactorSession? = task.result } }Java
user.getMultiFactor().getSession() .addOnCompleteListener( new OnCompleteListener<MultiFactorSession>() { @Override public void onComplete(@NonNull Task<MultiFactorSession> task) { if (task.isSuccessful()) { MultiFactorSession multiFactorSession = task.getResult(); } } });构建一个
OnVerificationStateChangedCallbacks对象以处理验证过程中的不同事件:Kotlin+KTX
val callbacks = object : OnVerificationStateChangedCallbacks() { override fun onVerificationCompleted(credential: PhoneAuthCredential) { // This callback will be invoked in two situations: // 1) Instant verification. In some cases, the phone number can be // instantly verified without needing to send or enter a verification // code. You can disable this feature by calling // PhoneAuthOptions.builder#requireSmsValidation(true) when building // the options to pass to PhoneAuthProvider#verifyPhoneNumber(). // 2) Auto-retrieval. On some devices, Google Play services can // automatically detect the incoming verification SMS and perform // verification without user action. this@MainActivity.credential = credential } override fun onVerificationFailed(e: FirebaseException) { // This callback is invoked in response to invalid requests for // verification, like an incorrect phone number. if (e is FirebaseAuthInvalidCredentialsException) { // Invalid request // ... } else if (e is FirebaseTooManyRequestsException) { // The SMS quota for the project has been exceeded // ... } // Show a message and update the UI // ... } override fun onCodeSent( verificationId: String, forceResendingToken: ForceResendingToken ) { // The SMS verification code has been sent to the provided phone number. // We now need to ask the user to enter the code and then construct a // credential by combining the code with a verification ID. // Save the verification ID and resending token for later use. this@MainActivity.verificationId = verificationId this@MainActivity.forceResendingToken = forceResendingToken // ... } }Java
OnVerificationStateChangedCallbacks callbacks = new OnVerificationStateChangedCallbacks() { @Override public void onVerificationCompleted(PhoneAuthCredential credential) { // This callback will be invoked in two situations: // 1) Instant verification. In some cases, the phone number can be // instantly verified without needing to send or enter a verification // code. You can disable this feature by calling // PhoneAuthOptions.builder#requireSmsValidation(true) when building // the options to pass to PhoneAuthProvider#verifyPhoneNumber(). // 2) Auto-retrieval. On some devices, Google Play services can // automatically detect the incoming verification SMS and perform // verification without user action. this.credential = credential; } @Override public void onVerificationFailed(FirebaseException e) { // This callback is invoked in response to invalid requests for // verification, like an incorrect phone number. if (e instanceof FirebaseAuthInvalidCredentialsException) { // Invalid request // ... } else if (e instanceof FirebaseTooManyRequestsException) { // The SMS quota for the project has been exceeded // ... } // Show a message and update the UI // ... } @Override public void onCodeSent( String verificationId, PhoneAuthProvider.ForceResendingToken token) { // The SMS verification code has been sent to the provided phone number. // We now need to ask the user to enter the code and then construct a // credential by combining the code with a verification ID. // Save the verification ID and resending token for later use. this.verificationId = verificationId; this.forceResendingToken = token; // ... } };使用用户的电话号码、多重身份验证会话和回调初始化
PhoneInfoOptions对象:Kotlin+KTX
val phoneAuthOptions = PhoneAuthOptions.newBuilder() .setPhoneNumber(phoneNumber) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(MultiFactorSession) .setCallbacks(callbacks) .build()Java
PhoneAuthOptions phoneAuthOptions = PhoneAuthOptions.newBuilder() .setPhoneNumber(phoneNumber) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(multiFactorSession) .setCallbacks(callbacks) .build();默认情况下,系统会启用即时验证。如需将其停用,请添加对
requireSmsValidation(true)的调用。向用户的电话发送验证消息:
Kotlin+KTX
PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions)Java
PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions);虽然没有强制要求,但最好事先告知用户他们会收到短信,并需按标准费率支付短信费用。
短信验证码发出后,要求用户验证该验证码:
Kotlin+KTX
// Ask user for the verification code. val credential = PhoneAuthProvider.getCredential(verificationId, verificationCode)Java
// Ask user for the verification code. PhoneAuthCredential credential = PhoneAuthProvider.getCredential(verificationId, verificationCode);使用
PhoneAuthCredential初始化MultiFactorAssertion对象:Kotlin+KTX
val multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential)Java
MultiFactorAssertion multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential);完成注册。(可选)您可以为第二重身份验证指定显示名称。这对于具有多个第二重身份验证的用户非常有用,因为电话号码在身份验证流程中会被遮盖(例如 +1******1234)。
Kotlin+KTX
// Complete enrollment. This will update the underlying tokens // and trigger ID token change listener. FirebaseAuth.getInstance() .currentUser ?.multiFactor ?.enroll(multiFactorAssertion, "My personal phone number") ?.addOnCompleteListener { // ... }Java
// Complete enrollment. This will update the underlying tokens // and trigger ID token change listener. FirebaseAuth.getInstance() .getCurrentUser() .getMultiFactor() .enroll(multiFactorAssertion, "My personal phone number") .addOnCompleteListener( new OnCompleteListener<Void>() { @Override public void onComplete(@NonNull Task<Void> task) { // ... } });
以下代码展示了注册第二重身份验证的完整示例:
Kotlin+KTX
val multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential) user.multiFactor.session .addOnCompleteListener { task -> if (task.isSuccessful) { val multiFactorSession = task.result val phoneAuthOptions = PhoneAuthOptions.newBuilder() .setPhoneNumber(phoneNumber) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(multiFactorSession) .setCallbacks(callbacks) .build() // Send SMS verification code. PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions) } } // Ask user for the verification code. val credential = PhoneAuthProvider.getCredential(verificationId, verificationCode) val multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential) // Complete enrollment. FirebaseAuth.getInstance() .currentUser ?.multiFactor ?.enroll(multiFactorAssertion, "My personal phone number") ?.addOnCompleteListener { // ... } Java
MultiFactorAssertion multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential); user.getMultiFactor().getSession() .addOnCompleteListener( new OnCompleteListener<MultiFactorSession>() { @Override public void onComplete(@NonNull Task<MultiFactorSession> task) { if (task.isSuccessful()) { MultiFactorSession multiFactorSession = task.getResult(); PhoneAuthOptions phoneAuthOptions = PhoneAuthOptions.newBuilder() .setPhoneNumber(phoneNumber) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(multiFactorSession) .setCallbacks(callbacks) .build(); // Send SMS verification code. PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions); } } }); // Ask user for the verification code. PhoneAuthCredential credential = PhoneAuthProvider.getCredential(verificationId, verificationCode); MultiFactorAssertion multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential); // Complete enrollment. FirebaseAuth.getInstance() .getCurrentUser() .getMultiFactor() .enroll(multiFactorAssertion, "My personal phone number") .addOnCompleteListener( new OnCompleteListener<Void>() { @Override public void onComplete(@NonNull Task<Void> task) { // ... } }); 恭喜!您已成功为用户注册了第二重身份验证。
让用户通过第二重身份验证登录
如需让用户通过双重身份验证(包含短信验证)登录,请执行以下操作:
让用户通过第一重身份验证登录,然后捕获
FirebaseAuthMultiFactorException异常。此错误包含一个解析器,您可以使用该解析器获取用户注册的第二重身份验证。它还包含一个底层会话,可证明用户已成功通过其第一重身份验证。例如,如果用户的第一重身份验证是电子邮件地址和密码:
Kotlin+KTX
FirebaseAuth.getInstance() .signInWithEmailAndPassword(email, password) .addOnCompleteListener( OnCompleteListener { task -> if (task.isSuccessful) { // User is not enrolled with a second factor and is successfully // signed in. // ... return@OnCompleteListener } if (task.exception is FirebaseAuthMultiFactorException) { // The user is a multi-factor user. Second factor challenge is // required. val multiFactorResolver = (task.exception as FirebaseAuthMultiFactorException).resolver // ... } else { // Handle other errors, such as wrong password. } })Java
FirebaseAuth.getInstance() .signInWithEmailAndPassword(email, password) .addOnCompleteListener( new OnCompleteListener<AuthResult>() { @Override public void onComplete(@NonNull Task<AuthResult> task) { if (task.isSuccessful()) { // User is not enrolled with a second factor and is successfully // signed in. // ... return; } if (task.getException() instanceof FirebaseAuthMultiFactorException) { // The user is a multi-factor user. Second factor challenge is // required. MultiFactorResolver multiFactorResolver = task.getException().getResolver(); // ... } else { // Handle other errors such as wrong password. } } });如果用户的第一重身份验证是联合提供方(例如 OAuth),请在调用
startActivityForSignInWithProvider()后捕获错误。如果用户注册了多个第二重身份验证,请询问用户要使用哪一个:
Kotlin+KTX
// Ask user which second factor to use. // You can get the list of enrolled second factors using // multiFactorResolver.hints // Check the selected factor: if (multiFactorResolver.hints[selectedIndex].factorId === PhoneMultiFactorGenerator.FACTOR_ID ) { // User selected a phone second factor. val selectedHint = multiFactorResolver.hints[selectedIndex] as PhoneMultiFactorInfo } else if (multiFactorResolver.hints[selectedIndex].factorId === TotpMultiFactorGenerator.FACTOR_ID) { // User selected a TOTP second factor. } else { // Unsupported second factor. }Java
// Ask user which second factor to use. // You can get the masked phone number using // resolver.getHints().get(selectedIndex).getPhoneNumber() // You can get the display name using // resolver.getHints().get(selectedIndex).getDisplayName() if ( resolver.getHints() .get(selectedIndex) .getFactorId() .equals( PhoneMultiFactorGenerator.FACTOR_ID ) ) { // User selected a phone second factor. MultiFactorInfo selectedHint = multiFactorResolver.getHints().get(selectedIndex); } else if ( resolver .getHints() .get(selectedIndex) .getFactorId() .equals(TotpMultiFactorGenerator.FACTOR_ID ) ) { // User selected a TOTP second factor. } else { // Unsupported second factor. }使用提示和多重身份验证会话初始化
PhoneAuthOptions对象。这些值包含在附加到FirebaseAuthMultiFactorException的解析器中。Kotlin+KTX
val phoneAuthOptions = PhoneAuthOptions.newBuilder() .setMultiFactorHint(selectedHint) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(multiFactorResolver.session) .setCallbacks(callbacks) // Optionally disable instant verification. // .requireSmsValidation(true) .build()Java
PhoneAuthOptions phoneAuthOptions = PhoneAuthOptions.newBuilder() .setMultiFactorHint(selectedHint) .setTimeout(30L, TimeUnit.SECONDS) .setMultiFactorSession(multiFactorResolver.getSession()) .setCallbacks(callbacks) // Optionally disable instant verification. // .requireSmsValidation(true) .build();向用户的电话发送验证消息:
Kotlin+KTX
// Send SMS verification code PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions)Java
// Send SMS verification code PhoneAuthProvider.verifyPhoneNumber(phoneAuthOptions);短信验证码发出后,要求用户验证该验证码:
Kotlin+KTX
// Ask user for the verification code. Then, pass it to getCredential: val credential = PhoneAuthProvider.getCredential(verificationId, verificationCode)Java
// Ask user for the verification code. Then, pass it to getCredential: PhoneAuthCredential credential = PhoneAuthProvider.getCredential(verificationId, verificationCode);使用
PhoneAuthCredential初始化MultiFactorAssertion对象:Kotlin+KTX
val multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential)Java
MultiFactorAssertion multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential);调用
resolver.resolveSignIn()以完成第二重身份验证。然后,您可以访问原始登录结果,其中包括特定于提供方的标准数据和身份验证凭据:Kotlin+KTX
multiFactorResolver .resolveSignIn(multiFactorAssertion) .addOnCompleteListener { task -> if (task.isSuccessful) { val authResult = task.result // AuthResult will also contain the user, additionalUserInfo, // and an optional credential (null for email/password) // associated with the first factor sign-in. // For example, if the user signed in with Google as a first // factor, authResult.getAdditionalUserInfo() will contain data // related to Google provider that the user signed in with; // authResult.getCredential() will contain the Google OAuth // credential; // authResult.getCredential().getAccessToken() will contain the // Google OAuth access token; // authResult.getCredential().getIdToken() contains the Google // OAuth ID token. } }Java
multiFactorResolver .resolveSignIn(multiFactorAssertion) .addOnCompleteListener( new OnCompleteListener<AuthResult>() { @Override public void onComplete(@NonNull Task<AuthResult> task) { if (task.isSuccessful()) { AuthResult authResult = task.getResult(); // AuthResult will also contain the user, additionalUserInfo, // and an optional credential (null for email/password) // associated with the first factor sign-in. // For example, if the user signed in with Google as a first // factor, authResult.getAdditionalUserInfo() will contain data // related to Google provider that the user signed in with. // authResult.getCredential() will contain the Google OAuth // credential. // authResult.getCredential().getAccessToken() will contain the // Google OAuth access token. // authResult.getCredential().getIdToken() contains the Google // OAuth ID token. } } });
以下代码展示了让多重身份验证用户登录的完整示例:
Kotlin+KTX
FirebaseAuth.getInstance() .signInWithEmailAndPassword(email, password) .addOnCompleteListener { task -> if (task.isSuccessful) { // User is not enrolled with a second factor and is successfully // signed in. // ... return@addOnCompleteListener } if (task.exception is FirebaseAuthMultiFactorException) { val multiFactorResolver = (task.exception as FirebaseAuthMultiFactorException).resolver // Ask user which second factor to use. Then, get // the selected hint: val selectedHint = multiFactorResolver.hints[selectedIndex] as PhoneMultiFactorInfo // Send the SMS verification code. PhoneAuthProvider.verifyPhoneNumber( PhoneAuthOptions.newBuilder() .setActivity(this) .setMultiFactorSession(multiFactorResolver.session) .setMultiFactorHint(selectedHint) .setCallbacks(generateCallbacks()) .setTimeout(30L, TimeUnit.SECONDS) .build() ) // Ask user for the SMS verification code, then use it to get // a PhoneAuthCredential: val credential = PhoneAuthProvider.getCredential(verificationId, verificationCode) // Initialize a MultiFactorAssertion object with the // PhoneAuthCredential. val multiFactorAssertion: MultiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential) // Complete sign-in. multiFactorResolver .resolveSignIn(multiFactorAssertion) .addOnCompleteListener { task -> if (task.isSuccessful) { // User successfully signed in with the // second factor phone number. } // ... } } else { // Handle other errors such as wrong password. } } Java
FirebaseAuth.getInstance() .signInWithEmailAndPassword(email, password) .addOnCompleteListener( new OnCompleteListener<AuthResult>() { @Override public void onComplete(@NonNull Task<AuthResult> task) { if (task.isSuccessful()) { // User is not enrolled with a second factor and is successfully // signed in. // ... return; } if (task.getException() instanceof FirebaseAuthMultiFactorException) { FirebaseAuthMultiFactorException e = (FirebaseAuthMultiFactorException) task.getException(); MultiFactorResolver multiFactorResolver = e.getResolver(); // Ask user which second factor to use. MultiFactorInfo selectedHint = multiFactorResolver.getHints().get(selectedIndex); // Send the SMS verification code. PhoneAuthProvider.verifyPhoneNumber( PhoneAuthOptions.newBuilder() .setActivity(this) .setMultiFactorSession(multiFactorResolver.getSession()) .setMultiFactorHint(selectedHint) .setCallbacks(generateCallbacks()) .setTimeout(30L, TimeUnit.SECONDS) .build()); // Ask user for the SMS verification code. PhoneAuthCredential credential = PhoneAuthProvider.getCredential(verificationId, verificationCode); // Initialize a MultiFactorAssertion object with the // PhoneAuthCredential. MultiFactorAssertion multiFactorAssertion = PhoneMultiFactorGenerator.getAssertion(credential); // Complete sign-in. multiFactorResolver .resolveSignIn(multiFactorAssertion) .addOnCompleteListener( new OnCompleteListener<AuthResult>() { @Override public void onComplete(@NonNull Task<AuthResult> task) { if (task.isSuccessful()) { // User successfully signed in with the // second factor phone number. } // ... } }); } else { // Handle other errors such as wrong password. } } }); 恭喜!您已成功让使用多重身份验证的用户登录。
后续步骤
- 使用 Admin SDK 以编程方式管理多重身份验证用户。