Authentication in Mobile Apps
User authentication is a critical feature for most apps. Let's explore secure authentication methods and best practices for implementing login systems.
Authentication Methods
- Email/Password: traditional login form
- Social Login (OAuth 2.0): Google, Facebook, Apple, GitHub
- Biometric Authentication: fingerprint, Face ID, iris scan
- Magic Link / Passwordless: email link, SMS code
React Native: Firebase Auth
import auth from '@react-native-firebase/auth';

// Email/Password Sign Up
const signUp = async (email, password) => {
  try {
    const result = await auth().createUserWithEmailAndPassword(email, password);
    console.log('User created:', result.user.uid);
  } catch (error) {
    // error.code (e.g. 'auth/email-already-in-use') is the stable field to branch on
    console.error('Sign up error:', error.message);
  }
};

// Email/Password Sign In
const signIn = async (email, password) => {
  try {
    const result = await auth().signInWithEmailAndPassword(email, password);
    console.log('Signed in:', result.user.uid);
  } catch (error) {
    console.error('Sign in error:', error.message);
  }
};

// Sign Out
const signOut = async () => {
  await auth().signOut();
};

// Listen for auth state changes; the returned function unsubscribes the listener
const unsubscribe = auth().onAuthStateChanged(user => {
  if (user) {
    console.log('User is signed in:', user.uid);
  } else {
    console.log('User is signed out');
  }
});
Flutter: Firebase Auth
import 'package:firebase_auth/firebase_auth.dart';

// Email/Password Sign Up
Future<void> signUp(String email, String password) async {
  try {
    final result = await FirebaseAuth.instance
        .createUserWithEmailAndPassword(email: email, password: password);
    print('User created: ${result.user?.uid}');
  } on FirebaseAuthException catch (e) {
    // e.code (e.g. 'email-already-in-use') is the stable field to branch on
    print('Sign up error: ${e.message}');
  }
}

// Email/Password Sign In
Future<void> signIn(String email, String password) async {
  try {
    final result = await FirebaseAuth.instance
        .signInWithEmailAndPassword(email: email, password: password);
    print('Signed in: ${result.user?.uid}');
  } on FirebaseAuthException catch (e) {
    print('Sign in error: ${e.message}');
  }
}

// Sign Out
Future<void> signOut() async {
  await FirebaseAuth.instance.signOut();
}

// Listen for auth state changes; cancel the subscription when no longer needed
final subscription = FirebaseAuth.instance.authStateChanges().listen((User? user) {
  if (user != null) {
    print('User is signed in: ${user.uid}');
  } else {
    print('User is signed out');
  }
});
Security Best Practices
- Never store passwords in plaintext: keep only a password hash produced by a slow, salted algorithm (bcrypt, Argon2)
- Use HTTPS: always encrypt data in transit
- Token expiration: give tokens an expiry and implement refresh token rotation
- Secure storage: keep tokens in the platform's secure storage (iOS Keychain, Android Keystore), not AsyncStorage
- Biometrics: offer biometric authentication for user convenience