 

Firebase SMS Verification / Authentication

For a client project I'm creating a simple hybrid app that serves a very simple function, yet will have high traffic. The app wouldn't normally need a backend, since it's very very simple, and firebase seems like a perfect solution for the project.

The only part where I'm stuck at is SMS Verification / Authentication with Firebase. However, after some intense googling and doc reading, I've come to realize that there's no easy way to do this. Here's what I've looked into so far:

  1. Fabric.io Digits has a great JS API, however for some reason Firebase and Digits won't play nicely together: https://groups.google.com/forum/#!topic/firebase-talk/sB7lPuyCVBQ
  2. Facebook Account Kit - Just a week ago, Facebook released a new kit for SMS Verification & Authentication, although it still feels like it has the same problem as Fabric.io Digits, at least until proven otherwise.
  3. Twilio / Nexmo via NodeJS - These are both epic services with great JS APIs, however from what I understand this would require a separate backend server to handle the JWT token exchange. And that on its own is another server, which would become the bottleneck during high traffic, and another point of vulnerability for security, which the client team would have to manage separately. Not the most pleasant.
  4. Twilio / Nexmo & Auth0 - So far this seems like the best option, where authentication & user management is handled by Auth0, however this solution can quickly get expensive given that both Twilio or Nexmo and Auth0 are paid solutions. Not that I'm a cheapo expecting things to work for free - but it feels like a very expensive extra step given that it is just to forward tokens. [see: clients-from-hell]
  5. I remember reading somewhere, a suggestion like using phone numbers as emails on firebase like: [email protected] and use the security codes sent over sms as password, which sounds very sketchy for many different reasons.

Usually with hybrid mobile apps, the non-native nature of them or JS APIs are to blame, but for the first time (for me at least) it feels like this isn't the case. I presume at this point Firebase isn't a valid option, but wanted to ask the loving and caring members of the community one last time before starting to look into AWS, and setting up an entire backend for the client.

Is there any other way to handle this type of authentication minus the middle-service / without a backend server? Does anyone have any experience using these solutions?


UPDATE: MAY 2017

Phone Verification & Authentication is now natively available in Firebase. See my self-posted answer below.


UPDATE: APR 2017

Firebase now natively supports Cloud Functions. You can now accomplish this and a lot more using Cloud Functions without setting up any servers.


UPDATE: OCT 2017

Fabric.io and Firebase have collaborated and integrated Digits into Firebase phone authentication, and launched more features for Fabric.

johnozbay Avatar asked Apr 18 '16 13:04



2 Answers

As of May 17, 2017, the amazing people at Firebase have baked Digits' phone authentication into Firebase. This is now incredibly easy to achieve natively within Firebase, more or less with the flip of a switch and without the need of an external service or anything alike. You can read more about it in the docs :)

johnozbay Avatar answered Oct 08 '22 14:10

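The client-side flow the answer points to, as an added example that is not code from the original post or from Firebase: it is written against the Firebase JS SDK v8 namespaced API (`auth.signInWithPhoneNumber(...)` followed by `confirmationResult.confirm(code)`). The `auth` object and reCAPTCHA verifier are injected as parameters so the flow can run offline against a constructed fake; in a browser you would pass `firebase.auth()` and `new firebase.auth.RecaptchaVerifier('sign-in-button', { size: 'invisible' })`.

```javascript
// Added example, not from the original post or from Firebase. `auth` and
// `appVerifier` are injected so the flow runs offline against the constructed
// fake at the bottom; in a browser pass firebase.auth() and a RecaptchaVerifier.

// E.164 as Firebase expects it: "+" then 2..15 digits, no leading zero.
const E164 = /^\+[1-9]\d{1,14}$/;
// Firebase SMS verification codes are six digits.
const SMS_CODE = /^\d{6}$/;

function isE164(phoneNumber) {
  return E164.test(String(phoneNumber));
}

// Step 1: have Firebase send the SMS. Malformed numbers are rejected before any
// network call, so a typo never spends SMS quota or a reCAPTCHA solve.
async function startPhoneSignIn(auth, phoneNumber, appVerifier) {
  if (!isE164(phoneNumber)) {
    throw new Error('phone number must be E.164, e.g. +15551234567');
  }
  // Resolves to a ConfirmationResult whose verificationId binds the code the
  // user will type to this particular SMS.
  return auth.signInWithPhoneNumber(phoneNumber, appVerifier);
}

// Step 2: trade the typed code for a signed-in user and return its uid. Wrong or
// stale codes reject with Firebase errors such as auth/invalid-verification-code;
// they are passed through so the UI can reset reCAPTCHA and let the user retry.
async function confirmSmsCode(confirmationResult, code) {
  const trimmed = String(code).trim();
  if (!SMS_CODE.test(trimmed)) {
    throw new Error('verification code must be exactly six digits');
  }
  const credential = await confirmationResult.confirm(trimmed);
  return credential.user.uid;
}

// Constructed stand-in for firebase.auth(), used only to run this flow offline.
function constructedFakeAuth(sentCode, uid) {
  return {
    signInWithPhoneNumber: async () => ({
      verificationId: 'constructed-verification-id',
      confirm: async (code) => {
        if (code === sentCode) return { user: { uid } };
        throw Object.assign(new Error('invalid code'), { code: 'auth/invalid-verification-code' });
      },
    }),
  };
}
```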


I can't speak to every integration you mentioned, but you might want to try out another one of Twilio's services, Authy.

We've recently released production ready code samples via tutorials to help people work through these kinds of problems.

One such example, which walks you through:

  • Sending a OneTouch push notification to the mobile Authy app, or
  • Sending a token through the mobile Authy app, or
  • Sending a one-time token in a text message sent with Authy via Twilio,

is the 2FA with Authy tutorial. The following Node.js snippet shows the endpoint waiting for the user status to be approved or denied. If the User has approved the OneTouch request, we will save their session as confirmed, which officially logs them in.

If the request was denied we render the /verify page and ask the User to log in with a Token.

```javascript
// Helper assumed from the rest of the sample: reply with an HTTP error code and message.
function error(response, code, message) {
    response.status(code).send({ error: message });
}

// Internal endpoint for checking the status of OneTouch
exports.authyStatus = function(request, response) {
    // Check for the session first: the original checked it only after touching it.
    if (!request.session) {
        return error(response, 404, 'No valid session found for this user.');
    }
    var status = (request.user) ? request.user.authyStatus : 'unverified';
    if (status == 'approved') {
        // Mark the session confirmed and respond only once the save has finished,
        // so a save error can never be sent on top of an already-sent response.
        request.session.confirmed = true;
        request.session.save(function(err) {
            if (err) return error(response, 500,
                'There was an error validating your session.');
            response.send({ status: status });
        });
    } else {
        response.send({ status: status });
    }
};
```

So, this indeed requires that you have a server. But if you give the sample a go, this should help you decide what will work best for your app.

Megan Speir Avatar answered Oct 08 '22 13:10
