How to stop Instant verification in phone number verfication

[chitrey]

The phone authentication in firebase has two types of users on successful authentication as provided in the documentation:

Instant verification: in some cases the phone number can be instantly verified without needing to send or enter a verification code.

Auto-retrieval: on some devices, Google Play services can automatically detect the incoming verification SMS and perform verification without user action.

I would like to authenticate the users on the basis of sending SMS instead. So how could it be resolved. I would like to stop instant verification as well as auto retrieval and call the onCodeSent callback each time

Any help would be appreciated.

[samtstern]

@chitrey we don't currently have a way to disable the instant verification or auto retrieval. Both of those are based on SMS though, can you explain why you'd want to turn them off? In our user studies they greatly increase sign up conversion rate.

[samtstern]

Closing this issue as we are not planning to allow disabling this feature for now.

[Barackos]

@samtstern A good reason to allow disabling this feature is for debugging. I cannot recreate the call for "onCodeSent" anymore because of the Instant Verification, which makes it impossible for me to debug my "Enter your verification code" screen anymore. I tried uninstalling the app / removing its data and nothing helps. At least for debugging purposes, we have to have this option. Am I missing something here?

[samtstern]

@Barackos that's a good point. I'll make sure to add that to the feature request internally. One workaround is to use two devices. One one device (with no SIM) enter the phone number of the other device (with a SIM). Then you'll get the code flow.

[Aswindev]

Please make a way to disable instant verification, its a pain while debugging.

p.s. I wasted last 2 hours thinking i messed up my perfectly working program :(
Thank you for this thread, or i would've gone mad thinking it was my fault.

[McLeroy]

After verifying the code

PhoneAuthProvider.getCredential(verificationId,code);

onVerificationCompleted is never called. Why?

[samtstern]

onVerificationCompleted is only called when instant verification or auto-retrieval occurs.

[grrrian]

I'm interested in disabling instant verification for this reason: https://stackoverflow.com/q/45356169/3889068

[samtstern]

Looks like @isaisachen replied on StackOverflow.

[Jitesh291]

You can go to settings and disable you sim card. Enable it again and you should start getting verification codes. Though for instant verification I have not come across any way to disable that.

[isaisachen]

@Jitesh291 I'm confused. "disable your sim card... start getting verification codes" - so I assume it worked for you and you no longer got instant verification? And then what does your last sentence mean? You mean SMS auto-retrieval?

[Jitesh291]

@isaisachen Thing is when you try this for the first time you will get the otp code from Google but the next time you try it, it can cause instant verification to get active. So if you are debugging and having problem with not receiving otp code from google just disable your sim card and enable it again. This will help you in getting the otp codes from google again for one more time until you enter your code and instant verification gets activated again. Please note: I don't think there is any way you can disable instant verification as of now. But you can always optimize your code in a way it doesn't create any problem for you and your users.

[andersu]

Having the same problem, making it hard to debug the input screen. +1 for the feature request.

[0mar-ahmed]

I tried to pass 0 to timeout parameter in verifyPhoneNumber

docs says:
the maximum amount of time you are willing to wait for SMS auto-retrieval to be completed by the library. Maximum allowed value is 2 minutes. Use 0 to disable SMS-auto-retrieval. If you specifies a positive value less than 30 seconds, library will default to 30 seconds.

i've done that but nothing happened

[janosvig]

Same happens with me what Omar-ahmed mentions.

Passing 0 still the onCodeAutoRetrievalTimeOut gets called after 30 sec. Is this intended? I know I can do workaround to check if there is SIM available and then do call onCodeAutoRetrievalTimeOut manually. But this seems a bit hacky for me.

[anwarkamal317]

same is the case with me I tried to use 2 mobile phones by putting 1st mobile phone number in 2nd phone(where I am testing app) I get the code in 1st mobile I put it for verification but it is giving error of "invalid code"
PS: I am putting right code (tried many times)

[guruprakash119]

onVerificationCompleted is only called when instant verification or auto-retrieval occurs.
#296 (comment)
@samtstern please look on this issue

yes its getting call automatically after instant verification but,its not verify the number correctly
please look at this link i have explained the problem in detail,please have a look

https://stackoverflow.com/q/58909735/12072674

[meghna-me]

Please make a way to disable instant verification, its a pain while debugging.

p.s. I wasted last 2 hours thinking i messed up my perfectly working program :(
Thank you for this thread, or i would've gone mad thinking it was my fault.

I messed up my last 2 days at this! Refactored my whole code so that's a plus.

[azizainunnajib]

i got 3 days to face this probelm.. hahaha

[chitrey]

I had completely forgotten about this thread. I guess those two features are still not available to us developers who prefer "debugging" our app :D

[azizainunnajib]

solution to work with other phone cell is not really good. because i want to add feature to fill automaticly the OTP (for the first time). so hard to use other phone.

[manishpaul26]

Spent the whole day finding the cause for this and certainly a very annoying thing if you're debugging. There should be a way to disable this!

@Jitesh291 's solution worked for me.

Settings -> Sim and Network -> Sim (1 or 2) -> Disable it.

Open the app and now try, auto verification shouldn't happen.

[Sampath-Lokuge]

Can you tell me how to enable this feature to me? I have Samsung Galaxy S8 with Android 8. Here I cannot test this feature on my device. What should I do to enable this on my device because I would like to test how this works with my code?

[kylemccollom]

This is a cool feature, but many users are concerned and confused when they experience it. They do not realize the verification was a success, and they see the experience as insecure. This should be something that we can disable.

[chitrey]

Can you tell me how to enable this feature to me? I have Samsung Galaxy S8 with Android 8. Here I cannot test this feature on my device. What should I do to enable this on my device because I would like to test how this works with my code?

This is automatically done by Firebase. You need to enable "Phone Sign In" and your package name should match. Add debugging SHA1 key as well and you should start receiving the codes. And as everyone has already mentioned, we cannot disable the auto verification process. Sadness

[Sampath-Lokuge]

@chitrey You: Instant verification: in some cases the phone number can be instantly verified without needing to send or enter a verification code.

Me: How can I enable this? I can use normal Phone Auth and it always asks verification code. i.e. no instant verification.

[wuizard]

I found out this instant verification is dangerous.
Even when your SIM number is different with the number you use to login. You still get instant verification. Why don't you guys at least disable instant verification if the number is different with current device SIM number ?

or at least , give us developer disable feature

[takieddine12]

I guess there should be a way to disable it at least on temporary basis , me basically i prefer to receive the sms and verify it from the user side as well , then authenticate him

[Shawn1912]

Hahaha, its been 4 years and we still don't have a workaround for this issue!

[adifyr]

You also have an issue - firebase/firebase-android-sdk#2688 - where if the name of my app on the Play Store is longer than 15 characters, then auto-verification doesn't even work. So now, if I want to disable the auto-verification, I can't do that either? How is this not considered a priority issue?!

[jfbourne]

@Barackos that's a good point. I'll make sure to add that to the feature request internally. One workaround is to use two devices. One one device (with no SIM) enter the phone number of the other device (with a SIM). Then you'll get the code flow.

whats the status of this?

[tregix-tech]

Any update? 🙏

[rohit267]

All hail firebase, when we can't test the code in debug not sure how to proceed for production.

[aguli-moeving]

I found out this instant verification is dangerous. Even when your SIM number is different with the number you use to login. You still get instant verification. Why don't you guys at least disable instant verification if the number is different with current device SIM number ?

or at least , give us developer disable feature

This happens to me too.
I have iPhone with Sim A, that I use to login to my app on Android Phone with No Sim.
I get the OTP on ios and instant verification happens on the android.
I don't understand how can this happen? This seems very risky.

[KXTOD]

This has been a request for over 5 years now, any updates on this?

[rohanvasishth]

There should be a way to turn this off. As others have mentioned, there are some clear security risks and I don't really see it as a beneficial UX experience that outweighs these risks. The feature is great but it should be opt in.

[Jimlala]

This instant verification thing, without opt-out, is one of the worst features indeed.

[mhmas]

لاتعليق 🙃

[matej-podzemny]

any news? this feature broke my flow and I have no idea how to disable auto-retrieval on android...

[efstathiosntonas]

any updates on this one?

[RezaHabibi1001]

any update please !!!!!!!!!!!!

why are you not responding?

[chitrey]

any update please !!!!!!!!!!!!

why are you not responding?

They have already closed this stating they are not planning on implementing this feature anytime soon. I don't think there is anything we can do.

[adifyr]

Hi Firebase Team. This is your occasional reminder of how badly you've sh** the bed with your phone auth feature.

[mesqueeb]

I would like to request the ability to disable this feature. This is unintuitive for users and would require tremendous extra effort for us to handle this other way of authenticating users.

We need to have all our users just receive the auth code via SMS without instant verification.

[efstathiosntonas]

hey @mesqueeb, I'm using react-native-firebase and I have patched the setTimeoutto be 0, this way the auto verification does not kick in.

from docs:

val options = PhoneAuthOptions.newBuilder(auth)
    .setPhoneNumber(phoneNumber) // Phone number to verify
    .setTimeout(0, TimeUnit.SECONDS) // Timeout and unit <----- SET THIS TO 0 FROM 60L
    .setActivity(this) // Activity (for callback binding)
    .setCallbacks(callbacks) // OnVerificationStateChangedCallbacks
    .build()
PhoneAuthProvider.verifyPhoneNumber(options)

@react-native-firebase+auth+18.5.0.patch just for reference: click me

diff --git a/node_modules/@react-native-firebase/auth/android/src/main/java/io/invertase/firebase/auth/ReactNativeFirebaseAuthModule.java b/node_modules/@react-native-firebase/auth/android/src/main/java/io/invertase/firebase/auth/ReactNativeFirebaseAuthModule.java
index b6406f1..023277a 100644
--- a/node_modules/@react-native-firebase/auth/android/src/main/java/io/invertase/firebase/auth/ReactNativeFirebaseAuthModule.java
+++ b/node_modules/@react-native-firebase/auth/android/src/main/java/io/invertase/firebase/auth/ReactNativeFirebaseAuthModule.java
@@ -969,10 +969,10 @@ class ReactNativeFirebaseAuthModule extends ReactNativeFirebaseModule {
     if (forceResend && mForceResendingToken != null) {
       PhoneAuthProvider.getInstance(firebaseAuth)
           .verifyPhoneNumber(
-                phoneNumber, 60, TimeUnit.SECONDS, activity, callbacks, mForceResendingToken);
+                phoneNumber, 0, TimeUnit.SECONDS, activity, callbacks, mForceResendingToken);
     } else {
       PhoneAuthProvider.getInstance(firebaseAuth)
-            .verifyPhoneNumber(phoneNumber, 60, TimeUnit.SECONDS, activity, callbacks);
+            .verifyPhoneNumber(phoneNumber, 0, TimeUnit.SECONDS, activity, callbacks);
     }
   }
 }
@@ -1041,7 +1041,7 @@ class ReactNativeFirebaseAuthModule extends ReactNativeFirebaseModule {
       PhoneAuthOptions.newBuilder()
           .setActivity(activity)
           .setMultiFactorHint((PhoneMultiFactorInfo) selectedHint)
-            .setTimeout(30L, TimeUnit.SECONDS)
+            .setTimeout(0L, TimeUnit.SECONDS)
           .setMultiFactorSession(resolver.getSession())
           .setCallbacks(
               new PhoneAuthProvider.OnVerificationStateChangedCallbacks() {
@@ -1084,7 +1084,7 @@ class ReactNativeFirebaseAuthModule extends ReactNativeFirebaseModule {
       PhoneAuthOptions.newBuilder()
           .setPhoneNumber(phoneNumber)
           .setActivity(getCurrentActivity())
-            .setTimeout(30L, TimeUnit.SECONDS)
+            .setTimeout(0L, TimeUnit.SECONDS)
           .setMultiFactorSession(multiFactorSession)
           .requireSmsValidation(true)
           .setCallbacks(

[lernerb]

@samtstern It looks like there was a change in the last two weeks in the latest OS updates on Android that is causing over 50% of sessions to auto-verify. This is a BREAKING CHANGE to existing apps, causing developers to have to patch this as a live issue now. Can we PLEASE get a way to turn this off?