Agency Addressing Concerns About Web3Auth Integration for NFT Portal

Hey Web3Auth Community,

I recently commissioned an agency to develop an NFT portal and requested a Web3Auth integration to simplify the onboarding process for new users into Web3. The agency provided feedback on the pros and cons of Web3Auth, focusing on a few concerns highlighted below. I would greatly appreciate your insights and recommendations on the best approach.

Highlighted Concerns:

  1. Automatic Approval of Transactions: One major concern is that Web3Auth automatically approves transactions and signs signatures on behalf of users. This can pose significant security risks, as it reduces user control and awareness over their transactions.
  2. NFT Visibility: Users utilizing the Ethereum PrivateKeyProvider with Web3Auth might face issues where they are unable to view their NFTs in their wallets. This can lead to a poor user experience and confusion.

Suggested Alternatives:
The agency suggested using Web3Auth for the initial login and onboarding process but switching to a wallet-based approach (like MetaMask) for minting and transferring NFTs. This way:

  • Users have full control over their private keys and are responsible for approving each transaction, enhancing security and reducing the risk of unauthorized transactions.
  • Wallets like MetaMask are widely supported and ensure that users can view and manage their NFTs and other assets without compatibility issues.
  • This approach aligns more closely with the principles of decentralization, giving users sovereignty over their assets and reducing reliance on centralized services for key management.

Request for Advice:
Could you please suggest the best flow that suits my requirements? Specifically, I am looking for:

  1. The most secure and user-friendly onboarding process.
  2. Effective management and visibility of NFTs.
  3. Balancing ease of use with the principles of decentralization.

Thank you in advance for your assistance and suggestions! :upside_down_face:

Hi @Kai.Smith,

Thanks for reaching out. Let me gather all the details and provide you with precise information. In the meantime, I recommend checking out our documentation.

Thank you for pointing out the documentation. It seems there are still questions despite the documentation, otherwise, this forum wouldn’t exist :wink:

It was important for me to find out whether the agency’s claims are accurate because if they are, then Web3Auth might not be as beneficial for us as we originally thought.

Hi @Kai.Smith,

Nice to meet you! Borja, from the Web3Auth Business team here!

I see that you have a lot of reasonable doubts and some of the claims in that screenshot are not quite correct.

We will be more than happy to address all those doubts in a call with you and give you the best advice for your particular case.

Have a great day!

@Kai.Smith were your doubts cleared? Please let us know if you have any other doubts, happy to answer those.

Thank you very much. There was a call with you and our agency. Unfortunately, there were only salespeople on your side who could not answer the technical questions. However, they took note of the questions and were supposed to send us the answers. Unfortunately, this has not happened yet.

Okay, thank you for reverting back. Let me answer those two questions, and if you have any other questions, you can drop them below.

Automatic Approval of Transactions:
Web3Auth doesn’t approve any transactions on the user's behalf. Web3Auth provides a key management solution. When a user logs in using Web3Auth, the private key can be accessed on the frontend, where it can be used to sign and send transactions. As a developer or agency, they can always develop the screens to ask the user for approval of transactions and then sign the transactions. Consider that you are developing a console application to compute the sum of 2+2, which gives you the result as soon as you run it. But you can also develop a UI and a modal to ask for confirmation before doing the addition of 2+2. That’s what is happening over here.

Moreover, with the latest release of Web PnP SDK 8.7.0, you can now use the WalletServices plugin to show the approval screens. We’ll release the docs soon. Below is the screenshot from the Mobile SDK.

MetaMask is a third-party wallet, not a key management solution. Just as MetaMask asks the user for confirmation before signing transactions, you can do the same for Web3Auth.

NFT Visibility:
Again, MetaMask is a wallet, which means it’s supposed to show the assets, be it coins or NFTs. Web3Auth, on the other hand, is a key management service, which means that once you have the user’s private and public key after successful authentication, you can fetch all the assets, be it tokens or NFTs. You can use a service like Unmarshal.io. You can also use our WalletServices, which provides a prebuilt white-label UI for the wallet.

I’d like to conclude that you can have every functionality that MetaMask has with Web3Auth, but MetaMask can’t have every functionality that Web3Auth provides.

Social login: Onboarding is a major issue in the Web3 ecosystem. Remembering the mnemonic or private key is tough, and if you lose it, there’s no way to recover it. This results in loss of funds forever. Also, it’s complex to make Web2 users understand the private key/mnemonic and its importance. That’s why social login is key to onboarding new users, since they are already familiar with Web3 login flows.

MPC TSS: Apart from the SSS architecture, Web3Auth also provides the MPC TSS architecture. In MPC TSS, the private key is split into multiple partial keys, which are never stored together in one place. Furthermore, in the MPC architecture, the private key is never reconstructed, enhancing security. The partial keys are stored in different locations and the user’s device. These partial keys are used to create partial signatures for messages and transactions. These partial signatures are then combined using the Threshold Signature Scheme (TSS) to produce a final signature, which can be used for transactions on the blockchain. MPC Core Kit supports both secp256k1 and ed25519 curves, so you can generate both ECDSA and EdDSA signatures. Read more about MPC TSS.

NFT services: Web3Auth has recently added the NFT services to assist you in creating and deploying contracts, minting NFTs, and integrating a seamless fiat-based NFT Checkout experience for your users. You can either provide a free mint, airdrop NFTs to the user, or ask for payment in fiat/crypto. Read more about NFT services.

Wallet Services: With the Wallet Services plugin, you can use the templated wallet UI which. Apart from that, it also provides support for an on-ramp provider, with support in more than 100 countries. Read more about Wallet Services.

For Advice

  1. The most secure and user-friendly onboarding process: You can definitely use Web3Auth for a secure and user-friendly onboarding process using social login. Web3Auth doesn’t store any private key; private keys are mathematically generated based on the social login and the MFA the user has set up. For example, one share can be the social login, and another share can be the user’s device. Users can also add backup options and recover the wallet in case they lose the device.

  2. Effective management and visibility of NFTs: You can definitely use our WalletServices for better management and visibility of NFTs. If you wish to build your own custom UI, there are blockchain data APIs available which can help you, for example Unmarshal.io.

  3. Balancing ease of use with the principles of decentralization: Web3Auth is completely decentralised, and I think you have already gone through the docs on how we do that. Moreover, the nodes that Web3Auth uses are not run by a single entity. You can check the node operators.

@Kai.Smith does this answer your question? If not, let me know and we can schedule a call as well.
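
The point made in the reply above, that the application holding the key decides whether an approval step exists, shown as an added example (not code from this thread and not Web3Auth's own SDK code). It wraps a generic EIP-1193 provider so that signing methods are forwarded only after an explicit confirmation; `withApproval`, `describeRequest` and the `confirm` callback are hypothetical names for the app's own code.

```javascript
// Methods that sign with or spend from the user's key (standard JSON-RPC names).
const SIGNING_METHODS = new Set([
  "eth_sendTransaction",
  "eth_signTransaction",
  "eth_sign",
  "personal_sign",
  "eth_signTypedData_v4",
]);

// Turn a request into the facts the user must see before approving.
function describeRequest({ method, params = [] }) {
  if (method === "eth_sendTransaction" || method === "eth_signTransaction") {
    const tx = params[0] || {};
    return {
      method,
      to: tx.to || "(contract creation)",
      valueWei: BigInt(tx.value || "0x0").toString(),
      hasCalldata: Boolean(tx.data && tx.data !== "0x"),
    };
  }
  return { method, payload: params };
}

// Wrap any EIP-1193 provider so signing requests need an explicit "yes".
// confirm(summary) stands for the app's approval modal (hypothetical);
// it must resolve to exactly true for the request to go through.
function withApproval(provider, confirm) {
  return {
    async request(args) {
      // Read-only calls (eth_chainId, eth_call, ...) pass straight through.
      if (!SIGNING_METHODS.has(args.method)) return provider.request(args);
      let approved = false;
      try {
        approved = (await confirm(describeRequest(args))) === true;
      } catch (_) {
        approved = false; // fail closed if the approval UI errors
      }
      if (!approved) {
        const err = new Error("User rejected the request.");
        err.code = 4001; // EIP-1193 "User Rejected Request"
        throw err;
      }
      return provider.request(args);
    },
  };
}
```

Every code path that can reach the raw provider has to go through the wrapper; a component that keeps a reference to the unwrapped provider bypasses the approval step.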

Thank you! This helps a lot. We forwarded it to the agency. Again, thank you.

Sure, in that case closing this ticket. Feel free to open a new ticket if you need any more details, or schedule a call.
