Disallow developers from accessing private keys in MPC

Hello, I wanted to make a feature request for the MPC version of Web3Auth. Is there a plan to include a function that disallows developers from accessing private keys? This would provide a higher level of security for users and ensure that private keys are not accessible to apps.

As mentioned by a member of Magic, "Revealing the private key is a highly-sensitive user action and thus we do not allow integrating developers to access the private key." It would be great if this principle could be extended to the MPC version of Web3Auth.
magiclabs/magic-js#167

In addition, it would also be beneficial if users could still retrieve their private keys through the Web3Auth site, even if they are unable to do so through the integrated app. This would provide an extra layer of security and give users peace of mind.



Originally posted by: enu-kuro

Check the discussion at: https://github.com/orgs/Web3Auth/discussions/1339

This is and will be a part of the MPC version available via self-host.



Originally posted by: YZhenY

How about this?

By having the Torus nodes not return the social login share and only allowing access to the private key upon a user explicitly providing the backup share to an app which has a dapp share, except when the backup share is generated, this would effectively prevent developers from accessing the private key without the user's permission.



Originally posted by: enu-kuro
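
The share arrangement proposed in the last post can be illustrated with a toy 2-of-3 Shamir split. This is an added example, not code from the thread or from Web3Auth; the share indices, the function names and the 2-of-3 threshold are assumptions made for the sketch.

```python
import secrets

# Field modulus: the secp256k1 group order, used here only as a convenient large prime.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Share indices are assumptions for this sketch, named after the shares in the post.
SOCIAL_LOGIN, DAPP, BACKUP = 1, 2, 3


def split(secret):
    """2-of-3 split: f(x) = secret + a*x mod P, one point of the line per share."""
    a = secrets.randbelow(P)  # uniform slope, so one point says nothing about f(0)
    return {x: (secret + a * x) % P for x in (SOCIAL_LOGIN, DAPP, BACKUP)}


def combine(shares):
    """Recover f(0) from exactly two distinct shares given as {index: value}."""
    if len(shares) != 2:
        raise ValueError("threshold is 2: exactly two distinct shares are required")
    (x1, y1), (x2, y2) = shares.items()
    return (y1 * x2 - y2 * x1) * pow((x2 - x1) % P, -1, P) % P


def slope_explaining(index, value, candidate):
    """Slope that makes `candidate` the secret behind a single share.

    One exists for every candidate, which is why an app holding only the
    dapp share cannot tell the real key from any other value.
    """
    return (value - candidate) * pow(index, -1, P) % P


if __name__ == "__main__":
    key = secrets.randbelow(P)  # constructed sample key
    shares = split(key)
    # App alone: dapp share only, below the threshold.
    try:
        combine({DAPP: shares[DAPP]})
    except ValueError as err:
        print("app alone:", err)
    # User explicitly supplies the backup share: threshold met.
    both = {DAPP: shares[DAPP], BACKUP: shares[BACKUP]}
    print("with backup share:", combine(both) == key)
```

In this model the social login share would complete the threshold just as the backup share does, which is why the proposal depends on the nodes not returning it to the app.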