Key infrastructure is allegedly non-custodial, however the OAuth login process is confidential

My concern is the following: while the SDK Readme file states that this piece of infrastructure is “where passwordless auth meets non-custodial key infrastructure for Web3 apps and wallets”, in essence the derivation from a web2 login method to a web3 public address -therefore, the process of generating a private key from their social login credentials- remains private, only accessible to those with a Client ID. Users cannot verify what the derivation algorithm is, they cannot replicate it and, most importantly, if for any reason the service is no longer provided they cannot access their address any longer. In this regard, what is it that I am missing and actually makes this a non-custodial authentication system? Thanks in advance.

Hi Augusto, thanks for your thoughtful question and for referencing the documentation in detail!

You’ve raised an important point about the distinction between non-custodial key infrastructure and the transparency of the key derivation process, especially in the context of passwordless/OAuth-based authentication.

Key Points from Your Question

  • Concern: The derivation from a Web2 login (OAuth/social login) to a Web3 private key is not transparent to users. The algorithm/process is not public, and users can’t independently replicate or recover their keys if Web3Auth is unavailable.
  • Question: What makes Web3Auth’s system truly “non-custodial” if the key infrastructure relies on proprietary processes and ongoing service availability?

How Web3Auth Approaches Non-Custodial Key Management

1. Single Factor Auth (SFA)

  • How it works: When a user logs in via social login, Web3Auth uses Shamir’s Secret Sharing to split the private key and distributes shares across its network.
  • User Experience: The private key is reconstructed within your app after successful authentication.
  • Semi-Custodial Nature: As you noted, with SFA (1/1 share), the process is semi-custodial because it relies on OAuth credentials and Web3Auth’s infrastructure. If Web3Auth is unavailable, users may lose access unless they have upgraded to MFA.

2. Multi-Factor Authentication (MFA)

  • Upgrading Security: With MFA (2/3 key shares), users can store a share on their device and/or as a recovery share, providing a path to recover access without sole reliance on Web3Auth.
  • True Non-Custodial: This setup is closer to a truly non-custodial model, as users have independent control over at least one key share.

3. MPC Core Kit

  • Advanced Security: Uses a 2-of-3 threshold signature scheme (Web3Auth network share, device share, recovery share). The private key is never fully reconstructed, and users can recover access if any two shares are available.
  • Open Source: The MPC Core Kit SDKs are open source, so you can review the cryptographic processes involved: MPC Core Kit SDK Reference.

Addressing Your Core Concerns

  • Transparency: For SFA, the key derivation process is not fully public, and users do not have independent access to the derivation algorithm. This is a trade-off for seamless onboarding.
  • Replicability & Recovery: With SFA alone, if Web3Auth ceases operation, users may lose access. However, with MFA or MPC Core Kit, users gain more control and recovery options, aligning with non-custodial principles.
  • Non-Custodial Claim: The system is “non-custodial” primarily when MFA or MPC is enabled, as users control at least one share independently of Web3Auth.

What Can You Do for Maximum Non-Custodial Security?

  • Enable MFA in your integration so users can store a device or recovery share.
  • Consider using the MPC Core Kit for advanced use cases—this gives users and developers more transparency and control.
  • Review the open-source SDKs to understand the cryptographic operations.

In summary:
Web3Auth aims to balance user experience and security. SFA is semi-custodial for ease of use, but MFA and MPC Core Kit provide the non-custodial guarantees you’re seeking. If you want maximum user sovereignty and transparency, enabling MFA or using the MPC Core Kit is the recommended path.

If you have further questions or want to discuss implementation strategies, let us know!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend that you join our biweekly Office Hours to get this resolved even faster: Web3Auth Developer Office Hours
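
As an added illustration (not part of the original thread and not Web3Auth's code): plain 2-of-3 Shamir sharing over the secp256k1 scalar field, showing which user-held share combinations rebuild the key when the network share is unavailable. The share indices, the function names and the full key reconstruction (the reply says the MPC Core Kit never reconstructs the key) are assumptions of this sketch.

```python
# Added example: plain 2-of-3 Shamir sharing, not Web3Auth's implementation.
import secrets

# Order of the secp256k1 group; Ethereum private keys are scalars modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Share names follow the reply above; the x-coordinates 1..3 are an assumption.
HOLDERS = {"network": 1, "device": 2, "recovery": 3}

def split_2_of_3(secret):
    """Evaluate a random line f(x) = secret + a1*x (mod N) at each holder's x."""
    a1 = secrets.randbelow(N - 1) + 1  # non-zero slope, so shares differ
    return {name: (x, (secret + a1 * x) % N) for name, x in HOLDERS.items()}

def combine(share_a, share_b):
    """Recover f(0) from any two distinct shares by Lagrange interpolation."""
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 == x2:
        raise ValueError("two distinct shares are required")
    l1 = x2 * pow(x2 - x1, -1, N)  # Lagrange basis values at x = 0
    l2 = x1 * pow(x1 - x2, -1, N)
    return (y1 * l1 + y2 * l2) % N

def recover_without_network(shares, user_held):
    """Key the user can rebuild alone (network share unavailable), else None."""
    own = [shares[n] for n in user_held if n != "network"]
    return combine(own[0], own[1]) if len(own) >= 2 else None

def slope_explaining(share, candidate_secret):
    """One share fits every candidate key: return the slope that makes it fit."""
    x, y = share
    return (y - candidate_secret) * pow(x, -1, N) % N

if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1  # constructed sample key
    shares = split_2_of_3(key)
    for held in ([], ["device"], ["device", "recovery"]):
        ok = recover_without_network(shares, held) == key
        print(f"user holds {held or 'nothing'}: recovers offline = {ok}")
```

In this sketch a device share alone does not rebuild the key without the network share, because a 2-of-3 scheme needs two shares; the device plus recovery pair is the combination that works with no network involvement.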
