Locked out of 2FA (1st ticket was closed prematurely)

Hi,
Let me forward what I received from the customer who is locked out of his account:

Hello,

I just found my reconnection password, but even when it’s the right password that is entered, it doesn’t work.

So, I would like to set the truth BECAUSE I don’t like being made to pass for a liar:

When I was trying to connect AT THE VERY BEGINNING with my Google Authenticator it didn’t work even when I was putting the right numbers.

How do I know?
Because it’s not the same error message that appears when I enter the correct numbers and when I enter random numbers.

Then I tried to use my ‘passkey’ fingerprint, which IS ON MY COMPUTER and which is CORRECT, but the same error message as when I entered the correct Google Authenticator numbers appeared.

Then I searched in my emails for the famous ‘RECOVERY PHRASE’, but it is nowhere to be found, and I have a very good memory: I NEVER RECEIVED IT.

Now, as stated above, I have found my “RECOVERY PASSWORD”, THAT DOESN’T WORK EITHER.

How do I know?
Because when I enter a password randomly the following message appears: “Incorrect password”, and when I enter my correct password THAT I FOUND, a different message appears: “Password Verification Failed”.

So to conclude, as I have been stating for more than a week, thirty messages exchanged, THERE IS A PROBLEM, A BUG, AS YOU WISH TO FORMULATE IT, WITH YOUR AUTHENTICATION SITE.

I would therefore like to be compensated by Web3Auth or Artrade, no matter which, but this situation is not going to stay there.

Previous ticket for more context: Locked out of 2FA

Thank you for the detailed context and for referencing the previous ticket: Locked out of 2FA.

Summary of the Issue:

  • Platform/SDK: Plug n Play (likely mobile, but please confirm if it’s React Native, iOS, Android, Unity, or Flutter)
  • Problem: End-user is locked out of their account due to 2FA issues. They are unable to log in using Google Authenticator, passkey (fingerprint), or their recovery password. They also report never receiving a recovery phrase.
  • Error Messages:
    • “Incorrect password” (for random password)
    • “Password Verification Failed” (for the password they believe is correct)
    • Google Authenticator and passkey attempts show a different error than random codes.
  • Recovery Attempted: User tried all available methods (Authenticator, passkey, recovery password) and searched for a recovery phrase but did not find one.

Key Points from Documentation:

  • Web3Auth splits the private key into multiple shares (Share A, B, C).
  • For 2FA accounts, at least 2 out of 3 shares are needed to recover access.
  • dApp Share (24-word seed phrase) is only available for custom verifiers and only if 2FA is enabled.
  • If the user never received or stored the recovery phrase (dApp Share), and cannot access via 2FA methods, recovery may not be possible.

Next Steps for Support:

  1. Confirm Platform & SDK Version:

    • Please specify which Plug n Play SDK and platform (React Native, iOS, Android, Unity, Flutter) your application is using. This will help us check for any platform-specific issues or recovery options.
  2. Custom Verifier Usage:

    • Is your integration using a custom verifier? The dApp Share (recovery phrase) is only available in this case. If not, recovery options may be limited.
  3. Recovery Phrase Delivery:

    • Can you confirm if your application ever displayed or emailed the 24-word dApp Share/seed phrase to the user during account creation or 2FA setup? If not, the user may not have had a chance to store it.
  4. Logs or Screenshots:

    • If possible, please share any relevant error logs or screenshots from the affected device (with sensitive info redacted).

Important Note:
Due to Web3Auth’s non-custodial design, if a user loses access to all 2FA methods and did not save their recovery phrase, account recovery is not possible by Web3Auth or the dApp operator. This is by design to ensure user security and privacy.

Proposed Solution:

  • If you confirm the above details and the user indeed never received or stored their dApp Share, unfortunately, account recovery is not possible.
  • If you find logs showing the dApp Share was generated and displayed, you might be able to guide the user to check device backups, screenshots, or emails for the phrase.

Please provide the requested details so we can further assist or confirm the final status for your user. Thank you!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours
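
The 2-of-3 threshold described in the reply above, as an added example that is not part of the original thread and is not Web3Auth's code: a generic Shamir split showing that any two shares rebuild the key while a single share fits every possible key. The prime field, the mapping of Share A, B, C to x-coordinates and all function names are assumptions made for the demo.

```python
import secrets

# Assumptions for this demo: prime field 2**521 - 1 and x-coordinates 1..3
# standing in for the reply's "Share A, B, C".
P = 2**521 - 1
X = {"A": 1, "B": 2, "C": 3}


def split_2_of_3(secret: int) -> dict[str, int]:
    """Hide `secret` as f(0) of a random line f(x) = secret + slope*x mod P."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    slope = secrets.randbelow(P)
    return {name: (secret + slope * x) % P for name, x in X.items()}


def recover(shares: dict[str, int]) -> int:
    """Lagrange-interpolate f(0) from two or more named shares."""
    if len(shares) < 2:
        raise ValueError("below threshold: one share determines nothing")
    secret = 0
    for ni, yi in shares.items():
        num = den = 1
        for nj in shares:
            if nj != ni:
                num = num * -X[nj] % P
                den = den * (X[ni] - X[nj]) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def slope_explaining(name: str, share: int, candidate: int) -> int:
    """Slope under which a lone share would belong to ANY candidate secret."""
    return (share - candidate) * pow(X[name], -1, P) % P


if __name__ == "__main__":
    key = secrets.randbits(256)  # constructed sample key
    shares = split_2_of_3(key)
    print("A+C recovers key:", recover({n: shares[n] for n in "AC"}) == key)
    guess = secrets.randbits(256)
    s = slope_explaining("B", shares["B"], guess)
    print("share B also fits a random guess:", (guess + s * X["B"]) % P == shares["B"])
```

Because every candidate key is equally consistent with one share, a party holding only one of the three cannot restore the account, which is the non-custodial property the reply relies on.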

Here are the screenshots that the user took



We can see “password verification failed” vs “incorrect password”. I get the incorrect password, but isn’t the “password verification failed” an issue on your side?