Locked out of 2FA

Hi,
One of my customers is locked out of his account because the 2FA (G-authenticator) is refused:

You can see the email address of my customer on the screenshot.
Can you please tell me what the steps are for my client to be able to log back in?

Thank you for the detailed context and the screenshot. Here’s a summary of the issue and the relevant details for the support team:
Issue Summary

  • User Problem: End-user is locked out of their account because their 2FA (Google Authenticator) code is being refused.
  • SDK Details: Plug n Play (PnP), but the exact platform (Unity, React Native, iOS, Android, Flutter) is not specified.
  • Screenshot Provided: Yes (shows email and error message during 2FA).
  • User Email: Visible in the screenshot (for support reference).

Key Details for Support

  • Type of Issue: 2FA/MFA lockout (Google Authenticator code not accepted).
  • Likely Flow: User is using 2FA enabled via Google Authenticator.
  • Relevant Documentation: dApp Share and recovery flows for PnP SDKs (see docs).
  • Recovery Share: If the user did not save their recovery share (dApp Share/seed phrase), account recovery is not possible due to Web3Auth’s non-custodial design.

Next Steps / Questions for You

To help the support team assist you faster, could you please confirm the following:

  1. Platform: Which SDK/platform is your app using? (Unity, React Native, iOS, Android, Flutter, or other)
  2. Recovery Share: Did the user save their recovery share (the 24-word dApp Share/seed phrase) during the initial 2FA setup?
    • If yes, they can use this to recover access.
    • If not, unfortunately, due to the non-custodial nature of Web3Auth, neither you nor Web3Auth can reset or bypass 2FA.
  3. Custom Authentication: Are you using a custom verifier, or is this the standard Web3Auth login flow?

Proposed Solution

  • If the user has their recovery share (dApp Share/seed phrase), follow the recovery process for your SDK as outlined in the docs:

  • If the user does not have their recovery share, they will not be able to regain access due to the non-custodial design.
Please reply with the SDK/platform you’re using and whether the user has their recovery share. This will help us guide you to the exact recovery steps or confirm the situation.

Let us know if you need more clarification or a step-by-step guide for your platform!

Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours

It’s not that the G-Auth code is refused but there’s an error message saying “account mismatch, please continue with one you set as a social recovery factor” but the user only had his email and his G-auth setup.

We’re using this: web3auth-web/packages/no-modal at v9.7.0 · Web3Auth/web3auth-web · GitHub
Can you please help us?

The steps are to log in with the same Google account that they used to set up MFA.
No additional steps other than that.

When he does this he gets this screen :

As the screen says, it’s the incorrect email account that they are assuming to be the right one.

The user told me it’s the only address he’s using, so there is little chance that it’s the wrong one.
Is there a way to reset the 2FA on your side?

hey @artrade
I see that the user is able to log in perfectly fine via the primary factor, which is the email mentioned and is possibly via their Google login.
When MFA onboarding is done there are a bunch of options that are asked from the user to set up. Among the different options given, ranging from GitHub, another email’s Google login, SMS passwordless etc., the user decided to set up passkeys and authenticator and also received the recovery phrase on an email which we make sure is not the same email as the primary login.
If the user, even after setting a bunch of MFA factors isn’t able to access any of them due to any reason, there’s not much we can do to “reset” their account.
We’re a self-custodial solution provider and we make sure that the custody rests on the side of the end-user and with the benefits that come with it, also comes the responsibility to the end user to keep their account safe.

I forward my customer’s message:
Unfortunately, this method doesn’t work. I never received a seed phrase, nor did I receive anything via text message. When I try with the passkey, this message appears

Can you at least ask them which email address they sent the seed phrase to, because I never received it.

Here’s another message from them:

Hello,

Could you please send another message to Web3auth regarding my issue and also ask them if they can send me another QR code or secret key (by email, for example) to create a new Google Authenticator, because when I use the current one, it doesn’t work.

Also, before, I didn’t need to authenticate myself on my computer.

I only logged in with the code I received by email. I don’t understand why it no longer works that way and WHY my Google Authenticator isn’t working.

Thank you in advance.

Hey @artrade, thanks for following up and for sharing your customer’s messages. Let me clarify a few things about how Web3Auth works:

1. Self-custodial by design

Web3Auth is a self-custodial system. That means we never store, resend, or regenerate user MFA factors such as the recovery phrase, recovery password, or authenticator seed. If we were able to do that, it would defeat the whole purpose of being self-custodial.

2. MFA setup process

During MFA onboarding, your customer would have been prompted to:

  • Enter an alternate email (not the same as the social login) where the recovery phrase was sent.
  • Optionally set up a recovery password and/or a passkey.
  • Configure another MFA factor such as Google Authenticator, if chosen.

If the screen says “account mismatch,” it means the account they are trying to use for recovery is not the same one that was originally configured as a backup factor.

3. Why we can’t “reset” MFA

We cannot send a new QR code, secret key, or recovery phrase. Those were generated and given during the user’s onboarding, and only the user had custody of them. Without those, there’s no way to bypass the screen — similar to how Gmail can’t recover an account if both the main password and all backup methods are lost.

4. What the user can try

  • Double-check the alternate email inbox (and spam/junk) for the recovery phrase.
  • Try the recovery password that was set during MFA.
  • If neither is available, unfortunately there’s no path to regain access to that account. The only option is to create a new account and this time make sure to keep all MFA factors safe.

I know that’s not the answer your customer was hoping for, but it’s important to understand: Web3Auth doesn’t lock people out by itself, nor can we “reset” user factors. This setup is what keeps accounts safe in case the primary login is ever compromised.
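The replies above rest on one property of the non-custodial design: the key is never held whole by any single party, so the provider has nothing it could "reset" or resend. The example below is added here to make that property concrete; it is not code from this thread or from Web3Auth's own SDK. It is a minimal 2-of-3 Shamir secret sharing over a prime field, and the assignment of the three shares to a provider, a device (the dApp Share) and a recovery factor is an assumed, simplified model of the factors the thread mentions, not a description of Web3Auth's actual share layout.

```python
import secrets

# Constructed parameter for the example: the secp256k1 group order, used as the field prime
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
THRESHOLD = 2  # any two shares reconstruct the secret; one share is useless alone


def split_secret(secret, n_shares=3, rng=secrets.randbelow):
    """2-of-n Shamir split: f(x) = secret + a1*x (mod PRIME), share i is (i, f(i))."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    a1 = rng(PRIME - 1) + 1          # random non-zero slope, so no share equals the secret
    return {x: (secret + a1 * x) % PRIME for x in range(1, n_shares + 1)}


def can_reconstruct(shares):
    """True only when at least THRESHOLD distinct, non-zero x-coordinates are present."""
    xs = set(shares)
    return len(xs) >= THRESHOLD and all(0 < x < PRIME for x in xs)


def reconstruct(shares):
    """Lagrange interpolation at x = 0 using the first THRESHOLD shares."""
    if not can_reconstruct(shares):
        raise ValueError("not enough shares to reconstruct")
    pts = list(shares.items())[:THRESHOLD]
    secret = 0
    for xi, yi in pts:
        num, den = 1, 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def single_share_reveals_nothing(share, candidate_secrets):
    """For one share (x, y), every candidate secret s admits a slope a1 with s + a1*x = y,
    so the share is consistent with all secrets and leaks no information about the real one."""
    (x, y), = share.items()
    for s in candidate_secrets:
        a1 = (y - s) * pow(x, -1, PRIME) % PRIME
        if (s + a1 * x) % PRIME != y:
            return False
    return True


def lockout_scenario():
    """Assumed 2-of-3 model: provider, device (dApp Share) and recovery factor each hold one share.
    Losing the device and recovery shares leaves only the provider's share, which cannot recover."""
    secret = secrets.randbelow(PRIME)
    shares = split_secret(secret)
    provider = {1: shares[1]}   # held by the service; never enough on its own
    device = {2: shares[2]}     # dApp Share on the user's browser/device
    recovery = {3: shares[3]}   # recovery phrase, password or alternate-account factor
    return {
        "device_plus_recovery": reconstruct({**device, **recovery}) == secret,
        "provider_plus_recovery": reconstruct({**provider, **recovery}) == secret,
        "provider_alone": can_reconstruct(provider),
    }


if __name__ == "__main__":
    print(lockout_scenario())
```

The last function is the situation in this thread: the user's own factors are gone, and the one share the provider holds is, by construction, consistent with every possible key, which is why a "reset" from the provider's side is not a matter of policy but of arithmetic.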

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.