New device detected - issue for some users

Please provide the following details too when asking for help in this category:

  • SDK Version: “^7.0.5”
  • Platform: Web “@web3auth/modal”

Some of our users are experiencing an issue when logging in with social login (Google) where they are getting a “New device detected” message and are then prompted to try and verify their account using some methods.

There are several problems with this:

  • The user is normally not on a new device, they are in fact using the same device and browser. So there must be something wrong with the detection system.
  • When the user selects the “device” verify option, they are unable to verify even though they are using the same device. We have noticed that the user's current Chrome version is different to the version in the verification message (their Chrome was updated automatically).
  • They cannot verify with recovery phrase because the user never configured any recovery phrase.

So now, every user who faces this issue is totally locked out of their account.

How can we prevent this issue or help users to unlock and access their accounts?


@benjamin.groves Can you share your Dapp URL if possible to check this behavior? Was this happening earlier or only on the latest version?

If you specify mfaLevel as none in @web3auth/no-modal, your users will only get two shares: a social share and a device share. However, if you enable multi-factor authentication (MFA) in the modal SDKs, your users will receive these two shares plus an additional backup share.

Can you share your entire implementation code to check?
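
The share model described in the reply above, as an added illustration that is not part of the original thread and not Web3Auth's code. It assumes a 2-of-3 Shamir threshold scheme over a toy prime field, with hypothetical names `split`, `reconstruct` and `login`, and shows why a broken device share with no backup phrase leaves the key unrecoverable.

```javascript
// Added illustration, not Web3Auth code: 2-of-3 Shamir sharing over a toy field.
const P = 2n ** 127n - 1n; // Mersenne prime used as the field modulus (assumption)
const mod = (a) => ((a % P) + P) % P;

// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
function inv(a) {
  let result = 1n, base = mod(a), e = P - 2n;
  while (e > 0n) {
    if (e & 1n) result = mod(result * base);
    base = mod(base * base);
    e >>= 1n;
  }
  return result;
}

// Threshold 2: f(x) = secret + slope * x, one point on the line per share.
function split(secret, slope) {
  const f = (x) => ({ x, y: mod(secret + slope * x) });
  return { social: f(1n), device: f(2n), backup: f(3n) };
}

// Lagrange interpolation at x = 0 from any two shares; one share is not enough.
function reconstruct(available) {
  if (available.length < 2) throw new Error("below threshold: key unrecoverable");
  const [a, b] = available;
  return mod((a.y * b.x - b.y * a.x) * inv(b.x - a.x));
}

// Models a login: the social share arrives after OAuth, the others may be gone.
function login(shares, { deviceShareIntact, hasBackupPhrase }) {
  const available = [shares.social];
  if (deviceShareIntact) available.push(shares.device);
  if (hasBackupPhrase) available.push(shares.backup);
  try {
    return { ok: true, key: reconstruct(available) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

const KEY = 0x1234567890abcdefn;   // constructed sample key
const SLOPE = 0xfeedfacecafebeefn; // constructed; must be random in real use
const shares = split(KEY, SLOPE);
// Same browser, untouched storage: social + device share reach the threshold.
console.log(login(shares, { deviceShareIntact: true, hasBackupPhrase: false }));
// Device share broken (e.g. browser update) but backup phrase saved: still fine.
console.log(login(shares, { deviceShareIntact: false, hasBackupPhrase: true }));
// Device share broken and no backup phrase: only one share, locked out.
console.log(login(shares, { deviceShareIntact: false, hasBackupPhrase: false }));
```
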

Thanks for the reply @vjgee, our application is houseofboxing.com we are using Web3Auth and IMX.

A couple things to note, we are using the modal SDK, is the mfaLevel option configurable on this SDK?

Even if we set mfaLevel to none and they only have the 2 shares option, it will still be impossible for them to complete the 2 shares. It seems like if Chrome is updated to a new version, Web3Auth thinks this is a new device and it is impossible for the user to downgrade their Chrome version.

Yes, browser update will prompt users to input the backup phrase.

Scenarios when you need to verify your login with Backup Phrase

Cleared cookies on your browser: If you clear cookies on the browser for any of the devices, the device share will be broken as they will no longer be registered so you will be asked to verify your login.

Lost your device: If you had multiple devices which had access to your Wallet, you can verify a new device using another device provided you are logged into that device. However, if you accessed your wallet only on a single device and lost that, you will need to verify your login on a new device with the backup phrase.

Browser Update: If you upgrade or downgrade your browser to a version different from that when you registered your device, there is a possibility that your browser settings change and break the device share and you will be prompted to verify your login.

OS Update: If you update or reinstall your Operating system (Windows, Mac, iOS or Android depending on the device)

Face/Touch ID: If you enabled Face/Touch ID on your device, you will be prompted to verify your login

Are you able to check your inbox and spam folder for your backup phrase? It was sent there on your first day of login. You can search with the script “from: hello@tor.us or no-reply@tor.us subject: backup”.

Please search and share your feedback.

You read the below document for MFA with modal SDK:

Ok thank you for the clarification about browser updates.

So what do we do about users who have not configured MFA and do not have access to a recovery phrase, because they did not configure any and web3auth does not send them an email?

If we set mfaLevel to none will this automatically unlock the currently locked accounts?

Thanks for your reply.

I checked your Dapp and it is configured with mfaLevel: default which presents the MFA screen every third login. I tested your Dapp as well and was presented with the 2FA login on the third attempt and all subsequent attempts will prompt the 2FA screen only:

I tried a different Chrome browser as well on a different device and I was not prompted for the recovery phrase until I enabled 2FA.

This concludes that the users who are receiving the prompt to verify their phrase, at some point enabled MFA from their end.

On the screen you see above, users will be presented to send their backup phrase to an email address of their choice, this will send the phrase to their email and they will then be asked to verify the phrase to proceed completing the 2FA setup. If any of your users chose to download the recovery phrase and did not save the phrase, there is no way to recover their accounts as we are non-custodial and do not save any information on our servers for user phrases.

Once again, ask your users to check from their Inbox for the phrase. They can search with the script “from: hello@tor.us or no-reply@tor.us subject: backup”.

Ahh ok this makes total sense now, thanks @vjgee.

We have users who are not very knowledgeable about Web3 and have probably done exactly what you described without saving their recovery phrase and so they are probably completely locked out now.

With that knowledge we can explain this to them.

However, now we have a situation where a user cannot log into our application with their email any more because their email is associated to a wallet that they are locked out of. Is it possible to disassociate a user's email with a wallet so that they can log in again and have a new wallet created?

Thank you

No, there is no way to change the email as when they authenticate with that email, it created a unique wallet address. The only option is to use a completely different email address.

No, this will take effect for only new accounts to skip the MFA setup screen. It will not unlock existing accounts.
