New Device Detected - Not mainstream UX

Just testing my app, I have run into the New Device Detected issue twice now. Both are incredibly bad UX because I have to either wipe the full data on the user or transfer the data to a new account.

No MFA recovery popup is showing to the user, and even if it were to - there is no way to guarantee that users will write down the recovery phrase.

They will have funds on their address, and ultimately some will lose access and their funds. How is this acceptable? I understand users can export PKs, but there's also a chance they don't do that either.

What can I do here to resolve this issue from happening to users? I cannot block a user from trying to login to an account from different devices. This is not how we can get crypto mainstream…

Does this not happen with google log in? It seems to only happen when I test with Twitter. If that’s the case, I will limit the app to only emails. Please let me know.

If you are using default verifiers, your users may have set up MFA on other dApps that also use default Web3Auth verifiers. In this case, the MFA screen will continue to appear if the user has enabled MFA on other dApps. This is because MFA cannot be turned off once it is enabled.

Could you share more information on how you have set up your app?

Thanks for the response but that’s not necessarily what I was asking.

With a social login, like Twitter, if a user logs in through mobile, then next time tries on a desktop, they will receive this New Device alert every time, yes or no?

Now, same scenario but with Google Auth. I believe this doesn’t occur now. Is this correct? I am trying to understand if some auth methods do not have this “New device detected” scenario.

MFA is not dependent on the auth methods; by default, the MFA screen is prompted every third login.

Which SDK are you using for your app, and have you set up the mfaLevel parameter?

Can you share the Twitter username which is facing the issue?

Do you have documentation that describes when the New Device Detected screen shows? From a technical standpoint. I want to understand it fully so I know how to best handle this use case.

The New Device Detected screen shows only for those users who have enabled MFA on their account. If they haven't enabled MFA, the screen should not be presented, and it's something we need to check for that specific account.
