Hi, we are trying to use Web3Auth to create private keys for users via social logins. We would like to avoid enforcing multi-factor authentication for every user, so that a user can be signed in as soon as possible.
We've noticed in b64Params variable in the search query that there is the mfaLevel set to "none". We've tried getting it to work, but even though the parameter is being passed in the URL, we still see the 2FA prompt for multiple accounts, for example when signing up using Discord and Google. We did succeed using Twitter.
See the URL below.
https://app.openlogin.com/popup-window#b64Params=eyJfY2xpZW50SWQiOiJCQWZLRE1kd1NyNThGS1dBT2VlNEFETF9NVFlYSmtFWTduU0p1czFKWDRXLW1oSjh4OHJKeVZGcFZFb3hmdWhxRjR3R1RkRTBaallJVnZtaVhwTndTVEEiLCJfb3JpZ2luRGF0YSI6e30sIl93aGl0ZUxhYmVsRGF0YSI6e30sIl9sb2dpbkNvbmZpZyI6e30sIl9zZXNzaW9uSWQiOiI5YjI1ZGM4NmQzZWUzMWMwMDlkOTE0YzM4YjNlYjljNTIyNWI2OThmNzYzYWI1M2ZmMDJjODQ2N2FhMWFhODgxIiwibG9naW5Qcm92aWRlciI6ImZhY2Vib29rIiwicmVkaXJlY3RVcmwiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvIiwibWZhTGV2ZWwiOiJub25lIiwiY3VydmUiOiJzZWNwMjU2azEiLCJleHRyYUxvZ2luT3B0aW9ucyI6e30sIl9vcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjMwMDAifQ&_pid=31aa2c250a742353cc8d4d6a645460bd3806baa24c4314741908453151ff7bcc&_method=openlogin_login
At the end is the code that I'm using.
Below is some context from a discussion with @shahbaz17 from Discord
It seems there are 3 different scenarios for a user account.
- User setup MFA previously and makes sense that it can't be ignored
- User has never completed a login ever, yet is still required to setup MFA
- User has never completed a login ever and doesn't need to setup MFA
Since scenarios (1) and (3) are expected behavior, let's focus on (2). I think (2) happened as a result of testing.
Steps to repro (2):
Browser: Chrome
Login type: OpenLogin - Google or Facebook
- do the normal login flow without setting mfaLevel
- cancel login when OpenLogin request to setup MFA
- do the login flow again with mfaLevel set to 'none'
Going back to scenario (1), I do agree that requiring the use of MFA when it is setup makes sense, but requiring users to keep MFA forever after it is setup seems a bit extreme, even if the user manual logs in to https://app.openlogin.com
import { OpenloginAdapter } from “@web3auth/openlogin-adapter”;
import { LOGIN_PROVIDER } from “@toruslabs/openlogin”;
const web3auth = new Web3AuthCore({
clientId,
chainConfig: {
chainNamespace: “other”,
},
});
const openloginAdapter = new OpenloginAdapter({
adapterSettings: {
clientId,
network: ‘mainnet’,
no3PC: true,
},
loginSettings: {
mfaLevel: “none”,
},
});
web3auth.configureAdapter(openloginAdapter);
await web3auth.init();
const provider = await web3auth.connectTo(“openlogin”, {
loginProvider: LOGIN_PROVIDER.GOOGLE,
mfaLevel: “none”,
});
Originally posted by: Geo25rey
Check the discussion at: https://github.com/orgs/Web3Auth/discussions/687