Prompt MFA screen even though mfaLevel set to "none"

Hello,

We are using the React Native package in our Expo app and we have set mfaLevel to “none” in the login parameters. We have not encountered this with multiple users, but one of our testnet users was prompted with the MFA screen, and since then he has been using it while logging in to the testing environment.
Our concern is why the MFA screen was prompted even though it was not set from our side when calling the login method.

We hope that, if this is a bug, it is just within the testnet environment. We want to make sure that our production users never face the MFA screen while logging in.

  • SDK Version: 3.5.0
  • Expo or Bare Version: Expo

Code snippet:

const info = await web3auth.login({
  redirectUrl: Platform.OS === 'ios' ? resolvedRedirectUrl : resolvedRedirectUrlForAndroid,
  mfaLevel: "none",
  curve: "secp256k1",
  extraLoginOptions: {
    login_hint: provider == LOGIN_PROVIDER.EMAIL_PASSWORDLESS && loginHint
  },
  loginProvider: provider
});

@keval.shah Thanks for reaching out.

Your concern has been forwarded to our Dev team and we will get back when there is a meaningful update to share.

Could you please update to the latest SDK version v5?

Ok, will do as well.

Existing users who have set up MFA will have MFA. Has your colleague set up MFA on a different W3A build?

Yes, that user is not sure, but once used the same login for another web3auth app (for example, dashboard.web3auth.io) and had set up MFA there.
Does that mean that a user who has used the same login creds for another web app would face MFA on our app (even if we have disabled it)?

This depends on if your dapp uses the built-in login methods or uses custom verifiers.
If you use custom verifiers, your users and MFA levels are scoped to your app. If not, they’ll be global and shared with all default users of the web3auth SDK.

Thanks for the reply. We are using built-in login method.

const web3auth = new Web3Auth(WebBrowser, {
  clientId,
  network: Constants.expoConfig.extra.ENVIRONMENT == AppEnvironment.PRODUCTION
    ? OPENLOGIN_NETWORK.CYAN
    : OPENLOGIN_NETWORK.TESTNET, // or other networks
});

const info = await web3auth.login({
  redirectUrl: Platform.OS === 'ios' ? resolvedRedirectUrl : resolvedRedirectUrlForAndroid,
  mfaLevel: "none",
  curve: "secp256k1",
  extraLoginOptions: {
    login_hint: provider == LOGIN_PROVIDER.EMAIL_PASSWORDLESS && loginHint
  },
  loginProvider: provider
});
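
Added example, not part of the thread and not Web3Auth's own code: a preflight check for the scoping described in the reply above, where any login provider without a custom verifier shares its users and MFA state with other default Web3Auth apps. It assumes the SDK constructor accepts a `loginConfig` map with `verifier`, `typeOfLogin` and `clientId` per provider; the verifier name, client IDs and the `buildLoginConfig` / `buildInitOptions` helpers are hypothetical.

```javascript
// Added example. Verifier names and client IDs below are constructed placeholders.
// Assumption: the constructor options accept `loginConfig`, keyed by login
// provider, with { verifier, typeOfLogin, clientId } per entry. Check this
// against the SDK version you ship.

// Providers the app offers, mapped to the custom verifier registered for this
// app (null = none registered, so the shared default verifier would be used).
const APP_VERIFIERS = {
  google: {
    verifier: "example-app-google",       // placeholder verifier name
    typeOfLogin: "google",
    clientId: "GOOGLE_OAUTH_CLIENT_ID",   // placeholder OAuth client ID
  },
  email_passwordless: null,
};

// Split providers into app-scoped (custom verifier) and shared-scope (default).
function buildLoginConfig(verifiers) {
  const loginConfig = {};
  const sharedScope = [];
  for (const [provider, entry] of Object.entries(verifiers)) {
    if (entry && entry.verifier && entry.typeOfLogin && entry.clientId) {
      loginConfig[provider] = { ...entry };
    } else {
      sharedScope.push(provider); // MFA set up elsewhere can surface here
    }
  }
  return { loginConfig, sharedScope };
}

// Build constructor options; with requireAppScope set, fail closed when any
// provider would still use the shared default verifier.
function buildInitOptions({ clientId, network, verifiers, requireAppScope }) {
  const { loginConfig, sharedScope } = buildLoginConfig(verifiers);
  if (requireAppScope && sharedScope.length > 0) {
    throw new Error(`no custom verifier for: ${sharedScope.join(", ")}`);
  }
  return { options: { clientId, network, loginConfig }, sharedScope };
}

// Usage in the app: new Web3Auth(WebBrowser, buildInitOptions({...}).options)
```

With the sample map, `email_passwordless` is reported as shared scope, so a production build with `requireAppScope: true` refuses to start until a custom verifier is registered for it.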