Hello,
after reading the documentation, Account Dashboard | Documentation | Web3Auth
I’m confused on how recovery really works if the user loses his/her private key (e.g. say his/her laptop is destroyed).
Web3auth is advertised as non-custodial, but I still see things like MPC/SSS in the docs which point to a semi-custodial solution (i.e. web3auth have some key shares or key parts). Is that’s the case?
The mnemonic phase is straighforward, but is the user expected to backup the mnemonic somewhere safely? What if the mnemonic is compromised (e.g. someone steals the paper with the phrase) or if it is lost?
I see “social recovery” which points to the “guardians” used by Argent. Is this approach similar? Can the user define his/her own guardians?
Also, how do you ensure that the combination of all the available recovery methods is still secure? (is there the possibility of an existence of a loophole when all these are combined?)
I’m glad you’ve gone through the documentation and are looking into understanding the recovery mechanisms within Web3Auth. Let’s address your concerns one by one:
Non-Custodial Nature & MPC/SSS: Web3Auth primarily enables non-custodial key management through Multi-Party Computation (MPC) and Shamir’s Secret Sharing (SSS). While the key is split into parts, Web3Auth does not retain the ability to reconstruct the user’s private key without the user’s participation, thereby maintaining its non-custodial nature. This means you, as the user, are always in control—it’s just a more secure way of managing the keys.
Mnemonic Phrase: Yes, the user is expected to securely store the mnemonic phrase. It is crucial that this information is kept safe, as losing it—or having it compromised—can result in losing access to the crypto assets. It’s a trade-off of security and convenience, something common in blockchain technologies prevalent today.
As for ensuring security with multiple recovery methods, the combination of these methods aims to increase security by providing redundancy. The intent is to prevent single points of failure, although it’s always important to carefully consider the trust model and the setup of your guardians.
If any other questions arise, or if there’s anything specific you want to dive deeper into, let me know!
Note: This response was generated by an AI bot and may require further verification. The Web3Auth support team has tracked this issue and will be responding as soon as possible.
Additionally, we would recommend you to join our biweekly Office Hours to get this resolved even faster. Web3Auth Developer Office Hours
Regarding #1, while this ensures that the shares held by the Web3Auth servers are not sufficient to reconstruct the key (and therefore steal funds, assuming the threshold value is chosen appropriately), this also assumes that the servers will be available if needed. (e.g. what happens if Web3Auth goes out of business and the user loses his/her key?)
Also, are all these recovery methods serving in an OR or AND fashion?