Security & Recovery Questions

[Legacy] GitHub Discussions
1

Hi - a few security and recovery questions regarding the web3Auth solution:

  • My understanding is Web3Auth reconstructs a user's primary key based on the frontend / client. Does that mean that if a user's browser is compromised, the private key can be stolen? (is this the same in core vs. self-host)?
  • If a user logs in via their phone upon first login and then uses their desktop for their second login (same social login provider), will they be able to login from desktop? How are device shares initialized / managed in this instance?
  • If we integrate our own IdP (e.g. Auth0) for the social key share, can a user still recover their keys if our IdP were to go down? i.e. can they use their device share and recovery share as 2/3 to access their keys?


Originally posted by: cfern18

Check the discussion at: https://github.com/orgs/Web3Auth/discussions/1312
2
  • Yes and no, for our Web3auth SSS solution, private key recreated on the front end and if user's browser is compromised, key could be stolen. In our latest solution, we use MPC to enhance security during the transaction signing process. Instead of recreating the private key on the front end, users are only given a share, which minimizes the risk of compromising the final private key, even if the user's browser is compromised.
  • When MFA is enabled by developer, user would need to approve new device from their old device at openlogin.com
  • Yes, they could use their device share and recovery share to reconstruct privately


Originally posted by: ieow