Let's say I have logged into app.openlogin.com and have enabled the 2FA feature. Once enabled, I get an email sent to my email (Gmail) containing the backup phrase.
If my Gmail account is compromised and the attacker has access to my Gmail, they could search my email for the backup phrase email that web3auth sent when I enabled 2FA. If I never deleted that backup phrase email and the attacker finds it, then they have access to my app.openlogin.com account as well as all the approved/authorized apps that I've visited, thus allowing them to take all of my funds/assets. Given that it only takes 2 factors to get into my account (email and backup phrase in this case), the attacker would be able to do as they please once they find that backup phrase email. Are these assumptions correct?
Originally posted by: tantommy
Check the discussion at: https://github.com/orgs/Web3Auth/discussions/527