Shares recovery when mail connection from another device


I understood from the documentation that the private key is split in 3 shares :

  • 1 associated with the device
  • 1 associated with the service provider (Oauth, Google, Twitter, passwordless)
  • 1 share as a backup (e.g the user downloads the third share as a backup on his computer)
    From these 3 shares, 2 are required to reconstruct the private key.
    However, I noticed a behavior that I can’t figure out.

I did the following test :

  1. I connected myself with the passwordless flow (email) for the first time on my dApp using my computer. I was not asked to save any backup share.
  2. I switched to my phone to connect myself on the same dApp using the same email.
  3. The connection was successful and I got the same wallet address and auth id token than on the computer (which means the private key was reconstructed).

How was it possible knowing that when I connected on my phone I only had access to one share, the one linked with my email ?

@fl.bouchut Welcome Aboard!

Your request has been forwarded to our team and we will get back once more information becomes available.

1 Like

Have you enabled MFA for your application? Only if MFA is enabled, you will be prompted for a recovery factor to complete 2/3 shares to reconstruct the private key.

Which SDK are you using and what platform?

No the MFA wasn’t activated, that’s the point of my question.

we use this concept of incremental onboarding. We prompt users to setup MFA after 3 logins (default) or dapp can trigger this using mfaLevel setting in PlugnPlay SDK.

How is security ensured during this period when the user hadn’t back up his recovery share (MFA) ? And is it really non custodial during this time ?

What if the user never backs up his recovery share if the MFA is not mandatory ? (e.g. I used Web3auth solution for a while and I never did the backup)


ShareA is managed and divided across Web3Auth’s Auth Network and can be accessed through an OAuth login provider owned by the user, like their Google account. Since the key is custodial to the Auth Provider and the Web3Auth Network, it is SEMI-CUSTODIAL in nature

If the user never backs up his recovery share , then the flow results in 1/1 key share and the key is generated directly from the OAuth login provider using the credentials provided by them.

1 Like

Than you very much for the reply, it is very useful !
It brings to me another question, does this mean that the key can be reconstruct from only 1 share ? How is it possible ? Are there other times when this happens ?

If the user does not enable MFA then the key will be reconstructed from 1/1 share. If MFA is enabled then the key will be reconstructed from 2/3 shares.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.