From everything I’ve read online the point of AA is to remove the need to use EOAs by replacing them with smart contract accounts. But my understanding is that with ERC-4337, you still need an EOA to sign a UserOperation. Is this correct or is my understanding wrong and there is some other way a user could authenticate a transaction?
Based on this, I guess the best approach (until AA is more deeply integrated at the protocol level) is to use MPC wallet tech like web3auth to help users manage private keys to the EOA needed to sign UserOperations and use AA tooling like ZeroDev to manage the smart account, batch transactions, sponsor gas, etc?
One other question, is it possible to cycle the EOA key from web3auth every so often and update the smart account signer to improve security? Thanks!
Account abstraction enables a set of new features on Ethereum, among which is more flexible access control to your account (e.g. using different signature schemes or social recovery mechanisms).
As you pointed out, even with account abstraction, it can be assumed that the default way of accessing an account will still be through signing transactions (even though in a different format), so you still need a wallet to maintain your private keys.
Web3Auth’s tech can definitely be used to manage your private keys also in this scenario, and thereby greatly improve the user experience with key management and wallet access.
Regarding your second question: I don’t think we currently support rotating private keys for a fixed account. However, the usage of Web3Auth’s tech makes this a little less important because we actually allow you to renew your private key factors stored across our infrastructure and the user devices without changing your public key. So this is kind of a key refresh without changing the actual key through the usage of MPC tech.
Nevertheless, your suggestion is an interesting direction that we might be looking further into in the future. Thanks!
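The key refresh described in the answer above (new key factors, same public key), illustrated with proactive Shamir secret sharing as an added example. This is not Web3Auth's code or protocol: the 2-of-3 threshold, the function names and the sample key are assumptions made for illustration.

```python
import secrets

# Order of the secp256k1 group, the curve Ethereum EOA keys live on.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

def split(secret, threshold=2, parties=3):
    """Shamir-split `secret` into shares {x: y}; any `threshold` recover it."""
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return {x: _poly_eval(coeffs, x) for x in range(1, parties + 1)}

def refresh(shares, threshold=2):
    """Re-randomise every share by adding a polynomial with constant term 0.

    The shared secret is the value at x = 0, so it (and the public key derived
    from it) is unchanged, while every individual share gets a new value.
    """
    delta = [0] + [secrets.randbelow(N - 1) + 1 for _ in range(threshold - 1)]
    return {x: (y + _poly_eval(delta, x)) % N for x, y in shares.items()}

def reconstruct(shares):
    """Lagrange-interpolate at x = 0. Used here only to check the invariant;
    a threshold signer would never reassemble the key in one place."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = (num * -xj) % N
                den = (den * (xi - xj)) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret

def demo():
    key = secrets.randbelow(N - 1) + 1                 # constructed sample key
    old = split(key)
    new = refresh(old)
    same_epoch = reconstruct({1: new[1], 3: new[3]})   # two fresh shares
    mixed_epoch = reconstruct({1: old[1], 2: new[2]})  # stale + fresh share
    return key, old, new, same_epoch, mixed_epoch
```

A share leaked before a refresh cannot be combined with shares issued after it, which is why refreshing limits the value of a single compromised factor even though the account key itself never rotates.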