We noticed that one of the first things the SDK is doing during login is to call the RPC method VerifierLookupRequest to query the network for the existence of a key for the combination of verifier + verifier_id.
Since this endpoint is public, anyone can call it and discover if different identifiers exist for a given application (verifier). If email addresses are used as user identifiers (it seems to be the default case for social login), then we’re concerned that this personal information can be easily pulled from the Torus network.
What is the recommendation from web3auth to avoid this situation? I’ve seen other applications using random numeric user ids instead of emails. But is that possible when using social logins and not custom verifiers?
- SDK Version: latest tKey SDK
- Verifier Details: Custom JWT