Multi Factor Authentication
With Web3auth, you can enable you users to set users multi-factor authentication (MFA) for embedded wallets. This feature enhances wallet security by tying access to additional authentication factors such as social logins, devices, or recovery phrases. By requiring additional verification, MFA ensures users can securely control and recover their wallets while maintaining a self-custodial setup. The key recovery methods that we support out of the box are:
One-Click Login (Single Factor Auth)
This is the simplest flow for a user to onboard with Web3Auth. The user just needs to click on the login button, connect to their favorite social account (OAuth) or any passwordless flow, like email-passwordless, biometric authentication etc., and a wallet is generated for them. This flow has a 1/1 Key Share setup and the whole key via Web3Auth Auth Network key shares. This flow is still non-custodial since the nodes in the Web3Auth network have a 5/9 consensus mechanism to generate the key shares.
While analyzing, one can claim that this flow is custodial to the OAuth Login provider, since this is directly generated using credentials provided by them. Also, since the Web3Auth Network handles this flow independently, even while being decentralized, we can call this flow a semi-custodial flow.
In our One Click Flow, we add a nonce value, stored in our encrypted metadata server, to the
social login share to keep the threshold 2/2, while it feels like 1/1. This is done to ensure that
the application has the flexibility to move to a 2/n MFA flow in the future if they want to. As the
application triggers the creation of MFA Factors the nonce is automatically deleted.
-
The Single Factor SDKs help you directly achieve this flow.
-
For Plug and Play SDKs, this flow can be achieved by setting the
MFALevelto'none'within the Web3Auth Login while logging a user in.
Adding Multi-Factor Authentication
The Multi-Factor Authentication (MFA) feature refers to the ability of the user to create a backup share (recovery factor). This feature plays a key role in the Wallet Infrastructure of Web3Auth and a developer needs to properly understand it to be able to onboard users safely and effectively.
The most interesting feature of adding a multi-factor authentication is that it makes the keys self-custodial to the user. This is achieved by associating a key share alongside the factor that the user chooses to create, hence making sure the key is further distributed and not just associated with the user's social account or the Web3Auth Network.
Know the best practices to implement MFA effectively to enhance security and user experience.
Types of MFA Flows
With Core Kit MFA and Plug and Play SDKs, you have the choice to use multiple types of multi-factor flows according to your needs. With Plug and Play, we expose various logins out of the box. For Core Kit SDKs, the developers can determine which flow suits them the most, with total freedom of managing key storage and access.
| MFA Type | Custodiality of MFA | Ease of Access | Setup Custodiality | Availability in Plug and Play SDKs |
|---|---|---|---|---|
| Recovery Mnemonic Phrase | Self Custodial to User | Difficult | Fully Non-Custodial | Yes |
| Email Backup Share | Potentially Custodial to Email Provider | Medium | Non-Custodial / Semi-Custodial (if same email as first factor social login) | Yes, SMTP server for email can be customized for Enterprise Customers. |
| Backup Password | Semi Custodial to the Encrypted Metadata Server | Medium | Non-Custodial | Yes |
| Secondary Social Login | Semi Custodial to Social Provider | Easy | Non-Custodial / Semi-Custodial (if same social login provider for first factor) | Yes, with Default Social Providers |
| SMS Passwordless | Semi Custodial to SMS Service | Easy | Non-Custodial | Yes, with Web3Auth SMS Server |
| Email Passwordless | Semi Custodial to Email Provider | Easy | Non-Custodial / Semi-Custodial (if same email as first factor social login) | Yes, with Web3Auth Email Passwordless Server |
| Passkeys | Non Custodial | Easy | Non-Custodial | Yes, with Web3Auth Passkeys Server |
| Authenticator App | Non Custodial | Easy | Non-Custodial | Yes, with Web3Auth Authenticator Server |