Skip to main content

Multi Factor Authentication

With Web3auth, you can enable you users to set users multi-factor authentication (MFA) for embedded wallets. This feature enhances wallet security by tying access to additional authentication factors such as social logins, devices, or recovery phrases. By requiring additional verification, MFA ensures users can securely control and recover their wallets while maintaining a self-custodial setup. The key recovery methods that we support out of the box are:

One-Click Login (Single Factor Auth)

This is the simplest flow for a user to onboard with Web3Auth. The user just needs to click on the login button, connect to their favorite social account (OAuth) or any passwordless flow, like email-passwordless, biometric authentication etc., and a wallet is generated for them. This flow has a 1/1 Key Share setup and the whole key via Web3Auth Auth Network key shares. This flow is still non-custodial since the nodes in the Web3Auth network have a 5/9 consensus mechanism to generate the key shares.

warning

While analyzing, one can claim that this flow is custodial to the OAuth Login provider, since this is directly generated using credentials provided by them. Also, since the Web3Auth Network handles this flow independently, even while being decentralized, we can call this flow a semi-custodial flow.

technical insight

In our One Click Flow, we add a nonce value, stored in our encrypted metadata server, to the social login share to keep the threshold 2/2, while it feels like 1/1. This is done to ensure that the application has the flexibility to move to a 2/n MFA flow in the future if they want to. As the application triggers the creation of MFA Factors the nonce is automatically deleted.

tip
  • The Single Factor SDKs help you directly achieve this flow.

  • For Plug and Play SDKs, this flow can be achieved by setting the MFALevel to 'none' within the Web3Auth Login while logging a user in.

Adding Multi-Factor Authentication

The Multi-Factor Authentication (MFA) feature refers to the ability of the user to create a backup share (recovery factor). This feature plays a key role in the Wallet Infrastructure of Web3Auth and a developer needs to properly understand it to be able to onboard users safely and effectively.

The most interesting feature of adding a multi-factor authentication is that it makes the keys self-custodial to the user. This is achieved by associating a key share alongside the factor that the user chooses to create, hence making sure the key is further distributed and not just associated with the user's social account or the Web3Auth Network.

tip

Know the best practices to implement MFA effectively to enhance security and user experience.

MFA Factors

Types of MFA Flows

With Core Kit MFA and Plug and Play SDKs, you have the choice to use multiple types of multi-factor flows according to your needs. With Plug and Play, we expose various logins out of the box. For Core Kit SDKs, the developers can determine which flow suits them the most, with total freedom of managing key storage and access.

MFA TypeCustodiality of MFAEase of AccessSetup CustodialityAvailability in Plug and Play SDKs
Recovery Mnemonic PhraseSelf Custodial to UserDifficultFully Non-CustodialYes
Email Backup SharePotentially Custodial to Email ProviderMediumNon-Custodial / Semi-Custodial (if same email as first factor social login)Yes, SMTP server for email can be customized for Enterprise Customers.
Backup PasswordSemi Custodial to the Encrypted Metadata ServerMediumNon-CustodialYes
Secondary Social LoginSemi Custodial to Social ProviderEasyNon-Custodial / Semi-Custodial (if same social login provider for first factor)Yes, with Default Social Providers
SMS PasswordlessSemi Custodial to SMS ServiceEasyNon-CustodialYes, with Web3Auth SMS Server
Email PasswordlessSemi Custodial to Email ProviderEasyNon-Custodial / Semi-Custodial (if same email as first factor social login)Yes, with Web3Auth Email Passwordless Server
PasskeysNon CustodialEasyNon-CustodialYes, with Web3Auth Passkeys Server
Authenticator AppNon CustodialEasyNon-CustodialYes, with Web3Auth Authenticator Server