Skip to main content

Multi Factor Authentication with PnP Web Modal SDK

At Web3Auth, we prioritize your security by offering Multi-Factor Authentication (MFA). MFA is an extra layer of protection that verifies your identity when accessing your account. To ensure ownership, you must provide two or more different backup factors. You have the option to choose from the device, social, backup factor (seed phrase), and password factors to guarantee access to your Web3 account. Once you create a recovery factor, MFA is enabled, and your keys are divided into three shares for off-chain multi-sig, making the key self-custodial. With backup factors, you can easily recover your account if you lose access to your original device or helps login into a new device.

For a dApp, we provide various options to set up Multi-Factor Authentication. You can customize the MFA screen by setting the mfaLevel argument. You can enable or disable a backup factor and change their order. Currently, there are four values for mfaLevel:

  • default: presents the MFA screen every third login
  • optional: presents the MFA screen on every login, but you can skip it
  • mandatory: make it mandatory to set up MFA after login
  • none: skips the MFA setup screen

Installing Openlogin Adapter

Social logins in Web3Auth are enabled by the openlogin-adapter. Natively, it is already present and preconfigured within the Plug and Play SDK, but for custom configurations, you need to install the adapter package.

npm install --save @web3auth/openlogin-adapter

Configuring Openlogin Adapter

While instantiating the Openlogin Adapter, you can pass some configuration objects to the constructor. One of these configurations is the loginSettings configuration which enables you to make changes in the adapter, enabling add more settings to your login function using web3auth.

tip

Checkout the openlogin-adapter SDK Reference for more details on different configurations you can pass for customisations.

Login Settings

loginSettings

VariableTypeDescriptionMandatory
loginProviderLOGIN_PROVIDER_TYPE or CUSTOM_LOGIN_PROVIDER_TYPE - GOOGLE, FACEBOOK, REDDIT, DISCORD, TWITCH, APPLE, LINE, GITHUB, KAKAO, LINKEDIN, TWITTER, WEIBO, WECHAT, EMAIL_PASSWORDLESS, SMS_PASSWORDLESS, JWTSets the oauth login method to be used. You can use any of the valid loginProvider from the supported list.

The list of available options: google, facebook, reddit, discord, twitch, apple, line, github, kakao, linkedin, twitter, weibo, wechat, email_passwordless, sms_passwordless, jwt
No
mfaLevel?MfaLevelTypeYou can set the mfaLevel to customize when mfa screen should be shown to user. It currently accepts 4 values:
  • 'default' Setting mfa level to default will present mfa screen to user on every third login.
  • 'optional' Setting mfa level to default will present mfa screen to user on every login but user can skip it.
  • 'mandatory' Setting mfa level to mandatory will make it mandatory for user to setup mfa after login.
  • 'none' Setting mfa level to none will make the user skip the mfa setup screen
No
extraLoginOptions?ExtraLoginOptionsThis can be used to pass standard oauth login options to loginProvider. For ex: you will have to pass login_hint as user's email and domain as your app domain in extraLoginOptions while using email_passwordless loginProviderNo
dappShare?stringCustom Logins can get a dapp share returned to them post successful login. This is useful if the dapps want to use this share to allow users to login seamlessly. dappShare is a 24 word seed phrase.No
curveSUPPORTED_KEY_CURVES_TYPEThis curve will be used to determine the public key encoded in the jwt token which returned in getUserInfo function after user login. You can use that public key from jwt token as a unique user identifier in your backend.
  • 'secp256k1': secp256k1 based pub key is added as a wallet public key in jwt token to use.
  • 'ed25519': ed25519 based pub key is added as a wallet public key in jwt token to use.
Note: This parameter won't change format of private key returned by openlogin. Private key returned by openlogin is always secp256k1.
No
redirectUrl?stringDApp's URL where user will be redirected after login. Register this URL in the developer dashboard, else initialization will give error.No
appState?stringAny custom state you wish to pass along. This will be returned to you post redirect. Use this to store data that you want to be available to the dApp after login.No
Usage
import { OpenloginAdapter } from "@web3auth/openlogin-adapter";

const openloginAdapter = new OpenloginAdapter({
loginSettings: {
mfaLevel: "mandatory", // default, optional, mandatory, none
},
});

Adapter Settings

adapterSettings

VariableTypeDescriptionMandatoryDefault Value
clientId?stringClient ID for web3auth. Obtain your clientId from the Web3Auth Developer Dashboard. Not required if you're passing the clientId in the web3auth core constructor.NoN/A
networkenum (testnet, mainnet, cyan, aqua, )Network specifies the openlogin iframe url url to be used. YesN/A
redirectUrl?stringredirectUrl is the dapp's url where user will be redirected after login. Register this url on the Web3Auth Developer Dashboard else initialization will give error.NoN/A
uxMode?enum (popup and redirect )Two uxModes are supported:
  • 'POPUP': In this uxMode, a popup will be shown to user for login.
  • 'REDIRECT': In this uxMode, user will be redirected to a new window tab for login.
No'POPUP'
replaceUrlOnRedirect?booleanreplaceUrlOnRedirect removes the params from the redirected url after loginNotrue
loginConfig?LoginConfigloginConfig enables you to pass your own login verifiers configuration for various loginProviders. loginConfig is key value map where each key should be a valid loginProvider and value should be custom configuration for that loginProvider.NoN/A
whiteLabel?WhiteLabelDataOptions for whitelabling default openlogin modal.NoN/A
useCoreKitKey?booleanUse useCoreKitKey as true, if you're using this SDK with the Single Factor Auth Web SDKNo
Usage
import { OpenloginAdapter } from "@web3auth/openlogin-adapter";

const openloginAdapter = new OpenloginAdapter({
loginSettings: {
mfaLevel: "mandatory", // default, optional, mandatory, none
},
adapterSettings: {
mfaSettings: {
deviceShareFactor: {
enable: true,
priority: 1,
mandatory: true,
},
backUpShareFactor: {
enable: true,
priority: 2,
mandatory: false,
},
socialBackupFactor: {
enable: true,
priority: 3,
mandatory: false,
},
passwordFactor: {
enable: true,
priority: 4,
mandatory: false,
},
},
},
});