Today, all of us at Web3auth moved a step closer to realising our mission of passing the identity ownership back to the individuals and users. We partnered with FOX -owned Blockchain Creative Labs (BCL) to provide a seamless Web3 user onboarding experience for The Masked Singer Experience.

https://twitter.com/i/status/1626028978220990464

A typical web3 wallet’s user onboarding experience involves setting up a seed phrase for authentication, which is a complex and tedious task. It takes the user anywhere from 10 to 15 minutes. This timeframe has churn written all over it, and it is quite significant in web3 user adoption standards.

But this has been the standard practice over the years. After we launched Web3Auth and had numerous customers using our wallet infrastructure, several consumer-focused applications have seen a 3x increase in conversion rates, from 24% to about 63%, as opposed to conventional seed phrase wallet solutions.

In a significant paradigm shift that we have been able to enable today, we joined forces with FOX Entertainment-owned Blockchain Creative Labs (BCL) to offer the most seamless onboarding experience possible for the fans of The Masked Singer Experience. This digital fan community is an evolution of the singing competition The Masked Singer — television #1 unscripted series.

With this partnership, Web3Auth will allow the fan community to connect to The Masked Singer Experience seamlessly, by logging in to the experience and setting up a web3 wallet directly via email, social and Google accounts instead of having to use the conventional seed phrase-enabled wallets. After this collaboration with us, users will need only less than a minute to set up their wallet accounts.

We decided to give this renewed onboarding journey a special name.

Two-Factor Wallets (2FW)

Users can set up a 2FW via 2FA flows — including social logins, phone, laptops, or even biometrics which would take less than a minute. The 2FW also significantly enhances wallet security — if one factor is damaged, users can still recover the wallet using the other factors.

Our Co-founder and CEO Zhen Yu Yong recommends three key factors for web2 businesses to consider for a successful web3 project launch:

• intuitive user experience
• familiar user journey
• security

He believes that intuitive user experience and accessibility are paramount to allow the show’s fans and crypto enthusiasts to enjoy the reimagined Masker Singer NFT experience.

But the partnership only makes more sense for Blockchain Creative Labs (BCL). It empowers creators to build their communities through web3-centered fandom experiences that allow people to interact with content in new ways, ultimately reshaping the entertainment industry as we know it by infusing it with a new sense of freedom, access and control. BCL believes the future of the entertainment industry lies within Web3, which will help democratize access to Hollywood, strengthen the bond between creators and their communities and pave new avenues for creativity, innovation and success.

Today, we have been able to scale Web3Auth to a place where we have already onboarded over 500 web2 and web3 applications and wallets. Today, we are able to clock over 12 million user keys a month, which is an exponential growth from that of last year. But this is only scratching the surface. Having said that, our larger goal is to provide users with Two-Factor Wallets that are secure and seamless.

“We are all set to partner with larger enterprises within entertainment, gaming and blockchain industries. We want to close the gap between Web2 and Web3.”

~ Zhen Yu Yong, Co-founder and CEO, Web3Auth.

How Web3Auth’s Two-Factor Wallet infra empowered The Masked Singer Experience onboarding experience was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Simplification in access — a core principle our entire team at Web3Auth consistently strives for. It has been a significant part of our engineering culture. Today, we move a step closer towards our mission to simplify Web3 wallet infrastructure for everyone.

Our Self-host SDK is now Core Kit

We decided to do a little rebranding to our Self-host SDK, and call it Core Kit. Because it is the core infrastructure that resides underneath all of our products. Simple and easy.

Of course, there are reasons why we chose to change the name.

• The very term self-host could possibly imply that our customers had to do a lot of heavy-lifting.
• It could have been very easily interpreted with our Plug & Play SDK.

Here is a little context pertaining to the underlying technological architecture in our two flagship SDKs — Core Kit (previously Self-host) and Plug & Play.

These SDKs are built on top of an underlying SDK called tKey, which stands for Threshold Key. The tKey SDK manages private keys by generating shares using Shamir Secret Sharing, a threshold cryptographic algorithm technique. The image below shows how the tKey SDK architecture plays out in a virtual environment.

Now when it came to Self-host as a term, ‘hosting by the self’ was a possible misinterpretation we did not want our customers to take away from it.

• Self-host offered a bundled package of core components or UI-less SDKs to help a customer customize their desired user interface (UI) to further generate and manage their shares. This implies only one thing — it empowers you to retain your own brand’s user interface (UI) and user experience (UX) flow.
• On the other hand, the core purpose of our Plug & Play SDK was to offer a standardized and default user interface (UI) and a user experience (UX) flow from Web3Auth — so that our customers could seamlessly generate and manage their desired number of shares.

By definition, this particular SDK is supposed to be a set of tools that would help you build an authentication engine for your platform — essentially, a non-custodial wallet. But the problem is that our Plug & Play SDK also has a similar purpose, but the only differentiation is that — it allows no room to customize any shares.

The change of name to Core Kit also refers to exactly what our SDKs offer — a bundled package of UI-less SDKs (or core components) to help you gain better access and control over the user experience (UX) flows, while retaining your brand.

Here is what the Core Kit entails:

• tKey JS SDK, which works on web and react native.
• A web-based Single Factor Auth SDK.
• A NodeJS Server SDK hosted on the backend nodejs server.

“Owing to this potential misinterpretation, we wanted to take this space and opportunity to explain why we decided to do this rebranding.”

As we move forward, we are soon going to launch the tKey Android iOS SDKs over the coming few months. Besides, we are also going to launch an aggregator SDK for all of the Core Kit in Web, to allow for better ease of integration.

If you are an enterprise looking to add a powerful web3 component to your existing systems, look no further — Core Kit is here!

Furthermore, below is a summary of all the other product updates we have:

A revamped Plug & Play SDK

Our Plug & Play suite now has all UI SDKs, giving you quick and easy access to our platform.

Here is what the suit includes:

• a Web Modal SDK
• a Web No Modal SDK
• an Android SDK, an iOS SDK
• a React Native SDK
• a Flutter SDK
• a Unity SDK
• a Unreal SDK is out, documentation will be launched soon

Updated documentation

All of our documentation has been revamped with a new quick start, and general flows to highlight our products and integration better.

Check them out here.

We’re on Discourse, our newest community portal!

We have now fully migrated from GitHub Discussions to a brand new community forum on Discourse to enable a superior community support experience, better search capabilities, more accurate suggestions, and quicker responses.

Join our community forum here.

Over the last 4 years, our team at Web3Auth has been able to onboard over 500 applications and wallets across Web2 and Web3. Today, we manage more than 12 million user keys a month, a growth that is significant and exponential from that of our previous years.

Traditional wallet authentication methods such as seed-phrases, are difficult to remember and are vulnerable to phishing attacks. We have been working hard the last 4 years on various key management technologies and we believe we have been instrumental in pioneering this paradigm shift in the industry, especially after having launched our Multi-Party Computation (MPC) technology.

But this is only the beginning. As we continue this journey to achieve our audacious mission, which is to make digital ownership human-centric and accessible to everyone, we want to thank you for being a part of our thriving community and for your support in helping us build this wallet infrastructure for all.

We’d love for you to try out Core Kit, the Plug & Play SDKs, and join us in the product conversations on Discourse.

Important Product Updates — Web3Auth Self Host and Plug and Play was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Today, we want to take this opportunity to address a claimed vulnerability on Magic Links in Web3 highlighted by DFNS.co. Read more here.

The disclosure describes a phishing attack on passwordless Magic Links, that affects Web2 applications but was aimed specifically toward Web3 applications.

A short summary of the incident with the timelines:

• This phishing method was disclosed to us privately on Thursday, 23rd February 2023, over a voice call.
• Between 23rd and 25th February, upon discovery of the phishing attack, the Web3Auth team launched a detailed investigation into potentially affected users and their accounts.
• In conclusion, the investigation found no cases of existing users being affected by this attack.
• A verification challenge and stricter IP policies were implemented to prevent future phishing attempts on Monday, 27th February, 2023.

A brief overview of the phishing attack:

When a user wants to sign up and log in to any user account on the internet, the conventional flow is that he or she would get a verification email with a link to confirm and verify the email address. Upon verification, the user would now be able to access the dashboard or the user account.

But in this case, which happens to be a phishing attack, a malicious third party comes into play. It triggers a login request, because of which it sends out a passwordless web3 Magic Link to the user’s email. The link could possibly have a call-to-action button that prompts the user to log in. When the user clicks on it, the malicious third party would now be able to log in on behalf of the user, but the user is kept in the dark about the consequences until the account is accessed or altered.

This was how the claimed vulnerability attack unfolded, which turned out to be a well-known phishing attack.

Upon intimation of the issue on 23rd Feb 2023, Web3Auth conducted a detailed investigation into potential scenarios under which the issue might have occurred.

The investigation found that there were no such cases of this vulnerability found with respect to our existing user accounts. Our current policies that are already in place, display the origination of login requests as well as open channels for support, for identified malicious requests. These shall effectively prepare us for similar malicious incidents where the user did not activate the request in the first place. Rest assured, we continue to conduct our business and everyday operations while our users have absolutely nothing to worry about.

Our future commitment

However, this gave us an opportunity to further tighten our existing security measures. As part of some immediate remedial actions, we have proactively added additional security policies to identify potential and existing phishing attacks. This included matching and verification of a numeric login code to identify false requests, along with more stringent IP blocking, if the attack originated from different locations.

To ensure that we handle similar issues in a timely and effective manner, we have developed a Security SOP. Further, if you happen to discover any issues with our product, please email us at security@web3auth.io. Our team shall quickly review your submission and respond within 72 hours. While submitting these issues, kindly provide as much detail as possible, including steps to reproduce the issue, the potential impact, and any additional information that may be helpful.

Feel free to refer to our bug bounty program as well.

As part of our commitment to platform security, we will acknowledge your submission and keep you informed of our progress in addressing the vulnerabilities. We would also publicly recognize your contribution, with your permission, in our security hall of fame.

We take the security of our platform very seriously. We acknowledge your support and extend our gratitude for joining us in our mission to improve the security of Web3Auth and Web3 as an entirety.

Web3Auth’s statement on the recent Magic Link phishing attack was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Account Abstraction has been all the rage in recent months. But with all the different specifications, implementations, jargon and use cases it entails, it is very easy to be buried in the weeds. For those looking for an easily pluggable AA SDK, look no further.

Today, Safe Global (previously Gnosis.safe) announced the Safe{Core} SDK, in partnership with Web3Auth in making Account Abstraction an end-to-end and production-ready experience.

Here is a snapshot of what the core SDK entails for developers:

The company (Safe) reports that its custody infrastructure has been closely audited and tested over the last 5 years, and that it is now able to secure $39 billion in assets today.

With Web3Auth, this SDK enables mainstream users to enjoy the benefits of an experience they’re already familiar with. Social logins to Two-Factor wallets that leverage the security of their devices as well. Here is where we echo a similar philosophy and align with Safe on the same.

”Today, there is a binary choice for users. They can either completely give up ownership of their assets to a custodian and play in a walled garden, or bear the full responsibility of protecting their assets and scrutinizing every transaction. Small everyday burdens of gas fees, seed phrases, jumping wallets, and switching networks to do simple transactions have made web3 unusable by the masses.

We need to do better.”

As for developers, if you want to understand more and build on top of the Account Abstraction experience, join us in a month-long global AA Hackathon. The march for this hackathon starts today, with bounties worth $50,000. Join us today here.

Unlock digital ownership for the mainstream user: Safe{Core} SDK built with Web3Auth was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Web3Auth vs Magic — How to choose your Key Management Solution

Authentication is one of the most important components of any application and as the Web3 movement grows, wallet & private key management becomes its most critical aspect. The right to own your own key and the right to own your own identity.

For any dApps, the fundamental question is — how are you managing your users’ wallet? Keeping in mind this critical question, we are comparing two of the leaders in the wallet management space, Web3Auth and Magic.

Before we deep dive into the technical details and comparison, let’s understand what these solutions are trying to achieve. Both Web3Auth and Magic replace seed phrases with intuitive one-click logins making onboarding into web3 seamless while giving control to the application to manage their flows.

Further to that, the infrastructure and usage of both the platforms is very different and needs a deeper understanding. For this, we will be comparing the two platforms on the following aspects:

1. Wallet Management: How the users’ private keys are managed and held safe?
2. Authentications Options: How many types of authentication and 2FA methods are supported?
3. Multichain Support: How many blockchains are supported and utilised?
4. White Labelling and Customisation: How much control the developer has on the UX flows?
5. Scalability: How the platforms perform for applications at scale.
6. Ease of integration: How easy it is to implement a basic instance of the platform.
7. Open Source & Native platforms support: How much code is publicly available and audited? How many platforms are supported?

Differences in Wallet Management Infrastructure

According to the Magic’s Whitepaper,

“Magic’s Delegated Key Management leverages Hardware Security Modules (HSMs) provided by Amazon Web Services’ Key Management Service (AWS KMS). Dedicated user master keys generated using AES-256 with 384-bits of entropy are stored on the HSMs. The master keys never leave the hardware as they are meant to be locked inside and unable to be exported. All encryption and decryption operations happen inside the hardware modules themselves. HSMs are a lot like popular 7 FIDO devices like YubiKeys or hardware-based wallets for cryptocurrency storage such as Trezor or Ledger, but instead of traditional harddrive storage, they sit in the cloud, secured by AWS’s data centers.

Users’ private keys are encrypted by these hardware-based user master keys, which means that attackers need to gain access to the hardware to be able to retrieve the keys, and are forced to stay within Magic’s adversarial infrastructure — which is capable to detect, impede, and monitor attacker’s progress to prevent and mitigate any damages.”

Hence, we can see that Magic depends on Amazon Web Service’s (AWS) Hardware Security Modules (HSM) for their key encryption. The users’ private keys are encrypted by these hardware-based user master keys and stored separately in a multi-region MySQL database.. This approach is good in terms of speed and availability, however has a major flaw, wherein the entire private key sits encrypted on the cloud secured by AWS KMS which can be a single point of failure. Hence, we can regard their solution as a semi-custodial system.

Web3Auth is a fully non custodial MPC (Multi Party Computation) solution where the user keys are distributed across a network of nodes owned by the top firms in the crypto industry and the user’s own devices. This is enabled by an on chain node network distributed key generation followed by an off chain multi-sig. The key is never fully owned by anyone and only the user has the access to it via their own authentication methods. While making a blockchain transaction, the key is never reconstructed or stored anywhere, rather a series of partial signatures are done across the network and user devices and the final signature is generated for the transaction.

This infrastructure can be used across the world with node availability throughout the world with industry leading speeds and a surety that user keys are never owned by a single entity anytime.

You can read more about Web3Auth’s Wallet Management Infrastructure and the New MPC Solution.

Authentications Options

One of key features of Web3Auth and Magic is the support of any social, federated identity ( Auth0, Firebase, AWS Cognito, etc.) and custom JWT auth providers. This allows developers to integrate any kind of login method, provided they are using JWT ID Token for user registration.

In addition to this, Two Factor Authentication is a key aspect of keeping your accounts secure. Magic supports 2FA with mobile operators like Authy and Google Authenticator and/or SMS authentication giving you the traditional experience of 2FA.

Web3Auth introduces a new layer of security here with the introduction of Two Factor Wallets. Web3Auth actually uses its off chain multi sig to distribute keys into multiple devices and or SMS/ other authentication methods. This enables you to get a true decentralised 2FA setup where your keys are secured even if one of the authentication methods is compromised.

Multichain Support

Web3Auth’s SDKs are chain agnostic, ie. they can be used on any blockchain. Today there are thousands of dApps built on numerous blockchains that have integrated Web3Auth. On the other hand, Magic supports 20+ popular blockchains.

White Labelling and Customisation

Web3Auth allows applications and wallets to fully customise and whitelabel the solution. Using the various options of integration available, you can even make Web3Auth totally invisible in the user flow focusing totally on your application end to end. Magic does provide a range of customisation options, but it is limited as compared to Web3Auth.

Scalability

Both the solutions do very well in terms of scalability of users and availability across multiple regions. Being hosted on AWS HSMs, Magic is available worldwide within their servers. These servers are owned by Amazon.

Web3Auth’s network of nodes are hosted worldwide and by trusted industry leaders like Polygon, Binance, Tendermint, ENS, Etherscan etc. Additionally, with the new Sapphire network of Web3Auth, applications can choose to run their own nodes in addition to the nodes available publicly giving them flexibility and control over their user scalability.

Ease of Integration

A basic integration of both the platforms is quite easy and straightforward. With Web3Auth a basic of the Plug and Play SDKs requires just 4 basic steps and with excellent documentation and examples guiding you throughout the journey of building your own customised solution. A basic integration takes less than 15 mins of work and no extra customisation is required for being production ready. You also have the flexibility to migrate to a more advanced integration with our range of SDKs available for different use cases and platforms. We also have an integration builder which, according to your requirements, shapes up a ready to use code that can be directly implemented in your application.

A basic Magic integration takes a similar approach with one additional step. You need to use custom authentication for using any social login provider apart from email passwordless. Their documentation and guides are great to follow along and one can figure out how to implement them easily.

Open Source & Native Platform Support

Open source is at the heart of decentralisation. Both Web3Auth and Magic have strong multi platform support and an active open source community around their products. Web3Auth supports Android, iOS, Flutter, React Native, Unity and Unreal Engine. Magic supports all of them except Unreal Engine. They additionally support PHP and WordPress logins.

At Web3Auth, all these SDKs are open sourced alongside our core infrastructural SDKs and smart contracts controlling the nodes as well. These are fully audited by some of the top smart contract auditing firms in the world. For Magic, the SDKs are open source, while the encryption and DKMS remain closed source.

Final Thoughts

Although Magic is a great product in terms of getting your users onboarded into the Web3 world, it is evident that Web3Auth has a clear advantage on the core infrastructure level over them. Being a more advanced product with a greater emphasis on security, non-custodiality, and customisation, Web3Auth becomes a clear choice in almost every situation where user wallet management and recoverability is an involved factor.

Web3Auth vs Magic — How to choose your Key Management Solution was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

(Re-posted from MetaMask original blog)

Snaps is the roadmap to making MetaMask the most extensible wallet in the world. As a developer, you can bring your features and APIs to MetaMask in totally new ways. Web3 developers are the core of this growth and this series aims to showcase the novel Snaps being built today.

Web3Auth Snap

Snap Repo: https://github.com/Web3Auth/openlogin-snap/

Why did you build it?

At Web3Auth, we’ve always believed that multi-factor authentication is the best way to secure crypto assets, and is much better than seed phrases. When we saw at ETHBogota that the latest build of MetaMask Snaps allowed Snaps to provide external key management capabilities, we decided to challenge ourselves to integrate MPC tech into MetaMask at the Sozu House hackathon.

Can you walk us through the technical implementation?

• Our goal was to allow a new user to login and set up 2FA to access their account in MetaMask. Subsequently, under the hood, whenever they try to sign a transaction, our MPC SDK does a threshold ECDSA signature. This is done by splitting a private key into two parts: a local share that’s stored in the snap and one that’s stored on a signing server. Over several communication rounds, the signing server and the snap should be able to jointly sign an Ethereum transaction and have it be confirmed on the Goerli network. Unlike seed phrases, this setup does not have a single point of failure that leads to irreversible loss of keys: if the user’s laptop is hacked, or if the signing server is hacked, the user does not lose their private key.
• Like every other snap, our snap consists of two parts, the actual snap package, and a page that loads/interacts with the snap. Our ideal user flow was to keep all key management interactions within the Metamask extension’s UI, but due to limitations in permissions, we could not do that. Instead, the user authentication happens outside of the snap, and then once that is complete, we migrate the state into the snap. Subsequently, we hook into the RPC engine of Metamask and respond to transaction requests by using our MPC SDK and the migrated state in the snap to generate threshold ECDSA signatures on the transactions. Surprisingly, we were done with the state migration part within the first few hours of the hackathon and were just left with the signing functionality.
• The rest of the process can be further split into two major tasks:
• Repurposing existing Web3 providers with our MPC SDK to handle the incoming transaction requests
• Getting the MPC SDKs running in the Metamask Snaps SES environment
• If you’re familiar with how Metamask works, or how other wallets function, you’ll know that signing an Ethereum transaction requires much more work than just using a private key to sign a message. A lot of work goes into forming the message object that is to be signed. Each transaction follows a particular format that’s specific to each chain and transaction type, has legacy behaviors that need to be supported for backward compatibility, has to get information about the current gas prices, has to calculate the gas to be used / gas limits, and also has to track the account nonce, etc. Thankfully, most existing Web3 providers already do these things out of the box. However, in order to get our threshold signature library to work well with these SDKs we had to dig deep into every single module and replace the eth-sig-util library’s signing functions with our own threshold signature library signing functions, which took a significant amount of time. In addition, because our MPC SDK was chain-agnostic, and didn’t account for Ethereum-specific checks, we also had to reverse engineer and reimplement checks from the eth-sig-util libraries which we had replaced. For example, EIP-2 specifies that the s-value in an ECDSA signature must not be larger than n/2 + 1, where n is the order of the secp256k1 elliptic curve, in order to prevent transaction malleability attacks, which requires ECDSA signing libraries to do a “flip” of the signature if its s-value falls outside of this range.
• Another challenge we faced was getting our MPC SDKs to run in the Metamask Snaps environment. Our MPC SDK uses wasm (compiled from rust) to run efficiently in the browser. Due to the multiple rounds of communication between the SDK and the signing server, it also uses Socket.IO to communicate to avoid the overhead of HTTP headers. While attempting to load our wasm code into the snap, we ran into some strange issues with mixed argument types in the wasm methods. Unfortunately, wasm debugging tools are still very lacking, with error messages being unhelpful and uninformative (eg. “Uncaught RuntimeError: unreachable”). In the end, we hacked our way around this limitation by accepting all mixed inputs arguments as strings, and parsing them as integers/byte arrays within the wasm code itself. Another problem we encountered was that socket.io did not work in the Metamask Snaps environment. Socket.IO is a separate library/specification built on top of normal WebSockets that handles things like connection upgrading, dropped connections, fallbacks to long polling, etc. which are very helpful when using WebSockets in production environments. Unfortunately, we could not get Socket.IO’s libraries to run in the Metamask Snap environment. As such, we had to fallback to normal WebSockets, and also rewrite the signing server to use default WebSockets instead of socket.io, and fallback to a polling strategy if the websocket had issues.

Can you tell us a little bit about yourself and your team?

Zhen and I are the cofounders of Web3Auth, and our company specializes in providing intuitive, secure, and non-custodial key management solutions. We believe that good security must be easy to use and invisible, or it will not get adopted widely. That is why we are huge proponents of using multi-factor authentication for private keys.

When were you first introduced to MetaMask Snaps and what was your experience like?

We tried Metamask Snaps about a year ago, but unfortunately, it didn’t have the capabilities to allow us to extend the private key management functions within MetaMask back then. With the introduction of SIP-2 recently (thank you Olaf!), which allows snaps to extend MetaMask’s keyring, we’ve been very excited to see what’s possible! While building our snap, I also explored the SES system that MetaMask Snaps is based on, and I think it’s a very solid foundation for MetaMask to act as a platform for developers to add functionality through Snaps.

What makes MetaMask Snaps different from other wallets?

The extensibility! I think MetaMask Snaps provides a secure interface for developers to experiment and augment MetaMask without compromising the security of the MetaMask extension itself. Unlike other types of projects, wallets require high standards of security, which means merging in new functionality from third-parties is always a long, arduous process of code review and audits, which stifles innovation. MetaMask Snaps allows the MetaMask team to continue building a secure product, while still allowing external developers to experiment and extend its functionality.

Tell us about what building Snaps with MetaMask is like for you and your team?

I think Snaps is definitely the way forward, allowing people to build functionality while still keeping the base MetaMask extension secure. There are a few kinks now but improvements are coming every day but I think it’s very exciting overall.

What does Snaps mean to you?

I hope that adding multi-factor authentication capabilities to MetaMask through snaps helps the millions of mainstream users on MetaMask to more securely manage their accounts and prevents them from falling victim to scams and hacks. MFA is already doing this today for billions of Web2 users, and we want to bring those secure best practices to Web3.

What opportunities do you see with MetaMask Snaps and the possibilities it unlocks for the Web3 space?

In general, I think Snaps represents a realistic way for MetaMask to open up its codebase for others to contribute to it without compromising security.

Any advice you would like to share with developers keen to try MetaMask Snaps?

Just try it! It may seem a little new but it’s been very approachable so far and the support for it is great on the ConsenSys discord channel for Snaps. Lots of amazing devs are working on it and if you want to be part of the conversation in shaping Snaps, now is the time to be building on it and giving feedback!

Web3Auth MPC Snap: Integrating Multi-Factor Authentication Into MetaMask was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

As the leading non-custodial authentication infrastructure provider with over 8M monthly users, Web3Auth has launched the MPC (Multi-Party Computation) wallet SDK. We are aiming to bring seamless logins and enterprise-grade security from the institutional level to the user level.

To date, more than 20% of all mined Bitcoin is lost due to mismanaged or stolen seed phrases. To remove this main friction of web3 onboarding and key management issue, it’s time to say bye to the seed phrase.

On a mission to provide the most seamless login experience for users, wallets, and dapps, recently we integrated our MPC via @Metamask snaps. Take a sneak peek at a Web3 world without seed phrases

Other than Metamask, we are onboarding key Web2 gaming players like NEOWIZ and Glip NAFEZA. Egypt’s newly launched customs platform for importing and exporting also leverages Web3Auth’s MPC technology to seamlessly and securely onboard its users to the blockchain.

A lot of exciting partners in the pipeline, but first let’s review some basics…

What is MPC?

MPC, or Multi-Party Computation, is Web3’s version of multi-factor authentication (MFA). It allows users to manage their keys intuitively by using multiple factors to protect their keys, instead of just relying on a single seed phrase to remove it in the process.

This makes it possible to design crypto wallets that rely on multiple factors to access a user’s funds. It is currently the gold standard for enterprise-grade crypto custody solutions and is used widely by exchanges and financial institutions for managing crypto.

Why use MPC technology?

• MPC is currently the golden standard for enterprise key management which Bitgo and Fireblocks currently offer.
• Coinbase introduced an MPC alpha/beta into their wallet earlier in the year, and now we’re unveiling our MPC SDK that enables any wallet or app to do the same for their users.
• Being able to build on the latest and greatest, we’ve optimized the infrastructure to be usable on all devices, across multiple platforms, with support for globally-distributed low-latency signing.
• Our MPC SDK leverages existing and familiar UI/UX flows, including simple one-click logins and others, check out the flow here

How is our SDK different from other MPC solutions?

• Our MPC is the perfect Externally Owned Account (EOA) and can be paired with Gnosis Safe and other Smart Contract Wallet infrastructure (more on this coming soon).
• The existing MPC solutions offered today are all targeted at large enterprises. These MPC solutions are expensive, require a long setup process, or are just too slow to run on consumer devices.

We think that MPC is too important and too crucial of a technology to be kept out of reach of the average user. MPC security should be the standard for all web3 wallets today. As a wallet infrastructure provider, we have optimized our MPC SDKs to be usable on all devices, across multiple platforms, with support for geo-distributed low-latency signing. It doesn’t matter if you’re a game, an app, a Chrome extension, or even a web wallet running in a mobile browser — our SDKs support that.

Our MPC technology key feature includes

• 1.2-second transaction speed (challenge it if you don’t believe us).
• We are chain agnostic (secp256k1, ed25519, BLS and more support)
• Our SDK can be embedded into any web, mobile, and native application.
• The MPC SDK is geo-distributed and horizontally scaled for global distribution.

For those of you that are already familiar with the multi-factor keys security model at Web3Auth, this blog is just another incremental step towards improving private key security.

For those of you who aren’t familiar, here’s how multi-factor keys work:

Leveraging our MPC SDK, you can expect the following benefits

1. Reduces account loss from misplaced seed phrases

There is no seed phrase to manage — shares are managed by intuitive MFA flows that users are familiar with.

2. Prevent compromised device vulnerabilities

User accounts are not subjected to frontend vulnerabilities as MPC’s joint computation allows for keyless usage.

3. Avoid losing funds from dubious transactions

Safeguard your users’ accounts with a flexible policy engine to set rules — daily transaction limits and blacklist scams.

4. Expect fluid experiences

Expect a low latency of less than 1.5s for both login and transaction signing. Allow your users to focus on engaging with your product.

5. You own the UX, we can be a white-label service provider

Our MPC can be embedded into any dapp and/or wallet — you own the experience.

6. You Don’t need to compromise your stack, any platform any chain

Our MPC SDK is blockchain agnostic, it works on Web, Mobile, and Native applications.

Wanna try it?

We have an alpha SDK that you can use today https://web3auth.io/docs/sdk/web/web3auth-mpc. And if you want to take it to production, sign up for early access here https://web3auth.typeform.com/to/efe3zBzt?typeform-source=web3auth.io

Web3Auth MPC is here was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Earlier this year we made a special announcement about co-organizing 4 global Hacker Houses with Solana. The first such collaboration took place in Singapore in February this year over 6 unforgettable days.

Regarding the next collaboration, we asked our folks on Twitter on where they thought we would be next and guess what, they got it right. Bengaluru, the Silicon Valley of India was indeed to become our second destination for the global tour.

Web3Auth on Twitter: "Coming May, we will be co-organizing the Hacker House with @solana in which of the following locations? 🤔 / Twitter"

Coming May, we will be co-organizing the Hacker House with @solana in which of the following locations? 🤔

Highest Turnout Ever
India has one of the biggest developer communities in the world and not surprisingly, the event received way more registrations than the venue could accommodate. What happened as a result? A long queue that has never been seen in any of the Solana Hacker House conducted anywhere in the world.

The participants mostly included enterprising college going folks between the age 17–21.

We caught hold of 14-year old X to find out why he was at the Hacker House (and not in school)

Web3Auth on Twitter: "What was a 14-yr old doing at the @solana x Web3Auth @hackerhouses , Bengaluru edition? Shouldn't he have been in school? 🤔 pic.twitter.com/xFSJxBWLHO / Twitter"

What was a 14-yr old doing at the @solana x Web3Auth @hackerhouses , Bengaluru edition? Shouldn't he have been in school? 🤔 pic.twitter.com/xFSJxBWLHO

Office Hours with Team Web3Auth

Fresh from participating at two major blockchain events, first at the Paris Blockchain Week and later at ETHAmsterdam, team Web3Auth was present in full force at the Bengaluru Hacker House. Web3Auth offered office hours which were attended by different participants. The Web3Auth team patiently spent time answering queries of different kinds ranging from UI/UX to user on-boarding to privacy and security.

Influencers on Stage — Tanmay Bhat and Biswa Kalyan Rath

Two major star attractions at the event were two of India’s most famous stand-up comedians. However, only one of them was at the event in capacity as a comic and that was Biswa Kalyan Rath who performed on the second day of the event leaving the young crowd thoroughly entertained. A lot of previously unheard crypto jokes found presence in his set for the Hacker House.

Pranav on Twitter: "Day 2 of Solana Hacker House. Great session of learning and developing followed by a refreshing and detoxing set by Biswa Kalyan Rath. Kudos to the organizers @hackerhouses #crypto #solana #biswakalyanrath #HackerHouseBengaluru pic.twitter.com/QL7uFZzGmi / Twitter"

Day 2 of Solana Hacker House. Great session of learning and developing followed by a refreshing and detoxing set by Biswa Kalyan Rath. Kudos to the organizers @hackerhouses #crypto #solana #biswakalyanrath #HackerHouseBengaluru pic.twitter.com/QL7uFZzGmi

The other star attraction was Tanmay Bhatt who was at the event in capacity as a member of the SuperTeam DAO. The SuperTeam DAO’s main role is to help grow the Solana ecosystem in India, South East Asia, Eastern Europe, and Africa. Tanmay, one of India’s most well-known digital content creators, offered a very insightful presentation on “how to make good content?”

Web3Auth on Twitter: "Throwback to this wonderful session from @thetanmay at The @solana x Web3Auth @hackerhouses Bengaluru. Tanmay spoke about the importance of building suspense and we want you to know that our token launch will happen on... pic.twitter.com/kdMO7B0V4W / Twitter"

Throwback to this wonderful session from @thetanmay at The @solana x Web3Auth @hackerhouses Bengaluru. Tanmay spoke about the importance of building suspense and we want you to know that our token launch will happen on... pic.twitter.com/kdMO7B0V4W

Many Applications Integrated with Web3Auth

Web3Auth was integrated with many applications being built at the Hacker House. We showcase two such integrations in the videos below.

Web3Auth on Twitter: "Want to hang your NFTs at the Taj Mahal? 🤯 #Web3 #nfts pic.twitter.com/P6j72v8vkb / Twitter"

Want to hang your NFTs at the Taj Mahal? 🤯 #Web3 #nfts pic.twitter.com/P6j72v8vkb

Web3Auth on Twitter: "Is it possible to flaunt NFTs to earn? @nftsoul_io #NFT #web3 pic.twitter.com/ww1wDacCWX / Twitter"

Is it possible to flaunt NFTs to earn? @nftsoul_io #NFT #web3 pic.twitter.com/ww1wDacCWX

Web3Auth on Stage
Our Sr Software Engineers Shubham Rathi and Himanshu Chawla presented practical and valuable insights on how the young developers in the audience can leverage Web3Auth’s SDKs to increase conversion rate one their dApps.

Conclusion

All in all, the Bengaluru Hacker House was one of the most successful Hacker Houses conducted till date and we’re already looking forward to the next time we will be in India.

JavaScript is not available.

The biggest Hacker House till date — Web3Auth and Solana Team Up in Bengaluru was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

In a much needed multi-chain extension to Sign-in with Ethereum, users will now be able to control their digital identity with their Ethereum/ENS, Solana, and Starknet accounts instead of relying on traditional/custodial profiles.

Importance of building a non-custodial future

In crypto, there is a saying that goes “Not your keys, not your crypto ‘’ exemplifying the importance of non-custodiality, — the need to shift the dynamic of ownership from entities to the end-user. The principle also extends beyond just the crypto you hold to your very identity itself. While traditional Web2 entities have done a tremendous job in making the user experience incredibly intuitive but that has also come at a cost — the cost of privacy.

There is excessive monetization of the users’ activity and their residing information on the web. Security compromises even among the biggest names in cybersecurity are increasingly common. As the average user is becoming more and more aware of these tradeoffs, the voice to safeguard their identity is growing louder by the day. We at Web3Auth firmly believe that non-custodiality is the future and we want to lead the way in making it happen.

Sign-in With Web3 — You Own Your Identity

Web3 has to a large extent cracked the code for the user privacy problem. The power of public and private keys, enabled by crypto technologies, allows users to own their username, and profile data, and use their accounts across different applications. This is the fundamental on which built Web3Auth was built — to leverage the power of threshold cryptography to shift the dynamic of power from entities to individuals. When the Ethereum Foundation announced Sign-in with Ethereum, it was not only an important(albeit silent) innovation for the internet, it was also a solid validation and acknowledgement of our core values.

Sign-in with Web3 adds on to that innovation with a powerful multi-chain twist. It extends that innovation to some of the biggest chain ecosystems. Starting today, users on the Ethereum, Solana, and Starknet chains can log in to any Web2 application using their web3 identities thereby bringing the security and privacy of Web3 authentication to Web2.

What Does Sign-in With Web3 Solve?

Today, there are multiple blockchain platforms and thus naturally, there arises a need to have a standard specification for authentication with Web3 identities. This led to the birth of CAIP-74 which allows for creating a chain-agnostic Object Capability (CACAO), based on a signing message as an IPLD object. Sign in with Web3 endeavours to maintain compatibility with CAIP-74, thereby adhering to a chain agnostic standard.

Supported Chains​

Currently, Sign-in with Web3 supports

1. Ethereum
2. Solana
3. Starknet

**Support for more chains coming soon.

Do check our documentation for a step by step guide on how to build a Sign-in with Web3 flow to navigate the authentication logic. Feel free to reach out to us in case you have questions on our Telegram Chat

Additionally, Web3Auth, the creator of Sign-in with Web3, offers a dedicated suite of authentication tools for all Web3 Developers. This includes support for OAuth and native biometric login using our Plug and Play SDK. You can also utilise one of the leading wallets in the Web3 ecosystem, i.e., the Torus Web3 Wallet.

Stay in touch with Web3Auth

Website | Docs | Twitter | Telegram | Discord | Linkedin

Introducing Sign-in with Web3 — Building a Non-Custodial World was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.

Web3Auth and StarkWare Sign-in a Strategic Partnership

Web3Auth and StakWare enter into a Strategic Partnership that will provide a major push to our shared vision of onboarding the next billion users into Web3. The genesis of StarkWare lies in improving scalability and privacy on the blockchain so as to accommodate more and more users. Web3Auth’s origins lie in the fact that seed phrases create a huge entry barrier in onboarding mainstream users into blockchain applications. Given their strikingly similar genesis, it is only natural that both ecosystem stakeholders joined forces to increase mainstream adoption of crypto.

What does the partnership entail?

Uri Kolodny, CEO & Co-Founder, StarkWare:

“Our teams share the mutual goal of bringing web3 closer to mainstream users. With Web3Auth providing easy login and onboarding of users, and with StarkWare providing low gas costs and security, this partnership is a natural and important step in achieving this goal.”

StarkWare Offers Grant to Web3Auth

In a major endorsement for Web3Auth’s mission, StarkWare has offered Web3Auth a grant to ensure its self-custodial private key infrastructure powers as many dApps and wallets in the Web3 eco-system as possible. How we onboard users and handle their private keys in the next few years will largely determine the pace at which the Web3 eco-system will grow. The grant will be used by Web3Auth to to make its authentication suite available and accessible to as many developers as possible and by doing so, to more and more applications and users.

Web3Auth Announces Sign-in With StarkWare

Also as part of the partnership, last week, Web3Auth and StarkWare announced Sign-in With StarkWare, a unique initiative that brings in the security of StarkWare to Web2 allowing users to sign-in to any Web3 application using their StarkWare account.

Quote from Zhen, CEO & Co-founder, Web3Auth:

“Our partnership with StarkWare is a natural evolution of both our organizations’ genesis — to make blockchain more accessible to the masses. This partnership holds immense possibilities for the ecosystem overall and we are excited to see what it unfolds”

Web3Auth SDK now supports key generation and management on the STARK curve

Web3Auth strongly believes that ZK-Rollups such as StarkWare’s scaling solutions have played and will continue to play a huge role in making the Blockchain more usable and secure. Web3Auth extends 100% support to all developers building on the StarkWare family to seamlessly onboard their userswhile keeping core principles of self-custodiality intact.

Coming Soon…

From TSS on STARKs to JWT verification on StarkNet, stay tuned for more updates.

About Starkware family:

StarkWare develops STARK-based solutions for the blockchain industry.

StarkEx, is a standalone permissioned scaling engine that already powers few of the biggest applications such as dYdX, Sorare, Immutable, DiversiFi and Celer. StarkNet is a decentralized permissionless STARK-powered L2 ZK-Rollup over Ethereum, that supports general-computation based on the Cairo language.

About Web3Auth:

Web3Auth is a leading non-custodial private key management infrastructure that helps dApps and Wallets on-board users eliminating the need for seed phrases.

Stay in touch with Web3Auth

Website | Docs | Twitter | Telegram | Discord | Linkedin

Web3Auth and StarkWare Announce Strategic Partnership was originally published in Web3Auth on Medium, where people are continuing the conversation by highlighting and responding to this story.