Hi, I am from Avici (avici.money), a self-custodial Internet finance app. We have been using Web3Auth for authentication across our Flutter mobile app. We are reporting multiple active issues affecting our users on the Web3Auth Passwordless login flow, with several users currently locked out of accounts holding significant balances.
Issue 1: Account mismatch error despite valid authenticator code
Users who have MFA configured are reaching the “New device detected” screen at auth.web3auth.io, entering their correct authenticator code, and receiving the following error:
“Account mismatch, please continue with one you set as a social recovery factor.”
The social login option on the same screen correctly displays their registered email and is pre-selected, yet the flow still fails. These users have a valid auth code and their social login identity is correctly reflected in the UI. They are still being blocked.
Issue 2: MFA screen shown to users who never set up MFA
Multiple users who logged in via email and never configured any MFA or 2FA are being presented with the “New device detected” MFA verification screen. They have no recovery phrase, no passkey, no authenticator app and no secondary device set up, so they have no way to proceed.
A partial workaround was identified for one user: logging in directly via accounts.web3auth.io, setting up a new MFA factor there, and then using that factor in the app. This is not a scalable fix and places an unacceptable burden on users.
We need to understand why MFA is being triggered for accounts that have no MFA configured, and whether this is related to a session or device fingerprint change on your end.
Issue 3: Google email change creating a new account instead of preserving the existing one
A user changed their Google account email address. Upon next login, Web3Auth created a brand new account rather than recognizing the same underlying Google identity.
Google assigns a persistent unique user ID (the sub claim in the OIDC token) that does not change when a user changes their email. Web3Auth should be keying account identity on this sub value, not the email string. The user logs into Google on all other platforms without any issue, confirming this is specific to how Web3Auth handles the identity mapping.
Additionally, Google now prevents users from reverting an email change for 12 months, so the user cannot undo this on their end. They are locked out of an account with a sizeable balance.
The email addresses of all affected users can be shared over DMs if needed.
