Hey @tantommy, thanks for your question. I understand your concern and totally resonate with it. In the worst-case scenario this can happen if the user is not careful enough. However, for any social account, we don't recommend that users use the same email ID for their social account OAuth authentication as for their backup share email. Even in our screens describing the creation of the backup phrase we recommend using a different email ID. Also, while entering the backup phrase we show the time the email was sent alongside the particular address it was sent to, so that the user has no problem finding the email containing the backup phrase.
Let's say I have logged into app.openlogin.com and have enabled the 2FA feature. Once it is enabled, I get an email sent to my email account (Gmail) containing the backup phrase.
If my Gmail account is compromised and the attacker has access to my Gmail, they could search my email for the backup-phrase email that Web3Auth sent when I enabled 2FA. If I never deleted that backup-phrase email and the attacker finds it, then they have access to my app.openlogin.com account as well as all the approved/authorized apps that I've visited, thus allowing them to take all of my funds/assets. Given that it only takes 2 factors to get into my account (email and backup phrase in this case), the attacker would be able to do as they please once they find that backup-phrase email. Are these assumptions correct?
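The scenario in the question and the mitigation in the reply, worked through as an added example that is not code from the thread or from the Web3Auth project. It assumes, purely for illustration, that the wallet key is split 2-of-3 with Shamir secret sharing into a social-login share, a device share and a backup share (the emailed phrase); the thread itself only says that two factors suffice. Under that assumption the example shows why sending the backup phrase to the OAuth login mailbox collapses two factors into one (compromise of that one mailbox yields two shares), why a separate backup address or deleting the phrase email breaks the attack, and the pre-flight check the reply recommends. All names, addresses and the `P`, `split_2_of_3`, `shares_in_mailbox`, `attacker_recovers_key` and `backup_email_warning` identifiers are constructed for this example.

```python
"""Toy model: which key shares an attacker gets from one compromised mailbox.

Assumption of this example (not stated in the thread): a 2-of-3 Shamir split
into a social-login (OAuth) share, a device share and a backup share.
"""
from __future__ import annotations

import secrets

P = 2**127 - 1  # Mersenne prime; the field for the toy Shamir scheme
OAUTH, DEVICE, BACKUP = 1, 2, 3  # x-coordinates of the three shares


def split_2_of_3(secret: int) -> dict[int, int]:
    """Degree-1 polynomial f(x) = secret + a*x; share i is (i, f(i))."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    a = secrets.randbelow(P)
    return {x: (secret + a * x) % P for x in (OAUTH, DEVICE, BACKUP)}


def reconstruct(shares: dict[int, int]) -> int:
    """Lagrange interpolation of f(0) from any two distinct shares."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    (x1, y1), (x2, y2) = list(shares.items())[:2]
    # f(0) = y1 * x2/(x2-x1) + y2 * x1/(x1-x2)  (mod P)
    l1 = x2 * pow(x2 - x1, -1, P)
    l2 = x1 * pow(x1 - x2, -1, P)
    return (y1 * l1 + y2 * l2) % P


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def shares_in_mailbox(shares: dict[int, int], login_email: str, backup_email: str,
                      compromised_email: str, phrase_email_deleted: bool = False) -> dict[int, int]:
    """Shares reachable by an attacker who controls `compromised_email`.

    Following the thread's premise: the mailbox behind the OAuth login stands
    in for the first factor, and the mailbox the backup phrase was sent to
    holds the second factor unless the user deleted that email.
    """
    got: dict[int, int] = {}
    c = normalize_email(compromised_email)
    if c == normalize_email(login_email):
        got[OAUTH] = shares[OAUTH]
    if c == normalize_email(backup_email) and not phrase_email_deleted:
        got[BACKUP] = shares[BACKUP]
    return got


def attacker_recovers_key(secret: int, login_email: str, backup_email: str,
                          compromised_email: str, phrase_email_deleted: bool = False) -> bool:
    """True iff one compromised mailbox yields enough shares to rebuild the key."""
    shares = split_2_of_3(secret)
    got = shares_in_mailbox(shares, login_email, backup_email, compromised_email, phrase_email_deleted)
    return len(got) >= 2 and reconstruct(got) == secret


def backup_email_warning(login_email: str, backup_email: str) -> str | None:
    """The check the reply recommends: refuse to reuse the login mailbox for the phrase."""
    if normalize_email(login_email) == normalize_email(backup_email):
        return ("backup phrase would be sent to the same mailbox used for the OAuth login; "
                "compromising that one mailbox yields two shares")
    return None


if __name__ == "__main__":
    key = 0x5EED  # constructed sample secret
    print("same mailbox, phrase kept:   ",
          attacker_recovers_key(key, "alice@gmail.com", "alice@gmail.com", "alice@gmail.com"))
    print("same mailbox, phrase deleted:",
          attacker_recovers_key(key, "alice@gmail.com", "alice@gmail.com", "alice@gmail.com", True))
    print("separate backup mailbox:     ",
          attacker_recovers_key(key, "alice@gmail.com", "alice-backup@proton.me", "alice@gmail.com"))
    print("policy check:", backup_email_warning("Alice@Gmail.com", "alice@gmail.com"))
```

The model deliberately ignores the device share: the question's point is that the attacker never needs it once the login mailbox and the backup mailbox are the same inbox. With a separate backup address (or the phrase email deleted) the attacker is left with one share, which reveals nothing about the key.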