
How Two-Factor Authentication Ensures zk-login Security

In zk-login, a user's account address is derived jointly from the login password and the two-factor authentication (2FA) factors bound to the account. 2FA is therefore central to the overall security model:

1. Account generation relies on multiple security factors

  • Account generation is protected by four factors: the third-party email login, the login password, verification through a bound security email, and Google Authenticator. Together they protect the user's assets.
  • During initial registration or setup, the user must create a password and bind at least one 2FA method (a security email or Google Authenticator).

2. Preventing risks from password or email leaks

Even if the login email is compromised, an attacker still cannot generate the address or log into the account, because:
  • The correct account password is still required; compromising the email alone does not allow login.
  • Resetting the password requires verification through the security email (which is independent of the login email) or Google Authenticator. The SALT is released only after that security-email or GA verification succeeds.
  • Without passing security-email or GA verification, the attacker cannot obtain the SALT, and therefore can neither generate the address nor recover the wallet.

3. Changing the password or 2FA requires passing the existing 2FA

Any critical security operation (changing the password or replacing a 2FA method) must first be validated through the currently bound 2FA method, which prevents unauthorized tampering.
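As an added illustration, the following Python models the Google Authenticator branch of sections 2 and 3. It is not zk-login's code, whose internals this page does not describe: a hypothetical `SaltVault` releases the SALT only after an RFC 6238 TOTP check and refuses to replace the bound authenticator unless the current one is presented, and a stand-in `derive_address` shows that the address cannot be produced without that SALT. The TOTP secret and timestamps are the RFC 4226/6238 test values; the class, function and field names are assumptions made for the example.

```python
"""Model of a 2FA-gated SALT release (hypothetical example, not zk-login's code).

The address formula below is a stand-in for whatever derivation the product
actually uses; the point is only that the address depends on the SALT.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default, as used by Google Authenticator)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew.

    hmac.compare_digest keeps each comparison constant-time; a plain == would
    let an attacker learn matching digit prefixes from response timing.
    """
    return any(
        hmac.compare_digest(totp(secret, unix_time + delta * STEP), code)
        for delta in range(-window, window + 1)
    )


def derive_address(login_email: str, password: str, salt: bytes) -> str:
    """Stand-in derivation (assumption, not zk-login's): the address is a function
    of the login identity, the password and the 2FA-gated SALT."""
    material = login_email.encode() + b"\x00" + password.encode() + b"\x00" + salt
    return "0x" + hashlib.sha256(material).hexdigest()[:40]


class SaltVault:
    """Hypothetical server-side store that hands out a user's SALT only after
    the bound Google Authenticator (TOTP) code verifies."""

    def __init__(self) -> None:
        self._users: dict = {}

    def register(self, login_email: str, totp_secret: bytes) -> bytes:
        """Bind a TOTP secret at setup and mint a random SALT for the account."""
        salt = secrets.token_bytes(16)
        self._users[login_email] = {"totp": totp_secret, "salt": salt}
        return salt

    def retrieve_salt(self, login_email: str, totp_code: str, now: int):
        """Section 2: no valid 2FA means no SALT, hence no address."""
        rec = self._users.get(login_email)
        if rec is None or not verify_totp(rec["totp"], totp_code, now):
            return None
        return rec["salt"]

    def replace_totp(self, login_email: str, current_code: str, new_secret: bytes, now: int) -> bool:
        """Section 3: replacing 2FA must first pass the currently bound 2FA."""
        rec = self._users.get(login_email)
        if rec is None or not verify_totp(rec["totp"], current_code, now):
            return False
        rec["totp"] = new_secret
        return True


# Constructed scenario: the RFC 4226/6238 test secret and a fixed clock, so the
# attacker's guessed code is deterministically wrong (codes at steps 0..2 are
# 755224, 287082, 359152).
TEST_SECRET = b"12345678901234567890"
NEW_SECRET = b"replacement-authentic"[:20]


def scenario(now: int = 59) -> dict:
    vault = SaltVault()
    email, password = "alice@example.com", "correct horse battery staple"
    salt = vault.register(email, TEST_SECRET)
    address = derive_address(email, password, salt)

    # Legitimate user holds the authenticator, so the SALT is released.
    user_salt = vault.retrieve_salt(email, totp(TEST_SECRET, now), now)
    # Attacker has the leaked email and password but only a guessed code.
    attacker_salt = vault.retrieve_salt(email, "000000", now)
    # Attacker tries to bind their own authenticator without the current one.
    attacker_swap = vault.replace_totp(email, "000000", NEW_SECRET, now)
    # The real user can rotate the authenticator by presenting the current code.
    legit_swap = vault.replace_totp(email, totp(TEST_SECRET, now), NEW_SECRET, now)

    return {
        "address": address,
        "user_gets_salt": user_salt == salt,
        "attacker_gets_salt": attacker_salt is not None,
        "attacker_can_swap_2fa": attacker_swap,
        "legit_swap_ok": legit_swap,
        "new_code_after_swap": vault.retrieve_salt(email, totp(NEW_SECRET, now), now) == salt,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The vault never stores the password and the address derivation never reaches the server, so a leaked email plus password yields neither the SALT nor the address; the only way to the SALT is through the bound authenticator, and the only way to change that authenticator is through itself.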

4. Backup recovery also requires passing 2FA

Even if an attacker obtains both the backup file and the backup password, the wallet still cannot be restored, because:
  • Final verification through the bound 2FA is always required.
Last modified: 2025-12-02