Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.
It failed to gain traction, and Mozilla eventually pulled the plug.
Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.
Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.
That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
> That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.
For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).
Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.
The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of WordPress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.
Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.
I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.
For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:
"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."
More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:
"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."
Didn't Apple try it 2 years ago? Log in with Apple...
I would never use these services unless it was completely open, free and privacy centric though.
Apple comes a bit of the way but they tend to make stuff work only on their own hardware, which won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.
I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.
Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.
Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
I'm not convinced it's that large a benefit.
For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency that can swing in value wildly, and it's super easy to set up with Stripe or any of the other platforms that the website is probably already using.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
With super high fees, transfers that take literal minutes to complete, no charge back and the ability to lose all the money you have if you ever get hacked. How exciting! Even bank transfer as a means of payment is way better UX.
Agreed. This comes down to lack of power to push a system onto its potential users, Mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the ux was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.
My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).
The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.
Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first site supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.
Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.
Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.
I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.
[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.
> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community
What’s in it for the user to sign up for persona? Nothing
What’s in it for the user to get a crypto wallet? Money
The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.
Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.
I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.
I had a go at writing oAuth from scratch, to understand it. I made a working solution.
But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.
Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.
I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.
Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislative tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.
Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.
It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.
"Ecosystem" in tech usually means vertical integration, which is not what it means in nature.
Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.
One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)
If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.
Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.
This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?
> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.
Do we really need this? Do we really want to permanently tie identity across websites like this? I find this initial "need"/justification/requirement questionable.
I have a login on HN that is totally unique to e.g. Twitter and Instagram and <shudder> LinkedIn. Same with work vs personal. This is deliberate. I do not want to have the same identity here as I do elsewhere. There are many hopefully obvious reasons for this - mostly privacy (both in terms of immediate "in the moment" privacy, but also temporal privacy in the sense that I might not want some potentially ill-advised comments I made on some website 15 years ago to come back and bite me), but also it offers protections against "cancel culture" and general cyber-stalking and doxxing etc as that would become a whole lot easier if you can just run some query on a blockchain and find every single website I've ever used and dredge up my comments/content/etc. Being able to do that sounds very dystopian to me - why don't we just tattoo a barcode on our necks and be done with it?
So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.
There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a github/gitlab/codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.
So if you are not going to go whole-hog and have one true identity for everything, why bother using anything apart from an email address?
The argument seems to be that consistency allows you to prove ownership and re-use all of your content etc across the web by tying everything back to one verified identity. If you are having different identities on different sites then that benefit disappears, and I fail to see how it is then any better than using email addresses? You end up with different wallet IDs each with their own island of content, just like you have with email addresses.
Sure you could choose to "move" content with one of your many identities by just logging in with the ID (presumably losing all of your existing content), but we have copy-paste for that already (and I am only half-joking saying that...)
It doesn't give you that ability though. The reason we use Google and Facebook OAuth is because Google and Facebook did their due diligence with the account. We would just accept any OAuth provider if we didn't care about that validation.
And again, with these web3 identities, centralized services would still be providing the authorization even if they did not provide the authentication. I don't see what web3 identities provide.
Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.
Mostly what I care about is logins and payments which are addressed by password managers and form filling for credit cards. I just want a friction free experience for setting up an account, logging back into it, and maybe purchasing something.
And ideally I'd like to self-host, maybe with a service that looked like a NAS appliance hanging off a guest network on my router with a forwarded port through the firewall and some method for tracking my IP address (dyndns or similarish).
And ideally payments happen by a handshake between the service I run, the processor and the merchant in a way that my actual credit card details are never used. And for recurring payments I have the ability to just switch them off. Bringing all the control back to me and not leaking out reusable PII everywhere.
Of course corporations would aggressively hate that since it would destroy their business models of recurring payments for services the user is no longer using and the requirement of calling up the business and having to convince some phone operator that you really want to cancel.
> Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.
Your comment just gave me a thought - just imagine the online advertisers using this for tracking purposes!
At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates? (or at the very least they are watching this situation develop with an incredibly close level of detail)
Who needs cookies if you have a 100% reliable & long-lived (potentially immortal?) ID that the user takes with them everywhere they go online (and is the same on every site they visit) and for every purchase they make (using that wallet) online and offline?
This would be advertising networks' absolute dream situation if it becomes widespread - users voluntarily creating their own unique tracking fingerprint and using it on all the sites they visit, as well as helpfully logging all of their purchases they make with that ID on a public ledger that anyone can mine the data from.
It really does not get much better for the online advertising industry than that.
If you want a cynical take on web3 and are looking for your next billion dollar startup idea, then web3 ad tracking & targeting might be your best bet :)
I agree that we don't need unique identities across everything, but even if that is a real problem it is also solved by public key cryptography without a requirement of a blockchain.
Sure but the blockchain env like Ethereum gives you that for free along with a few slick chrome extensions like Metamask and a JS library (web3.js) that make all of this super easy to build on.
You don't need to make any transactions or whatever, but you're inheriting all these tools for free.
Private keys are cheap to make. There's no reason you couldn't have a different one for every site. Of course, then it's on you to keep track of them, but it's already on you to keep track of the credentials you're using now. At least this way, the default of "use the same creds everywhere" is secure, if not more private.
This is already solved by existing crypto wallet tooling too, you can create an infinite number of keys all derived from a single root key (usually a 12-20 word phrase in modern wallets). A service with access to a single child public or even private key can't tie them to the sibling keys.
So what happens when you get phished with Web3? If the value of all crypto goes down 10% YoY why would you use it?
The author makes a bunch of silly assumptions:
> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.
No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.
The author advocates third parties like Metamask and using a Chrome extension, which is ridiculous. If you're going to trust that, why not trust Microsoft, or Amazon, or Google?
> With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services
Yes, because Google is not a service.
Ultimately the author makes up a problem and says blockchain is the solution.
Even if we suppose it's a solution there's no discussion around phishing, stolen identities, or any failure mode really. Of course there isn't though - in general recourse requires an authority. Blockchain has none.
> No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.
You're missing the point. Yes, we don't need oAuth to log into HN. But HN is a site that is over 15 years old, and reflects the technology of its time. Instead, look at the companies YC funds and ask yourself how many of them DON'T have oAuth/SSO of some kind. Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins. My 10-year old Reddit account doesn't even have an email associated with it; I doubt that's allowed now.
The old web made by hobbyists having fun and not trying to sell anything is long gone. Even sites like HN are disappearing, and everything IS being monetized, whether we like it or not.
Even if HN used oAuth - even if they required oAuth - ultimately oAuth as implemented on most sites is just a thin layer over email so you don't have to make another account.
The problem doesn't require blockchain as a solution. What would the website administrator gain from accepting a blockchain login? People would create accounts but you have no way of contacting them since you have no email. Clearly the kinds of sites you're describing wouldn't accept that.
OK so you associate an email with your blockchain login - so now it's the same as the status quo. What's the point?
> Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins.
And what, you think they'll be okay with anonymous users if those users log in with web3?
Actually, I wish all of the internet had the simplicity and no-bullshit approach to information consumption that HN offers. RSS, simple login, text based - it's ideal.
Identities on Microsoft, Amazon, and Google are not portable. They can permanently ban you and you lose access to every single service you used them to authenticate to.
What you’re saying is also true with web3. A bad actor’s key could be banned and a list of bad actors could be shared among sites resulting in the same thing.
In fact, if you believe in privacy at all you’d want to reject this idea for that alone.
I'm open to the idea that there are real problems that are best solved by PoW/PoS blockchains and smart contracts, so I was hoping this article would reveal one. It doesn't. As mentioned elsewhere, Persona was already a perfectly good technical solution to this, years ago. It failed for various reasons, none of which would be addressed by blockchains/smart contracts. Likewise, the problem of "conveniently and securely log in everywhere" is well solved by Webauthn.
Arguing that "web3" will help because it will improve UX is ludicrous. "web3" provides nothing directly to boost UX. "web3 hype means there's lots of money sloshing around which can be used to improve UX" is an admission of defeat; all the money being sucked into the crypto space could be better deployed to solve these problems directly.
If this is the best shot at "real problems web3 solves", then there really is nothing there :-(.
Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.
Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?
I haven't used a Web3 site. How is it more seamless than Webauthn's "go to the site and have it verify my identity without me doing anything (using my plugged-in Yubikey plus the browser-stored user credentials)"?
Persona failed for various reasons. Big companies didn't want to offer Persona logins because they wanted to control the user relationship, especially the barrier to getting an account, and were unwilling to delegate that to arbitrary third parties. There was also a chicken-and-egg problem: not many sites accepted Persona logins, so not many people bothered to sign up to Persona, so not many sites bothered to accept Persona logins. This latter problem could have perhaps been solved if Mozilla had worked harder to integrate Persona into Firefox, but mistakes were made.
For Webauthn, AFAIK it's mainly an implementation issue on the server side. Maybe not enough people have the required secure tokens, on some platforms.
Obviously, blockchains and smart contracts don't help with any of the above issues.
Have you actually used a web2 website with a Mac?
For every website I can just press TouchID once, it will auto complete my credentials and click the login button for me. I can't see how web3 could possibly be faster.
Plus I can still access that website on any device e.g. public or work computer without needing to worry if I can install a Chrome plugin.
Lots of people use and used X, for various X. Various auth only companies exist, like Okta. They don't care for your "data", they are just trying to log you in. Same for Ping, Oracle Identity (or whatever they are called these days), Amazon etc. Then there are services where you use a physical card for auth (many federal government jobs require people to auth using a card which basically just holds keys). There are many auth services with waaaaay more users than any web3 wallet.
The statement that web3 doesn't solve anything which hasn't already been solved wrt authentication... is about as close to a true statement as one can make.
> Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?
I find it funny that you do not detect the irony in what you just said.
> Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.
So much of the web3 discourse involves the same two tropes:
1) "If you ignore the hard parts and only focus on the easy parts, then it looks much easier"
2) Ignoring the fact that regular old solutions are actually even more streamlined. It's not like web3 invented the concept of storing credentials and auto-filling forms. These are basic features used by hundreds of millions of end-users on a daily basis. It takes mountains of effort to get web3 just to almost reach UX parity with what we already have.
The only way web3 can feel like a better UX is if you haven't bothered to try any recent UX advancements in regular, non-web3 technologies.
> Why is nobody using Persona or Webauthn despite being "superior"?
Because the use case itself is flawed and niche? I don't really want my entire digital life and spending history linked and especially not on a public ledger.
He isn't describing the true state of the world. Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either.
The world is still old school.
Grandpa dies and I go find the paper will.
I get an affidavit from a lawyer and a death certificate with a seal from the state.
I go into the bank with a bunch of papers and they figure out what to do.
There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.
This is 20 or 30 years off. Maybe 10 or 15 in China.
It's forever off because it's the wrong solution to a problem that no one is invested in even fully identifying let alone working at.
My hot-take parallel argument is that full self driving is a smart road problem with 'dumber' cars and not a dumb road and smart cars problem. But there's no scope to VC or profit your way into smart road infrastructure so we do it the wrong way round and hope we can throw resources at it till it's fixed.
You are correct. I would be plenty happy with 80% self-driving and lots of safety features, but the VCs want the robot trucks and taxis for their trillion dollar win. No way full self-driving can do the last mile or work in all conditions. For example, human eyes have pretty decent dynamic range in dark, snowy conditions. We basically make intuitive decisions about which patch of white stuff in the dark of night is the best one to smash through to get our driveways, and I don't think the computer vision is yet discerning enough to facilitate that.
This is kind of funny to read, since in Norway basically every interaction with the government (paying taxes, filing for divorce, accessing our health records etc.) is done through an oauth2 system, the same one we use to log in to our bank accounts/get loans through. Most people haven't interacted with the government via paper in years.
Some very few non-digital government services remain, unfortunately, and it seems like the storage of wills is one of them. Asset transfer is still going to remain a manual process though, even when digital wills are here, thankfully.
America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website. For example, there are plenty of elections across the country whose official results can't be accessed online at all. You have to call in, go in person, or request mail/fax. There's basically a minimum of 50 different systems for even the most basic of government services (such as renewing a driver's license). And then you need to multiply that by all the different agencies and services. The federal government couldn't force one system for everything (there are certain things that are constitutionally up to the states), so it would be basically dead in the water since the problem is getting all 50 states (each with their own internal politics) to agree to implement the same system.
Not a problem web3 can solve either. Social Security Numbers aren't secure, but we keep using them everywhere because the political will to implement a better solution doesn't exist.
> Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either. The world is still old school.
I work for a bank and it has nothing to do with being old school. We use exactly the same technologies as any modern startup would e.g. Serverless, Kubernetes, Cloud etc and deploy into Production with blue/green releases every week.
It's just that the user experience of our entire customer base comes first. And whilst everyone "gets" usernames, passwords, PINs, TouchID, FaceID etc they really don't understand OAuth and other federated identity approaches. Like what Google or Amazon has to do with my finances and why I have to visit their site to reset my password.
People thinking that Web3 is going to solve this problem really don't understand that it isn't a problem that needs solving.
I'm reading this with an open mind, but I have questions:
> Problem #1: Owning Your Own Digital Identity & Fixing Authentication
My very technical friends who are security minded are on keybase.io. Multiple usernames and passwords across the internet is solved in various ways without blockchain. There are a lot of good password managers (I use an encrypted text file.) I don't feel Google owns my identity because I use their authentication system, so unless I'm missing something, I don't see a problem.
> enables advanced features like social recovery, which lets you recover your account if you lose your key via a smart contract that takes votes from guardians (friends or paid services).
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked.
Alone the audacity to think a single point of failure without any chance of recovery is a good idea for persona management in the real world is insane.
This is one of those things that has been an absolutely terrible thing for Apple over the years. People would forget their passwords on their phones or their iCloud account and lose access to everything. And there was nothing Apple could do to help them. So the poor people at the Apple Store just had to tell someone that the last pictures of their dead mom are gone forever.
Apple finally implemented a solution in iOS 15 (15.1?). You can designate people you trust to be able to help recover your account. Like your spouse or a sibling. If they don’t have full access, they can just help recover it.
You are 100% right. A single point of failure without any chance of recovery is a complete disaster for normal users.
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
Facebook already has this functionality and it's an absolutely massive pain if you're somehow not on their happy path. With no real way to figure out what the issue is and get it fixed or on the happy path.
Social recovery wallets usually use an m of n system where you don't need all keys to recover your wallet but a subset. For example, 9 total keys and any 5 needed to recover your wallet.
Let's say you give a key to a business and that business gets hacked. That's fine because a single key can't steal your wallet and you have 8 keys left. You can even invalidate the keys and generate 9 new ones.
> This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked
You could give keys to two businesses / people and require them both to agree before they can "unlock" the account. You could also add a timelock, so you have time to respond if they get hacked or collude against you.
These aren't really new ideas and exist in existing, non-crypto social recovery schemes.
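The m-of-n rule and the timelock described in the two comments above, as an added Python model that is not code from the thread or from any wallet. The `Account` class, its method names and the key strings are hypothetical, and every caller is assumed to have already proven control of the key it names (signature checking is out of scope).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class RecoveryError(Exception):
    """Raised when a recovery step violates the policy."""


@dataclass
class Proposal:
    approvals: Set[str] = field(default_factory=set)
    ready_at: Optional[float] = None  # set once the threshold is met


@dataclass
class Account:
    owner_key: str
    guardians: Set[str]
    threshold: int  # m: votes needed out of len(guardians)
    delay: float    # timelock in seconds between the m-th vote and takeover
    proposals: Dict[str, Proposal] = field(default_factory=dict)

    def __post_init__(self):
        self._check_policy(self.guardians, self.threshold)

    @staticmethod
    def _check_policy(guardians, threshold):
        if not 1 <= threshold <= len(guardians):
            raise RecoveryError("threshold must be in 1..len(guardians)")

    def approve(self, guardian: str, new_key: str, now: float) -> int:
        """Record one guardian's vote for new_key and return the vote count."""
        if guardian not in self.guardians:
            raise RecoveryError("caller is not a guardian")
        prop = self.proposals.setdefault(new_key, Proposal())
        prop.approvals.add(guardian)  # a set, so repeat votes do not stack
        if prop.ready_at is None and len(prop.approvals) >= self.threshold:
            prop.ready_at = now + self.delay  # timelock starts at the m-th vote
        return len(prop.approvals)

    def cancel(self, caller_key: str, new_key: str) -> None:
        """The current owner key can veto a proposal before it is finalized."""
        if caller_key != self.owner_key:
            raise RecoveryError("only the current owner key can cancel")
        self.proposals.pop(new_key, None)

    def finalize(self, new_key: str, now: float) -> None:
        prop = self.proposals.get(new_key)
        if prop is None or prop.ready_at is None:
            raise RecoveryError("threshold not reached")
        if now < prop.ready_at:
            raise RecoveryError("timelock still running")
        self.owner_key = new_key
        self.proposals.clear()  # stale votes for other keys are dropped

    def rotate_guardians(self, caller_key: str, guardians, threshold: int) -> None:
        """Replace the guardian set; this needs the current owner key."""
        if caller_key != self.owner_key:
            raise RecoveryError("only the current owner key can rotate guardians")
        self._check_policy(guardians, threshold)
        self.guardians, self.threshold = set(guardians), threshold
        self.proposals.clear()  # old guardians' votes no longer count


def demo():
    """Constructed scenario: 9 guardians, any 5 recover, 3-day timelock."""
    day = 86400.0
    acct = Account("owner-key-old", {f"g{i}" for i in range(1, 10)},
                   threshold=5, delay=3 * day)
    outcome = {}

    # One compromised guardian alone cannot move the account.
    acct.approve("g1", "attacker-key", now=0.0)
    try:
        acct.finalize("attacker-key", now=10 * day)
    except RecoveryError as exc:
        outcome["single_guardian"] = str(exc)

    # Five colluding guardians reach the threshold, but the owner still
    # holds the key and vetoes during the timelock.
    for g in ("g2", "g3", "g4", "g5"):
        acct.approve(g, "attacker-key", now=day)
    acct.cancel("owner-key-old", "attacker-key")
    outcome["after_veto"] = acct.owner_key

    # Genuine recovery: the owner lost the key, five guardians vote on day 5.
    for g in ("g5", "g6", "g7", "g8", "g9"):
        acct.approve(g, "owner-key-new", now=5 * day)
    try:
        acct.finalize("owner-key-new", now=6 * day)  # inside the timelock
    except RecoveryError as exc:
        outcome["early_finalize"] = str(exc)
    acct.finalize("owner-key-new", now=8 * day)      # timelock has elapsed
    outcome["final_owner"] = acct.owner_key
    return outcome


if __name__ == "__main__":
    print(demo())
```

In this model `rotate_guardians` requires the current owner key, so an owner who has lost that key cannot drop a guardian and must win a recovery vote first.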
It's not Web 3.0, that was the semantic web, which also aimed in some sense to be decentralized data but wasn't about turning the internet itself into a vehicle for ridiculous investment ponzi-schemes. The "new" one is Web3.
This is what bugs me most about this whole web3 situation, if people want to dump their money into these ponzi-scheme pump and dump bs be my guest, but then naming it web3 isn't very nice.
To then attach all kinds of good qualities to it that are not shown, nor proven, and often demonstrably incorrect just finishes it off.
As you say, a lot of the bigger ideas claimed to be part of this "new" web3 thing aren't new, and are interesting ideas that should be further explored, it would be much better without the ponzi sauce.
Agreed - the UX mock up there looks awful. If you go look at coinmarketcap.com there are already hundreds of coins out there. Are users going to have to find their wallet from hundreds/thousands on the lists? Or are maybe not all sites going to support every wallet, so therefore you're going to need to have multiple wallets to support multiple sites ... suddenly that "consistent identity" fails as you are actually juggling 20-30+ wallets for logging into different sites.
.... or it ends up that everyone just logs in using an ethereum wallet and you're back to centralisation.
The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
That "Web 3.0 login" portion of the slide only makes that problem worse. Decentralization and a variety of choices absolutely fall apart when they meet non-tech users who have no idea what icon means what.
>The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
I already have this problem with Matrix/Element all the time. Not only do I forget my username and/or password on networks I've been logged into for months, I also forget homeserver addresses and all these other settings I had to set up at some point. Every time I get logged out of something, it takes a day or two to figure out how to get back in.
I had the same thought. Imagine listing all blockchains in tiny icons you scroll sideways. I suppose that can be done a lot better, but still, who decides which blockchains are included and which are not?
Precisely. Or what if you're some random grandma that has a wallet (since we're living in a make believe world where this is easy to create). Imagine you've forgotten which blockchain your wallet is on. Will there be a search box to find my wallet in this mess of combinatorics that is a login page?
Because that’s insane. Normal users couldn’t deal with that. Highly technical users can’t deal with that. It’s too much of a pain in the ass.
The solution is that there should only be one or two chains that everyone uses. Then there’s only one or two little icons you need.
The people who run the trains could make sure they keep running by having tens of thousands of computers. Of course that cost money. Luckily they get money out of the block chain because they can spend coins.
Of course users don’t really like buying things. Maybe it wouldn’t be too hard to put an ad or two in there to pay for things.
The easiest thing to get users on board is to use brands they trust. No normal person is going to trust everything they have to the Kakarot blockchain with an anime superhero for a logo.
Do you know who people trust? Facebook and Google. If they were to…
Oops. I invented today. Only with much more energy use.
As other comments have pointed out, there are other technical solutions to decentralized identity. The blockchain doesn't solve this problem any better than private keys or Persona or whatever. The article acknowledges this. The problem with existing solutions is not the technical problem, it's the social problem: making the new solution easy to use, fixing bugs and covering edge cases, and getting it deployed widely. The author claims that the social problem is what Web3 solves; that Web3 is the social solution counterpart to the blockchain technical solution.
Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised on one end of true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints is only mad because they didn't get in when the cryptocoin was cheap, and on the other end of grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.
This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scumminess of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].
Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.
[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.
[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?
[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.
Most web2 apps support a smaller number of SSO providers.
Technically "independent" SSO providers and similar existed, but none made it mainstream because there was no reason for apps to support them, but there was a cost to support them.
There is even less reason IMHO for most apps to support Web3 login (more complexity).
Furthermore, even if they do, the web3 login would probably still list Google etc., as the web2 login still lists email.
It's questionable that more than one maybe two blockchains will be supported.
It's likely that often only a small number of wallets will be supported, it's also likely that "bigtech" companies like Google will provide web3 logins if it becomes successful.
So, it might happen. But I don't see it tbh.
There is just no reason to go the extra length to support web3 login for most Apps/Companies.
EDIT:
Also, trust of the general public in anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams and money grabbing schemes, which can hurt adoption of web3 login.
> It's questionable that more than one maybe two blockchains will be supported
You don't really need a blockchain unless you need to keep data on a blockchain. To log in and identify a user you can simply sign a message. I consider the address as the user "identity". Any blockchain data related to that address is meant to be public (some people register <some-name>.eth on the ENS for example).
My big question with using a Web3 login is what advantages it gives the website owner.
With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.
With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need to ask them for that anyway. I guess you can tie that into your wallet somehow?
But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?
But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.
People already use ENS to register a <some-name>.eth name to the respective ethereum address. It's also easy to write a smart contract that keeps meta-info on an address. This data would be public.
> Why does currency and money need to get involved?
It doesn't. You only need a blockchain to keep public data. You can sign a message and log in with that, no need to send a transaction, can be done with balance 0.
But I thought the whole point was "owning your identity"... and now you're suggesting that we should put our personal data on a blockchain so everybody can see it?
I have a hunch that many services will probably want to collect the emails anyway. It provides websites a convenient excuse to ask people to join their marketing spam list. In most cases privacy isn't a profitable business proposition.
Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.
Having a key copied without your knowledge would be a major disaster, however.
Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.
It's not about using a ledger to hold public keys. The keys exist regardless of the ledger. The idea is to use the ledger to indisputably prove ownership or control over resources. Could be money, could be access to certain services, could be files, anything.
A lot of these "this is not very different from X, you could do Y" replies remind me of the original Dropbox news.yc thread.
What everyone seems to be missing is that the web3 apps and UI conventions already have broad adoption among millions of only mildly techy users. They don't know what SSH is but they do know how to sign things with their in-browser wallet app. Of course, they also seem to not always know that giving away your private keys is quite bad...
But any "solution" that requires e.g. using the terminal is not really competing in the same space.
Do they really? Or did they follow some guide somewhere hoping to cash in on a gold rush?
If a huge number of people were using cryptocurrency to pay for things every day, I would agree with you. But I think a huge number of people just make one purchase and then sit. What percent of them could actually make a purchase without having to go look up how to do it?
All of these decentralization arguments make me think of early git:
>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...
Not just Git. Email. Money (used to be issued by individual banks). Internet infrastructure. The web. Everything goes centralized.... because... it's easier. And humans seem to show over and over again, easier wins.
Is that a bad thing? Web3 is ultimately about building hierarchies (DAO). I would like to see a diversity of new digital hierarchies, new federated systems with unique properties. Not just a purely decentralized system. Decentralized vs. Centralized is a false dichotomy IMO.
The real issue for me is that I would rather have Apple sitting between me and To Ty's app than a public blockchain with no owners. There are just too many edge cases and circumstances where I would rather have a trillion dollar company defending me, a paying customer, against To Ty if the app turns on me or doesn't meet my expectations.
me < To Ty's app + whatever they can get away with.
Nothing in this article requires or benefits from a blockchain. Social recovery of your account is a feature on Facebook and has been for years... There's nothing novel or particularly interesting here.
The only thing blockchain would add is a gas fee whenever I would log in somewhere, and would keep the same UX problems I'd have with login anywhere else.
Keep in mind the most successful project EVER in managing identity was Let's Encrypt. A centralized non-profit that got the internet to use HTTPS everywhere by signing SSL certificates and vouching for everyone's server for free, and as far as I can tell without collecting any personal data about anyone. Web3 is going to solve "this" (whatever this is)... Riiight.
Article: web3 solves decentralized auth, and you are now in control!
Also article: to use it, you need to trust a centralized entity like Metamask that develops your Chrome extension and some unknown programmers that code some "smart contracts" aka unverifiable code in esoteric programming languages.
I'm glad someone took the time to write this. I think it's quite interesting that the prime example picked here is a UI issue. The author freely admits that the "web3" solution is basically just private keys with better UI. I'm not all that up to date on web3 stuff, but... it's not UI.
The quote from Vitalik is great though - the goal of crypto is to let people make all the same mistakes and find out single central authorities actually have been established for a reason.
I do think a lot of these things go round the circle then end up on the same solutions we had before.
Coinbase is a nice example; turns out it's quite nice if some sort of company protects your money, makes sure you don't lose access to it, provides you with insurance in case something goes wrong, and lets you easily send, trade, and convert money. Such a revolutionary idea, right?
Federated/Decentralised identity/authentication is a solved problem.
For example, this is essentially OpenID.
Unfortunately this entire concept failed to gain traction.
Ok that’s one try. And there were… literally zero reasons in the article for actually using blockchains or cryptocurrency.
I believe this guy is being intellectually honest (which is a feeling I don’t get often in this space) but I don’t think he’s capable of asking the right questions.
The question that should be asked is what is a problem we (humans) have that is not only solved by this new tech, but can’t in any way even by bending over backwards be solved with some other technology?
The proposal is strictly inferior to SQRL[1] plus emailing your friends shares of your secret[2]. You get private keys, no third parties at all, social recovery, but with no Blockchain costs. Bonus point: you automatically get a pseudonym for each app.
The point about financial incentives aligning more easily in web3 is good, but I understood that even the poster child Metamask is not complete as it's missing good social recovery UX.
You are missing the point. The article is about login methods. Username/password vs message signed with a private key. The blockchain part is there because it is the only ready-to-use way to do it in a browser.
It's absurd how HN users in general are so dismissive of anything cryptocurrency.
My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done.
> It's absurd how HN users in general are so dismissive of anything cryptocurrency.
It's quite reasonable actually, given the prevalence of not just hype, but frequently delusional / just plain rambling and incoherent hype surrounding it -- not to mention blatant fraud and manipulation aimed specifically at unsophisticated users.
And the skeeviness of many people involved in it.
That said, the OP presents one of the more thoughtful proposals I've read recently, and may belong to the 5 percent or so of blockchain applications that just might have a useful application. With emphasis on "just might".
Blockchain isn't the only "ready to use" way to use cryptographic signatures for authentication. One reason people often are dismissive is because people who are pro crypto say things which aren't true, like this.
Various authentication schemes have used digital signatures...on the web... for decades at this point.
>The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
>You can also do this to require approval from your friends before a certain amount of money moves out of your account, making theft significantly harder.
Okay, what if your relationship with those people changes? If you've lost your key or it's destroyed (maybe as a result of those relationships changing before you've had a chance to do anything), presumably you can't remove the trust relationship with your former friends. You then can't withdraw unless your new enemies say so, and you can't change that trust relationship.
Plus what are the rules around removing the withdrawal limit? If I can just remove it at any time, how's that going to prevent theft, as I can just remove the limit before the theft?
This is now yet another security consideration for regular users. In addition to ensuring your key is backed up, you have to think about contingencies for if/when these trust relationships change.
But flip this feature on its head and give your bank this trust, and at least you have the same resiliency as your current bank account. Ironically, you likely want to trust a large entity with vast resources (presumably too big to fail) instead of friends and family if you're looking to be secure against loss of your private key.
Unless you're running your own servers, you don't own nothing ... you're still going to be tied to a 3rd party that does that for you. This is what the web3 crowd don't want to understand; they will keep telling you: big tech ruined the internet bla bla bla, switch to us because we are decentralized and you own your own data, ok ... but if anyone wants to use it or access it they need to go through us.
Same as Argent.
Elect 4 trusted people, if they all ok it’s really you, the custodian (a company that stores your private keys, like LastPass), releases it to you.
I sincerely don't follow the logic on how Web3 "solves" the problem posited in the "But what if someone loses their private key?" section:
"Some of you might already be familiar with multisig, which is a similar concept... The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
...
With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services. If you ever lose access to your private key, there is a smart contract encoded on the blockchain that says that if some number of your guardians all agree (you pick the number) then you can move your account to a new private key."
I didn't see anything about Google being a requirement for multisig, so I'll skip the author's aside and ask, "How are these two things different?" Multisig lets friends "vouch" for us to move our account to a new key and social recovery lets friends "agree" to let us move our account to a new key.
These sound exactly the same to me?
The original writeup says something about "multisig moves the burden down to the user to issue keys" etc., but setting up smart contracts would still require someone to do some kind of setup work. Those contracts aren't just going to magically appear out of nothing; at the very least you'll have to select your friends, get their agreement, and a contract would have to be issued and signed.
I dunno, I still fail to "get it" (this is not an invitation to try and help me "get it", as helping people "get it" is kind of the point of the original blog post)
WebAuthn is exactly what I thought of too... and hardly anyone is supporting it. In fact the only place I've seen it was Best Buy's website, oddly enough! Having yet another way to do this sort of authentication isn't going to magically make people start using it.
>> The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.
I would argue that the biggest successes of crypto are selling GPUs and facilitating malware ransom payments.
GPUs have sold like crazy and you are lucky to get a high end one with the current demand. Everybody and their pets are running mining rigs. Good luck getting a nice GPU for machine learning or graphics rendering.
Previously malware authors had to rely on gift cards or similar means to get paid. Now they have variety of cryptocurrencies to choose from and they can even trade cryptocurrencies to launder the paid ransom funds.
It can. It just happens that the easiest way to achieve this is using web3, even if there are no blockchains involved. The article is about login methods, not cryptos or web3.
I like the starting focus on identity. Imagine if emails to you were authenticated by a token that you authorized by logging in, and could revoke at any time. In a Web2 world, features like this get created by Google, Apple or whomever inventing a permissions system that works on their platform -- and serves their product goals. In a Web3 world where you issue identity tokens, you can revoke them arbitrarily, so if your identity is shared you can trace and revoke at the root. Services move from worrying about how to game Apple's privacy model to how to avoid a ban that remains strictly in your control.
...and in a Web 1 beta II world this was already done by PGP in 1991. Granted, it never achieved mainstream adoption because it's somewhat cumbersome and solves a problem people do not actually experience. Sort-of like everything blockchain, one might say.
I like the "social wallet" idea, though no blockchain is needed for that. But there's a real danger that if enough of your friends get compromised, you can get compromised as well, and that can snowball. And most people would not be secure enough. So you'd want to have someone more secure as part of your "social set" - a large organization that actually does serious security. But then you're again depending on some large organization. You could require at least one of several large organizations, but that in turn reduces security.
What’s even the difference between «owning your digital identity» with email/password vs any other authentication method? Why does it even matter [0]? You don’t own any data connected to that digital identity [1]. I might be a bit on a radical side here, but to me it’s either you own everything or you own nothing. There’s no in-between.
[0] Except for OAuth since OAuth provider could ban you at any time.
[1] Until it's encrypted with your own public key and isn't stored anywhere in plaintext. Which can't be 100% guaranteed with any proprietary 3rd party service.
This definitely has me thinking more about the extent to which the strength of a particular identity representation is determined by our willingness to bind artifacts of value to it.
... why would I want to share my wallet to something I trust less than a strange dog? Or part of my identity? No thanks.
One of the great things about usernames/passwords is it didn't demand that vulnerability - you could come up with whatever and it was your responsibility to keep up with your shit. Systems that mimic real world systems on average feel less prone to this silliness.
Email/password is terrible UX for the vast majority of users. It's forgettable, it's not secure, and it exists only because it has existed since the dawn of computers.
This is probably the first blockchain use case that I've found compelling, outside of using its obvious use as a speculative asset of course. I hope the author elaborates more on this in the next part because there are still lingering questions - like how much would CRUD operations on your digital identity cost? After all, most blockchain technologies have associated "gas" or other transaction fees.
I still don't see how this is solving any problems. What if I just want to consume the content on the open web as is without logging in? It's one of the reasons why I have to use archiving sites to read the news because half the time NYT or WaPo whine about me not being logged in (as if being able to spam me with ads wasn't enough). I think all the noise about fixing identity and the like is just another way to force end users to give up privacy so content creators can just data mine more and sell it all off to ad companies. Like even to pay for something via crypto currency doesn't need much of a fixed identity other than a wallet address to send/receive coins from/to. Outside of that, why do they need to know I am X person rather than just X wallet/address?
Are there any security risks with signing onto a site with Metamask? Is there any way for them to drain your wallet without prompting you?
If not, then it seems to be a superior method and experience. You don't have to deal with usernames/email/password, and it offers more functionality with currency.
When you sign in with web3 you are signing a message with your private key, and the website is verifying that it was in fact you that signed the message by checking the message's signature with your public key.
The only way anyone can gain control of your wallet is if you give them your private key (or the seed to the privk) or if your PC is compromised (but you have bigger issues then).
The major issue with the article is that the source of the described problems is business agenda and not technology. Everybody can run an OAuth2 authority, but of course only tech giants have the marketing to lure everybody into their nest.
All these “web 2” companies are going to create their own “web 3” services that will only work on their own product, and we have overly complicated solutions to an issue which didn’t really need solving.
Can’t wait for my reddit or meta tokens which have a zero value.
My question with any blockchain application is always what does it solve that a centralized trusted database doesn't solve faster and with less waste? You can implement social recovery in a centralized database with less waste.
I suppose blockchain can be a mechanism for the reification of pure information. So turning something that only has a value, into something that has a unique identity that can be 'pointed to'.
In the real world I might have a physical key (or some other interesting object) - there is exactly one of it and it exists in exactly one place (though of course I can create copies - but they are new objects).
In the virtual world this is a bit harder to construct and enforce - information is entirely ephemeral, and has no concrete existence or place. Maybe blockchain can provide that (in the context of the chain only of course).
I don't see any advantage in the proposed system over oauth-based solutions. Currently, you trust one of some set of big companies to verify your identity, but these big companies might misbehave. The web3 solutions mean that you trust that some blockchain-based approach will be programmed correctly and not have bugs that render it useless; requiring N different people to recover an account will impose unacceptable delays in emergencies.
Better to give one or more nonprofits the job, have them manage identities and do nothing else. No energy-sucking blockchain needed.
I believe the key issue of debate is that people ignored the context: "Many people, including myself, believe that the individual should be able to own their own identity."
The cryptocurrency and decentralization are possible because some people believe and live on those ideas. For those who don't care, bitcoin is $0 or worse: a Ponzi scheme. For those who believe in it, the goal is to own one's id, data and money, and collaborate without a big company or a central government.
I'm curious. The main thing he's pitching seems to be logging in with Metamask or similar with I guess the 'username' equivalent being a public key and you verify it with a private key. This tech has been around a while, since 2017 at least. I still have Metamask and keys in my browser from speculating on tokens back in the day.
Do any mainstream sites let you log in that way? Any plans for Metamask login on HN?
So now I have to manage not only my own key, but the keys of any of my friends who want me to vouch for them every time they lose their phone? No thank you.
The contract would likely be constructed to use any address (public key) you prefer, so it could be the public address of your favorite private key. Or not. The choice is yours.
Digital signatures have already solved the identity problem for anybody too paranoid to trust Google and OAuth. It doesn't require a blockchain either.
I’m open to web3 being a new and exciting phase of the Internet. I’m just wondering when it will come to me. You’d think if it were such a huge revolution it would start appearing organically in my every day web experience, but I don’t own any crypto, and to the best of my knowledge I have not yet organically stumbled into a new experience built on web3 innovations.
A question that isn't really delved into here, given a social recovery scheme, this iiuc must run on chain, so there are gas fees associated with account recovery. What's the cost to recover an account if I lose it today? Is there any way to reduce that cost, or will there always be some (potentially hundreds-of-dollars) fee associated with account recovery?
> One common refrain is that “blockchain is a solution in search of a problem.”
After reading this article it seems that the most useful thing someone has thought to use the blockchain for is [checks notes] a form of social media popularity contest to recover the key to your blockchain wallet.
There is a group of users here on HN that REALLY like cryptocurrencies and blockchains and such. Web3 seems to be the latest on that hype-train.
There is a different group here on HN that REALLY hates it all. It was interesting technologically but then it started producing more CO2 and using more energy than reasonably sized countries. It also seems to be the method du jour for scammers to take money from people. It’s almost single-handedly enabled the ransomware industry.
And people like to shit on the current hot thing, deservedly or not.
A lot of HN users were aware of bitcoin when it was worth pennies. Seeing it sitting at 50,000 dollars after trashing it created bitterness and cognitive dissonance.
I visit other sites where I can honestly say their users are honestly ignorant, given their lack of technical understanding. But here? This is sad to watch. If crypto/blockchain/web3 continues the current trajectory (or bitcoin goes to 100K), it will be worse, because the proud/bitter HN user will never admit to themselves that others can "get it" even though "I didn't get it".
That’s not totally wrong but I’d put it differently. This site is home to a lot of people who work hard to try to do something useful. It inspires resentment to see people get rich by just holding a token. Makes you feel like a fool for trying to do useful work.
I think the almost religious zeal makes it much worse. People win the lottery but they don’t claim to be geniuses or representatives of a shining new utopia for it. They just say they won the lottery.
Are there security/UX risks with users getting used to using their wallet for auth ? It's difficult to know a safe vs. potentially unsafe site when it comes to crypto. Reading the docs, it appears to be relatively limited permissions, but either by giving more permissions than desired or phishing? Or can they combine the authentication with additional information to become a more effective spearphishing target?
If my email account is phished or hacked, it's bad, but there's a level between my cash and my email account. If I make a mistake here, potential losses are higher. In which case I'd probably have a 2nd wallet for auth and another I actually use, which then becomes more of a pain. I don't trust my parents or less technical relatives to use this flow safely.
This article doesn't add up the points to anything that solves for the given problem. Owning identity isn't solved by saying "don't trust ${third party}! Come trust ${my preferred third party}, it's better!" Any blockchain is still a third party that all parties involved with need to place trust in. It isn't somehow more or less trustworthy just because it exists.
> Many people, including myself, believe that the individual should be able to own their own identity.
Yes, this is nice wishful thinking, but on a global scale it's not really possible or feasible.
> OAuth2 should be used for what it was intended to, which is for a web service to provide another web service with a user’s data given that user’s consent. It should not be used as a global digital identifier because that’s too important to be owned by anyone but the individual themselves.
So, instead of OAuth being in the hands of FAANG[1] it's in the hands of ${blockchain-of-the-year}? How does moving the trust from a centralized company to a centralized blockchain change MY ownership? If I move everything away from FAANG to someone's blockchain, I have no assurance that chain will continue existing. If there's a flaw found in it and everyone moves to another chain, now what? Sure, we can make the same claim about FAANG not continuing to exist, but the point is there's no inherent advantage here, they're equal. FAANG are supported by millions of individuals and companies that are all, together invested in their success. There's no unilateral agreement on blockchains and I doubt there ever will be.
>With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services.
Again with the trust this and not that. All of my friends, family and other services need to then agree that they're all going to trust ${chain} instead of FAANG. It doesn't fix the problem. "The blockchain" isn't just one thing. Whose chain do we all shift trust to and from and based on what security? At least with Google I can rely on their security because if they end up with a breach of trust it's going to have a massive, real impact on share prices and consumer trust around the globe. That's incentive enough for me to rely on it day-to-day.
This article has some interesting tidbits but overall seems like just a baseless rally against FAANG by someone who knows very little about complex authentication or trust and security in the real world.
A properly decentralized blockchain isn't a third party in the traditional sense, a human or organization that is bound to follow its agreements until it doesn't feel like it anymore. It's an algorithm incarnated.
That said, its initial and continued existence is dependent on economics. Who will market a service that they don't stand to profit from? Who will drive large organizations to invest in infrastructure that doesn't improve their profits? Either no one will, or it will be adulterated in the process. Sadly the community spirit that drove a lot of early internet development seems to be lost.
tldr; this article describes one problem that a blockchain solves better than existing non-blockchain solutions (identity).
My issue with the article is that it uses a lot of words to try to explain why web3 and blockchain may be the future. But for what point? If an important technology comes around which happens to use web3 or blockchain, I’ll see it’s important from its description and I’ll adopt it. I don’t need to support “web3” as a concept, because web3 basically means nothing. And I don’t think that web3 or blockchain is intrinsically bad, I just haven’t seen anything particularly useful with those technologies yet.
Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.
It failed to gain traction, and Mozilla eventually pulled the plug.
Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.
Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.
That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
> That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.
For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).
Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.
The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of Wordpress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.
Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.
I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.
> I also wonder why nobody has tried it since.
For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:
"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."
More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:
"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."
[0] https://www.w3.org/TR/credential-management-1/#teh-futur
[1] https://wicg.github.io/FedCM/
Didn't Apple try it 2 years ago? Log in with Apple...
I would never use these services unless it was completely open, free and privacy centric though.
Apple comes a bit of the way but they tend to make stuff work only on their own hardware, which won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.
I think that unless you worked at FAANG it wouldn't have made much of a difference for Personas
Google / FB login still would have probably won
I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.
Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.
Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
I'm not convinced it's that large a benefit.
For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency that can swing in value wildly, and it's super easy to set up with stripe or any of the other platforms that the website is probably already using.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
With super high fees, transfers that take literal minutes to complete, no chargeback and the ability to lose all the money you have if you ever get hacked. How exciting! Even bank transfer as a means of payment is way better UX.
> built-in, straightforward payment rails.
Yeah. Crappy ones with high latency and high fees.
Agreed. This comes down to lack of power to push a system onto its potential users; Mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the UX was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.
My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).
The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.
Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first sites supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.
Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.
Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.
I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.
[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.
> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community
What’s in it for the user to sign up for persona? Nothing
What’s in it for the user to get a crypto wallet? Money
There’s your answer.
The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.
Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.
I don't know. Brave promised me money, and I still haven't gotten anything of significant value from that.
Despite these advantages, MySpace failed. I don't see how facebook, with so many disadvantages compared to MySpace, could possibly succeed.
fwiw I agree, but first to market is often first to fail.
I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.
I had a go at writing oAuth from scratch, to understand it. I made a working solution.
But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.
Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.
Cryptocurrency ecosystems have the advantage of economic incentivization and if they're decentralised, uncensorability.
Those are two major advantages.
> uncensorability
I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.
Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislative tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.
Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.
It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.
"Ecosystem" in tech usually means vertical integration, which is not what it means in nature.
Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.
Federated systems are bad; they combine the negatives of centralized and decentralized systems. It is no wonder that they fail repeatedly.
Perhaps, but I think in this case what killed Persona was lack of adoption and interest from the public, nothing inherent to the actual technology
They fail because they are in the best interest of users, not corporations.
> Persona had many advantages over the Web3
it has none now ;)
One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)
If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.
Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.
That’s a lot of words to say “this will have better marketing thanks to crypto hype.”
Seems to be the selling point of most web3 and blockchain solutions once you brush the buzzwords off the copy.
This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?
> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.
Do we really need this? Do we really want to permanently tie identity across websites like this? I find this initial "need"/justification/requirement questionable.
I have a login on HN that is totally unique to e.g. Twitter and Instagram and <shudder> LinkedIn. Same with work vs personal. This is deliberate. I do not want to have the same identity here as I do elsewhere. There are many hopefully obvious reasons for this - mostly privacy (both in terms of immediate "in the moment" privacy, but also temporal privacy in the sense that I might not want some potentially ill-advised comments I made on some website 15 years ago to come back and bite me), but also it offers protections against "cancel culture" and general cyber-stalking and doxxing etc as that would become a whole lot easier if you can just run some query on a blockchain and find every single website I've ever used and dredge up my comments/content/etc. Being able to do that sounds very dystopian to me - why don't we just tattoo a barcode on our necks and be done with it?
So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.
There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a github/gitlab/codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.
So if you are not going to go whole-hog and have one true identity for everything, why bother using anything apart from an email address?
The argument seems to be that consistency allows you to prove ownership and re-use all of your content etc across the web by tying everything back to one verified identity. If you are having different identities on different sites then that benefit disappears, and I fail to see how it is then any better than using email addresses? You end up with different wallet IDs each with their own island of content, just like you have with email addresses.
Sure you could choose to "move" content with one of your many identities by just logging in with the ID (presumably losing all of your existing content), but we have copy-paste for that already (and I am only half-joking saying that...)
It doesn't give you that ability though. The reason we use Google and Facebook OAuth is because Google and Facebook did their due diligence with the account. We would just accept any OAuth provider if we didn't care about that validation.
And again, with these web3 identities, centralized services would still be providing the authorization even if they did not provide the authentication. I don't see what web3 identities provide.
Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.
Mostly what I care about is logins and payments which are addressed by password managers and form filling for credit cards. I just want a friction free experience for setting up an account, logging back into it, and maybe purchasing something.
And ideally I'd like to self-host, maybe with a service that looked like a NAS appliance hanging off a guest network on my router with a forwarded port through the firewall and some method for tracking my IP address (dyndns or similarish).
And ideally payments happen by a handshake between the service I run, the processor and the merchant in a way that my actual credit card details are never used. And for recurring payments I have the ability to just switch them off. Bringing all the control back to me and not leaking out reusable PII everywhere.
Of course corporations would aggressively hate that since it would destroy their business models of recurring payments for services the user is no longer using and the requirement of calling up the business and having to convince some phone operator that you really want to cancel.
> Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.
Your comment just gave me a thought - just imagine the online advertisers using this for tracking purposes!
At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates? (or at the very least they are watching this situation develop with an incredibly close level of detail)
Who needs cookies if you have a 100% reliable & long-lived (potentially immortal?) ID that the user takes with them everywhere they go online (and is the same on every site they visit) and for every purchase they make (using that wallet) online and offline?
This would be advertising networks' absolute dream situation if it becomes widespread - users voluntarily creating their own unique tracking fingerprint and using it on all the sites they visit, as well as helpfully logging all of their purchases they make with that ID on a public ledger that anyone can mine the data from.
It really does not get much better for the online advertising industry than that.
If you want a cynical take on web3 and are looking for your next billion dollar startup idea, then web3 ad tracking & targeting might be your best bet :)
This sounds ideal. Especially the self hosted part.
I agree that we don't need unique identities across everything, but even if that is a real problem it is also solved by public key cryptography without a requirement of a blockchain.
Sure but the blockchain env like Ethereum gives you that for free along with a few slick chrome extensions like Metamask and a JS library (web3.js) that make all of this super easy to build on.
You don't need to make any transactions or whatever, but you're inheriting all these tools for free.
Private keys are cheap to make. There's no reason you couldn't have a different one for every site. Of course, then it's on you to keep track of them, but it's already on you to keep track of the credentials you're using now. At least this way, the default of "use the same creds everywhere" is secure, if not more private.
This is already solved by existing crypto wallet tooling too, you can create an infinite number of keys all derived from a single root key (usually a 12-20 word phrase in modern wallets). A service with access to a single child public or even private key can't tie them to the sibling keys.
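The "sign something and send it to the service" login and the one-key-per-site idea from the comments above, as an added example (not code from this thread or from any wallet project). It assumes Ed25519 through Node's built-in `crypto` and a plain HKDF derivation rather than the BIP-32 scheme real wallets use; `deriveSiteKey`, `signChallenge`, `LoginServer`, the origins and the root secret are hypothetical or constructed.

```javascript
// Added example: per-site Ed25519 keys from one root secret, used for a
// challenge-response login. Names, origins and the derivation are illustrative.
const nodeCrypto = require('node:crypto');

// DER header that wraps a raw 32-byte Ed25519 seed as a PKCS#8 key (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Assumption: plain HKDF-SHA256 keyed by origin, not the BIP-32 scheme wallets use.
function deriveSiteKey(rootSecret, origin) {
  const seed = Buffer.from(
    nodeCrypto.hkdfSync('sha256', rootSecret, Buffer.alloc(0), 'site-login:' + origin, 32));
  const privateKey = nodeCrypto.createPrivateKey(
    { key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });
  const publicKeyHex = nodeCrypto.createPublicKey(privateKey)
    .export({ format: 'der', type: 'spki' }).toString('hex');
  return { privateKey, publicKeyHex };
}

// The signed message names the origin, so a signature is only valid for one site.
function challengeMessage(origin, nonce) {
  return Buffer.from(`login-v1\n${origin}\n${nonce}`, 'utf8');
}

// Client side: key and message both depend on the origin actually being visited.
function signChallenge(rootSecret, visitedOrigin, nonce) {
  const { privateKey, publicKeyHex } = deriveSiteKey(rootSecret, visitedOrigin);
  const signature = nodeCrypto.sign(null, challengeMessage(visitedOrigin, nonce), privateKey);
  return { publicKeyHex, nonce, signatureHex: signature.toString('hex') };
}

// Server side: stores only public keys, issues single-use nonces with an expiry.
class LoginServer {
  constructor(origin, ttlMs = 60000) {
    this.origin = origin;
    this.ttlMs = ttlMs;
    this.accounts = new Map(); // publicKeyHex -> KeyObject
    this.pending = new Map();  // nonce -> expiry timestamp (ms)
  }

  register(publicKeyHex) {
    const key = nodeCrypto.createPublicKey(
      { key: Buffer.from(publicKeyHex, 'hex'), format: 'der', type: 'spki' });
    this.accounts.set(publicKeyHex, key);
  }

  issueChallenge(now = Date.now()) {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(nonce, now + this.ttlMs);
    return nonce;
  }

  // Returns 'ok' or the reason the login was refused.
  verifyLogin(response, now = Date.now()) {
    const key = this.accounts.get(response.publicKeyHex);
    if (!key) return 'unknown-key';
    const expiry = this.pending.get(response.nonce);
    if (expiry === undefined) return 'unknown-or-used-nonce';
    this.pending.delete(response.nonce); // a nonce is consumed by its first attempt
    if (now > expiry) return 'expired';
    // The server rebuilds the message from its own origin; it never trusts
    // an origin supplied by the client.
    const valid = nodeCrypto.verify(null, challengeMessage(this.origin, response.nonce),
      key, Buffer.from(response.signatureHex, 'hex'));
    return valid ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const rootSecret = Buffer.alloc(32, 7); // constructed sample; use random bytes in practice
  const forum = new LoginServer('https://forum.example');
  const shop = new LoginServer('https://shop.example');
  const forumKey = deriveSiteKey(rootSecret, forum.origin).publicKeyHex;
  const shopKey = deriveSiteKey(rootSecret, shop.origin).publicKeyHex;
  forum.register(forumKey);
  shop.register(shopKey);

  const good = signChallenge(rootSecret, forum.origin, forum.issueChallenge());
  const elsewhere = signChallenge(rootSecret, shop.origin, forum.issueChallenge());
  return {
    keysLinkable: forumKey === shopKey,          // false: sites see unrelated keys
    login: forum.verifyLogin(good),              // 'ok'
    replay: forum.verifyLogin(good),             // 'unknown-or-used-nonce'
    signedAtOtherOrigin: forum.verifyLogin(elsewhere), // 'unknown-key'
  };
}

console.log(demo());
```

Neither server ever holds a secret, and the two registered public keys cannot be correlated without the root secret, which is the property the comments above describe.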
Exactly, we do not need it. If it weren't for job negotiations I'd be making all my contributions on the net masked.
So what happens when you get phished with Web3? If the value of all crypto goes down 10% YoY why would you use it?
The author makes a bunch of silly assumptions:
> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.
No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.
The author advocates third parties like Metamask and using a Chrome extension, which is ridiculous. If you're going to trust that, why not trust Microsoft, or Amazon, or Google?
> With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services
Yes, because Google is not a service.
Ultimately the author makes up a problem and says blockchain is the solution.
Even if we suppose it's a solution there's no discussion around phishing, stolen identities, or any failure mode really. Of course there isn't though - in general recourse requires an authority. Blockchain has none.
> No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.
You're missing the point. Yes, we don't need oAuth to log into HN. But HN is a site that is over 15 years old, and reflects the technology of its time. Instead, look at the companies YC funds and ask yourself how many of them DON'T have oAuth/SSO of some kind. Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins. My 10-year old Reddit account doesn't even have an email associated with it; I doubt that's allowed now.
The old web made by hobbyists having fun and not trying to sell anything is long gone. Even sites like HN are disappearing, and everything IS being monetized, whether we like it or not.
I don't understand your point.
Even if HN used oAuth - even if they required oAuth - ultimately oAuth as implemented on most sites is just a thin layer over email so you don't have to make another account.
The problem doesn't require blockchain as a solution. What would the website administrator gain from accepting a blockchain login? People would create accounts but you have no way of contacting them since you have no email. Clearly the kinds of sites you're describing wouldn't accept that.
OK so you associate an email with your blockchain login - so now it's the same as the status quo. What's the point?
> Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins.
And what, you think they'll be okay with anonymous users if those users log in with web3?
> I doubt that's allowed now.
It is. You have to hit next when prompted to enter an email address when registering (the input is not required)
Actually, I wish all of the internet had the simplicity and no-bullshit approach to information consumption that HN offers. RSS, simple login, text based - it's ideal.
Identities on Microsoft, Amazon, and Google are not portable. They can permanently ban you and you lose access to every single service you used them to authenticate to.
Private keys are portable between wallets.
What you’re saying is also true with web3. A bad actor’s key could be banned and a list of bad actors could be shared among sites resulting in the same thing.
In fact, if you believe in privacy at all you’d want to reject this idea for that alone.
I lost access to my Google account because I was away too long, and therefore all the accounts it was tied to.
Which is a problem 99.999999999% of people will never experience in their lifetime.
And even if it is a problem you can always reach out to the website and get them involved in moving your account to a different provider.
I'm open to the idea that there are real problems that are best solved by PoW/PoS blockchains and smart contracts, so I was hoping this article would reveal one. It doesn't. As mentioned elsewhere, Persona was already a perfectly good technical solution to this, years ago. It failed for various reasons, none of which would be addressed by blockchains/smart contracts. Likewise, the problem of "conveniently and securely log in everywhere" is well solved by Webauthn.
Arguing that "web3" will help because it will improve UX is ludicrous. "web3" provides nothing directly to boost UX. "web3 hype means there's lots of money sloshing around which can be used to improve UX" is an admission of defeat; all the money being sucked into the crypto space could be better deployed to solve these problems directly.
If this is the best shot at "real problems web3 solves", then there really is nothing there :-(.
Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.
Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?
I haven't used a Web3 site. How is it more seamless than Webauthn's "go to the site and have it verify my identity without me doing anything (using my plugged-in Yubikey plus the browser-stored user credentials)"?
Persona failed for various reasons. Big companies didn't want to offer Persona logins because they wanted to control the user relationship, especially the barrier to getting an account, and were unwilling to delegate that to arbitrary third parties. There was also a chicken-and-egg problem: not many sites accepted Persona logins, so not many people bothered to sign up to Persona, so not many sites bothered to accept Persona logins. This latter problem could have perhaps been solved if Mozilla had worked harder to integrate Persona into Firefox, but mistakes were made.
For Webauthn, AFAIK it's mainly an implementation issue on the server side. Maybe not enough people have the required secure tokens, on some platforms.
Obviously, blockchains and smart contracts don't help with any of the above issues.
Have you actually used a web2 website with a Mac?
For every website I can just press TouchID once, it will auto complete my credentials and click the login button for me. I can't see how web3 could possibly be faster.
Plus I can still access that website on any device e.g. public or work computer without needing to worry if I can install a Chrome plugin.
Have you actually used an OIDC website? Once you have your account setup it's the most seamless login experience I've ever had.
Sorry, there are plenty of standard ways to make logins seamless without a Blockchain.
Lots of people use and used X, for various X. Various auth only companies exist, like Okta. They don't care for your "data", they are just trying to log you in. Same for Ping, Oracle Identity (or whatever they are called these days), Amazon etc. Then there are services where you use a physical card for auth (many federal government jobs require people to auth using a card which basically just holds keys). There are many auth services with waaaaay more users than any web3 wallet.
The statement that web3 doesn't solve anything which hasn't already been solved wrt authentication... is about as close to a true statement as one can make.
> Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?
I find it funny that you do not detect the irony in what you just said.
> Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.
So much of the web3 discourse involves the same two tropes:
1) "If you ignore the hard parts and only focus on the easy parts, then it looks much easier"
2) Ignoring the fact that regular old solutions are actually even more streamlined. It's not like web3 invented the concept of storing credentials and auto-filling forms. These are basic features used by hundreds of millions of end-users on a daily basis. It takes mountains of effort to get web3 just to almost reach UX parity with what we already have.
The only way web3 can feel like a better UX is if you haven't bothered to try any recent UX advancements in regular, non-web3 technologies.
>Why is nobody using Persona or Webauthn despite being "superior"?
Because the use case itself is flawed and niche? I don't really want my entire digital life and spending history linked and especially not on a public ledger.
He isn't describing the true state of the world. Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either.
The world is still old school.
Grandpa dies and I go find the paper will.
I get an affidavit from a lawyer and a death certificate with a seal from the state.
I go into the bank with a bunch of papers and they figure out what to do.
There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.
This is 20 or 30 years off. Maybe 10 or 15 in China.
It's forever off because it's the wrong solution to a problem that no one is invested in even fully identifying let alone working at.
My hot-take parallel argument is that full self driving is a smart road problem with 'dumber' cars and not a dumb road and smart cars problem. But there's no scope to VC or profit your way into smart road infrastructure so we do it the wrong way round and hope we can throw resources at it till it's fixed.
You are correct. I would be plenty happy with 80% self-driving and lots of safety features, but the VCs want the robot trucks and taxis for their trillion dollar win. No way full self-driving can do the last mile or work in all conditions. For example, human eyes have pretty decent dynamic range in dark, snowy conditions. We basically make intuitive decisions about which patch of white stuff in the dark of night is the best one to smash through to get our driveways, and I don't think the computer vision is yet discerning enough to facilitate that.
This is kind of funny to read, since in Norway basically every interaction with the government (paying taxes, filing for divorce, accessing our health records etc.) is done through an oauth2 system, the same one we use to log in to our bank accounts/get loans through. Most people haven't interacted with the government via paper in years.
https://docs.digdir.no/idporten_overordnet.html
https://www.altinn.no/hjelp/innlogging/id-portenminidbankid/
Some very few non-digital government services remain, unfortunately, and it seems like the storage of wills is one of them. Asset transfer is still going to remain a manual process though, even when digital wills are here, thankfully.
America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website. For example, there are plenty of elections across the country whose official results can't be accessed online at all. You have to call in, go in person, or request mail/fax. There's basically a minimum of 50 different systems for even the most basic of government services (such as renewing a driver's license). And then you need to multiply that by all the different agencies and services. The federal government couldn't force one system for everything (there are certain things that are constitutionally up to the states), so it would be basically dead in the water since the problem is getting all 50 states (each with their own internal politics) to agree to implement the same system.
Not a problem web3 can solve either. Social Security Numbers aren't secure, but we keep using them everywhere because the political will to implement a better solution doesn't exist.
> Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either. The world is still old school.
I work for a bank and it has nothing to do with being old school. We use exactly the same technologies as any modern startup would e.g. Serverless, Kubernetes, Cloud etc and deploy into Production with blue/green releases every week.
It's just that the user experience of our entire customer base comes first. And whilst everyone "gets" usernames, passwords, PINs, TouchID, FaceID etc they really don't understand OAuth and other federated identity approaches. Like what Google or Amazon has to do with my finances and why I have to visit their site to reset my password.
People thinking that Web3 is going to solve this problem really don't understand that it isn't a problem that needs solving.
Whoever has the ability to generate that PK is the real centralized authority.
I'm reading this with an open mind, but I have questions:
> Problem #1: Owning Your Own Digital Identity & Fixing Authentication
My very technical friends who are security minded are on keybase.io. Multiple usernames and passwords across the internet is solved in various ways without blockchain. There are a lot of good password managers (I use an encrypted text file.) I don't feel Google owns my identity because I use their authentication system, so unless I'm missing something, I don't see a problem.
> enables advanced features like social recovery, which lets you recover your account if you lose your key via a smart contract that takes votes from guardians (friends or paid services).
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked.
Alone the audacity to think a single point of failure without any chance of recovery is a good idea for persona management in the real world is insane.
This is one of those things that has been an absolutely terrible thing for Apple over the years. People would forget their passwords on their phones or their iCloud account and lose access to everything. And there was nothing Apple could do to help them. So the poor people at the Apple Store just had to tell someone that the last pictures of their dead mom are gone forever.
Apple finally implemented a solution in iOS 15 (15.1?). You can designate people you trust to be able to help recover your account. Like your spouse or a sibling. If they don’t have full access, they can just help recover it.
You are 100% right. A single point of failure without any chance of recovery is a complete disaster for normal users.
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
Facebook already has this functionality and it's an absolutely massive pain if you're somehow not on their happy path. With no real way to figure out what the issue is and get it fixed or on the happy path.
Social recovery wallets usually use an m of n system where you don't need all keys to recover your wallet but a subset. For example, 9 total keys and any 5 needed to recover your wallet.
Let's say you give a key to a business and that business gets hacked. That's fine because a single key can't steal your wallet and you have 8 keys left. You can even invalidate the keys and generate 9 new ones.
> This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked
You could give keys to two businesses / people and require them both to agree before they can "unlock" the account. You could also add a timelock, so you have time to respond if they get hacked or collude against you.
These aren't really new ideas and exist in existing, non-crypto social recovery schemes.
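The m-of-n guardian approval and timelock described in the comments above can be modelled in a few lines. This is an added example, not code from the article or from any commenter; the key and guardian names are constructed placeholder strings and time is passed in explicitly so the behaviour is deterministic.

```python
"""Toy model of guardian-based ("social") account recovery with a timelock."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


class RecoveryError(Exception):
    """Raised when a recovery step violates the policy."""


@dataclass
class RecoverableAccount:
    owner_key: str
    guardians: Set[str]
    threshold: int   # m: approvals needed out of the n guardians
    timelock: int    # seconds between reaching quorum and finalizing
    votes: Dict[str, Set[str]] = field(default_factory=dict)  # new key -> approvers
    pending_key: Optional[str] = None
    ready_at: Optional[int] = None

    def __post_init__(self) -> None:
        self.guardians = set(self.guardians)
        if not 1 <= self.threshold <= len(self.guardians):
            raise ValueError("threshold must be between 1 and the number of guardians")

    def approve(self, guardian: str, new_key: str, now: int) -> bool:
        """Record one guardian's vote; return True once quorum is reached."""
        if guardian not in self.guardians:
            raise RecoveryError("not a current guardian")
        if self.pending_key is not None and new_key != self.pending_key:
            raise RecoveryError("another recovery is already waiting out its timelock")
        approvals = self.votes.setdefault(new_key, set())
        approvals.add(guardian)  # a set, so a repeated vote does not count twice
        if self.pending_key is None and len(approvals) >= self.threshold:
            self.pending_key = new_key
            self.ready_at = now + self.timelock  # the clock starts at quorum
        return self.pending_key == new_key

    def cancel(self, caller_key: str) -> None:
        """The current owner can veto a recovery during the timelock window."""
        if caller_key != self.owner_key:
            raise RecoveryError("only the current owner key can cancel")
        self._reset()

    def finalize(self, now: int) -> str:
        """Move the account to the new key once the timelock has elapsed."""
        if self.pending_key is None:
            raise RecoveryError("no recovery has reached quorum")
        if now < self.ready_at:
            raise RecoveryError("timelock has not elapsed")
        self.owner_key = self.pending_key
        self._reset()
        return self.owner_key

    def rotate_guardians(self, caller_key: str, guardians: Iterable[str],
                         threshold: int) -> None:
        """Owner replaces the guardian set; outstanding votes are discarded.

        This needs the current owner key, so a user who has already lost the
        key cannot remove a guardian they no longer trust.
        """
        if caller_key != self.owner_key:
            raise RecoveryError("only the current owner key can rotate guardians")
        new_guardians = set(guardians)
        if not 1 <= threshold <= len(new_guardians):
            raise ValueError("threshold must be between 1 and the number of guardians")
        self.guardians, self.threshold = new_guardians, threshold
        self._reset()

    def _reset(self) -> None:
        self.votes.clear()
        self.pending_key = None
        self.ready_at = None


if __name__ == "__main__":
    DAY = 86400
    acct = RecoverableAccount("key-old", {"g1", "g2", "g3"}, threshold=2, timelock=7 * DAY)
    acct.approve("g1", "key-new", now=0)
    acct.approve("g2", "key-new", now=60)
    print("owner after timelock:", acct.finalize(now=60 + 7 * DAY))
```
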
I honestly thought this was going to be a joke post because that top image is ridiculous. Maybe I'm just old, but it reads to me as
Web 1.0: Great
Web 2.0: Ugh, ok
Web 3.0: You're serious with this?
It's not Web 3.0, that was the semantic web, which also aimed in some sense to be decentralized data but wasn't about turning the internet itself into a vehicle for ridiculous investment ponzi-schemes. The "new" one is Web3.
This is what bugs me most about this whole web3 situation, if people want to dump their money into these ponzi-scheme pump and dump bs be my guest, but then naming it web3 isn't very nice.
To then attach all kinds of good qualities to it that are not shown, nor proven, and often demonstrably incorrect just finishes it off.
As you say, a lot of the bigger ideas claimed to be part of this "new" web3 thing aren't new, and are interesting ideas that should be further explored, it would be much better without the ponzi sauce.
Agreed - the UX mock up there looks awful. If you go look at coinmarketcap.com there are already hundreds of coins out there. Are users going to have to find their wallet from hundreds/thousands on the lists? Or are maybe not all sites going to support every wallet, so therefore you're going to need to have multiple wallets to support multiple sites ... suddenly that "consistent identity" fails as you are actually juggling 20-30+ wallets for logging into different sites.
.... or it ends up that everyone just logs in using an ethereum wallet and you're back to centralisation.
The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
That "Web 3.0 login" portion of the slide only makes that problem worse. Decentralization and a variety of choices absolutely fall apart when they meet non-tech users who have no idea what icon means what.
>The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
I already have this problem with Matrix/Element all the time. Not only do I forget my username and/or password on networks I've been logged into for months, I also forget homeserver addresses and all these other settings I had to set up at some point. Every time I get logged out of something, it takes a day or two to figure out how to get back in.
I had the same thought. Imagine listing all blockchains in tiny icons you scroll sideways. I suppose that can be done a lot better, but still, who decides which blockchains are included and which are not?
Precisely. Or what if you're some random grandma that has a wallet (since we're living in a make believe world where this is easy to create). Imagine you've forgotten which blockchain your wallet is on. Will there be a search box to find my wallet in this mess of combinatorics that is a login page?
Because that’s insane. Normal users couldn’t deal with that. Highly technical users can’t deal with that. It’s too much of a pain in the ass.
The solution is that there should only be one or two chains that everyone uses. Then there’s only one or two little icons you need.
The people who run the chains could make sure they keep running by having tens of thousands of computers. Of course that costs money. Luckily they get money out of the block chain because they can spend coins.
Of course users don’t really like buying things. Maybe it wouldn’t be too hard to put an ad or two in there to pay for things.
The easiest thing to get users on board is to use brands they trust. No normal person is going to trust everything they have to the Kakarot blockchain with an anime superhero for a logo.
Do you know who people trust? Facebook and Google. If they were to…
Oops. I invented today. Only with much more energy use.
As other comments have pointed out, there are other technical solutions to decentralized identity. The blockchain doesn't solve this problem any better than private keys or Persona or whatever. The article acknowledges this. The problem with existing solutions is not the technical problem, it's the social problem: making the new solution easy to use, fixing bugs and covering edge cases, and getting it deployed widely. The author claims that the social problem is what Web3 solves; that Web3 is the social solution counterpart to the blockchain technical solution.
Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised of on one end by true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints are only mad because they didn't get in when the cryptocoin was cheap, and on the other end by grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.
This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scumminess of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].
Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.
[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.
[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?
[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.
Ownership IRL is proved by notarial deeds, what do you want to prove with a blockchain and how?
Most web2 apps support a smaller number of SSO providers.
Technically "independent" SSO providers and similar existed, but none made it mainstream because there was no reason for apps to support them, but there was cost to support them.
There is even less reason IMHO for most apps to support Web3 login (more complexity).
Furthermore even if they do the web3 login would probably still list Google etc. as the web2 login still lists email.
It's questionable that more than one maybe two blockchains will be supported.
It's likely that often only a small number of wallets will be supported, it's also likely that "bigtech" companies like Google will provide web3 logins if it becomes successful.
So, it might happen. But I don't see it tbh.
There is just no reason to go the extra length to support web3 login for most Apps/Companies.
EDIT: Also trust of the general public into anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams, and money grabbing schemes. Which can hurt adoption of web3 login.
> It's questionable that more than one maybe two blockchains will be supported
You don't really need a blockchain unless you need to keep data on a blockchain. To login and identify a user you can simply sign a message. I consider the address as the user "identity". Any blockchain data related to that address is meant to be public (some people register <some-name>.eth on the ENS for example).
If you don’t need a blockchain what makes this web3? I thought that was supposed to be the defining feature.
If it’s just cryptographically signing things we’ve had that ability since PGP came out.
My big question with using a Web3 login is what advantages it gives the website owner.
With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.
With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need ask them for that anyway. I guess you can tie that into your wallet somehow?
But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?
But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.
People already use ENS to register a <some-name>.eth name to the respective ethereum address. It's also easy to write a smart contract that keeps meta-info on an address. This data would be public.
> Why does currency and money need to get involved?
It doesn't. You only need a blockchain to keep public data. You can sign a message and login with that, no need to send a transaction, can be done with balance 0.
But I thought the whole point was "owning your identity"... and now you're suggesting that we should put our personal data on a blockchain so everybody can see it?
>Do people really not trust FB/Google/Twitter that much?
People in general or HN audience?
Web3 emphasizes privacy by default. Emails are no longer needed for password management so if you need them for something else users should opt-in.
Apple already provides something like that that’s WAY more popular and doesn’t require the waste of resources a public blockchain would.
I know some people (especially us techies) like to control the whole stack but who do you think the majority of normal users would prefer?
I have a hunch that many services will probably want to collect the emails anyway. It provides websites a convenient excuse to ask people to join their marketing spam list. In most cases privacy isn't a profitable business proposition.
I was fully expecting to see an empty HTML page.
Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.
Having a key copied without your knowledge would be a major disaster, however.
Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.
It's not about using a ledger to hold public keys. The keys exist regardless of the ledger. The idea is to use the ledger to indisputably prove ownership or control over resources. Could be money, could be access to certain services, could be files, anything.
Also, the ledger doesn't have to be public.
If the ledger is not public, why would I trust it? If someone else claims they are you, how would I differentiate the conflicting claims?
A lot of these "this is not very different from X, you could do Y" replies remind me of the original Dropbox news.yc thread.
What everyone seems to be missing is that the web3 apps and UI conventions already have broad adoption among millions of only mildly techy users. They don't know what SSH is but they do know how to sign things with their in-browser wallet app. Of course, they also seem to not always know that giving away your private keys is quite bad...
But any "solution" that requires e.g. using the terminal is not really competing in the same space.
Do they really? Or did they follow some guide somewhere hoping to cash in on a gold rush?
If a huge number of people were using cryptocurrency to pay for things every day, I would agree with you. But I think a huge number of people just make one purchase and then sit. What percent of them could actually make a purchase without having to go look up how to do it?
> But any "solution" that requires e.g. using the terminal is not really competing in the same space.
The UI required for that is something that can be done in a couple minutes. The heavy lifting is done by libraries provided with the OS.
I hate all this "web3" stuff by default, but this is so important to remember so you don't miss out on what actually makes it through the hype cycle.
All of these decentralization arguments make me think of early git:
>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...
http://web.archive.org/web/20080821113906/http://git-scm.com...
Sure git can be used without the need to have a central server, but everything became so much simpler with github and other code repositories.
Decentralized systems are hard to navigate and humans will choose the easy thing every time.
Not just Git. Email. Money (used to be issued by individual banks). Internet infrastructure. The web. Everything goes centralized.... because... it's easier. And humans seem to show over and over again, easier wins.
Is that a bad thing? Web3 is ultimately about building hierarchies(DAO). I would like to see a diversity of new digital hierarchies, new federated systems with unique properties. Not just a purely decentralized system. Decentralized vs. Centralized is a false dichotomy IMO.
This problem is currently being solved by WebAuthn. For social recovery, if desired, the private key can be split up using Shamir's secret sharing.
Yes webauthn is a much better solution to this.
The real issue for me is that I would rather have Apple sitting between me and To Ty's app than a public blockchain with no owners. There are just too many edge cases and circumstances where I would rather have a trillion dollar company defending me, a paying customer, against To Ty if the app turns on me or doesn't meet my expectations.
me < To Ty's app + whatever they can get away with.
me + apple > To Ty's app.
Nothing in this article requires or benefits from a blockchain. Social recovery of your account is a feature on Facebook and has been for years... There's nothing novel or particularly interesting here.
The only thing blockchain would add is a gas fee whenever I would log in somewhere, and would keep the same UX problems I'd have with login anywhere else.
Keep in mind the most successful project EVER in managing identity was Let's Encrypt. A centralized non-profit that got the internet to use https everywhere by signing ssl certificates and vouching for everyone's server for free, and as far as I can tell without collecting any personal data about anyone. Web3 is going to solve "this" (whatever this is)... Riiight.
Article: web3 solves decentralized auth, and you are now in control!
Also article: to use it, you need to trust a centralized entity like Metamask that develops your Chrome extension and some unknown programmers that code some "smart contracts" aka unverifiable code in esoteric programming languages.
Also article: look! a solution! it's better!
You don't need to specifically use Metamask to use a blockchain, just like you don't need to use a specific browser to view this site.
It doesn't matter. You end up trusting a centralized entity with your auth.
Unless, of course, you are a programmer yourself and can implement that "decentralized auth smart contract" from scratch
I'm glad someone took the time to write this. I think it's quite interesting that the prime example picked here is a UI issue. The author freely admits that the "web3" solution is basically just private keys with better UI. I'm not all that up to date on web3 stuff, but... it's not UI.
The quote from Vitalik is great though - the goal of crypto is to let people make all the same mistakes and find out single central authorities actually have been established for a reason.
I do think a lot of these things go round the circle then end up on the same solutions we had before.
Coinbase is a nice example; turns out it's quite nice if some sort of company protects your money, makes sure you don't lose access to it, provides you with insurance in case something goes wrong, and lets you easily send, trade, and convert money. Such a revolutionary idea, right?
Federated/Decentralised identity/authentication is a solved problem. For example, this is essentially OpenID. Unfortunately this entire concept failed to gain traction.
Ok that’s one try. And there were… literally zero reasons in the article for actually using blockchains or cryptocurrency.
I believe this guy is being intellectually honest (which is a feeling I don’t get often in this space) but I don’t think he’s capable of asking the right questions.
The question that should be asked is what is a problem we (humans) have that is not only solved by this new tech, but can’t in any way even by bending over backwards be solved with some other technology?
The proposal is strictly inferior to SQRL[1] plus emailing your friends shares of your secret[2]. You get private keys, no third parties at all, social recovery, but with no Blockchain costs. Bonus point: you automatically get a pseudonym for each app.
The point about financial incentives aligning more easily in web3 is good, but I understood that even the poster child Metamask is not complete as it's missing good social recovery UX.
Please stop trying to sell snake oil.
[1]: https://www.grc.com/sqrl/sqrl.htm
[2]: https://en.m.wikipedia.org/wiki/Secret_sharing
Great - now I'm forced to be on some blockchain somewhere to get anything done.
This is progress?
You are missing the point. The article is about login methods. Username/password vs message signed with a private key. The blockchain part is there because it is the only ready-to-use way to do it in a browser.
It's absurd how HN users in general are so dismissive of anything cryptocurrency.
My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done.
> It's absurd how HN users in general are so dismissive of anything cryptocurrency.
It's quite reasonable actually, given the prevalence of not just hype, but frequently delusional / just plain rambling and incoherent hype surrounding it -- not to mention blatant fraud and manipulation aimed specifically at unsophisticated users.
And the skivviness of many people involved in it.
That said, the OP presents one of the more thoughtful proposals I've read recently, and may belong to the 5 percent or so of blockchain applications that just might have a useful application. With emphasis on "just might".
We'll see.
Blockchain isn't the only "ready to use" way to use cryptographic signatures for authentication. One reason people often are dismissive is because people who are pro crypto say things which aren't true, like this.
Various authentication schemes have used digital signatures...on the web... for decades at this point.
I like how "trustless" falls through the cracks at each and any of the Web3 posts I read.
It shows up as a marketing trick because it obviously means something very specific for that crowd and it is explained somewhere with a fine print.
I will stay with a thought that trust is not something that can be solved by technology :)
>The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.
>You can also do this to require approval from your friends before a certain amount of money moves out of your account, making theft significantly harder.
Okay, what if your relationship with those people changes? If you've lost your key or it's destroyed (maybe as a result of those relationships changing before you've had a chance to do anything), presumably you can't remove the trust relationship with your former friends. You then can't withdraw unless your new enemies say so, and you can't change that trust relationship.
Plus what are the rules around removing the withdrawal limit? If I can just remove it at any time, how's that going to prevent theft, as I can just remove the limit before the theft?
This is now yet another security consideration for regular users. In addition to ensuring your key is backed up, you have to think about contingencies for if/when these trust relationships change.
But flip this feature on its head and give your bank this trust, and at least you have the same resiliency as your current bank account. Ironically, you likely want to trust a large entity with vast resources (presumably too big to fail) instead of friends and family if you're looking to be secure against loss of your private key.
unless you're running your own servers, you don't own nothing ... you still going to be tied to a 3rd party that does that for you. This is what the web3 crowd don't want to understand, they will keep telling you : big tech ruined the internet bla bla bla switch to us because we are decentralized and you own your own data, ok ... but if anyone wants to use it or access it they need to go through us
Not to be that HN poster, but wouldn’t a PGP key browser plug-in do just as well?
What recourse would you have if you lose your private key? The author mentions a solution to that problem.
Same as Argent. Elect 4 trusted people, if they all ok it’s really you, the custodian (a company that stores your private keys, like LastPass), releases it to you.
I sincerely don't follow the logic on how Web3 "solves" the problem posited in the "But what if someone loses their private key?" section:
"Some of you might already be familiar with multisig, which is a similar concept... The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key. ... With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services. If you ever lose access to your private key, there is a smart contract encoded on the blockchain that says that if some number of your guardians all agree (you pick the number) then you can move your account to a new private key."
I didn't see anything about Google being a requirement for multisig, so I'll skip the author's aside and ask, "How are these two things different?" Multisig lets friends "vouch" for us to move our account to a new key and social recovery lets friends "agree" to let us move our account to a new key.
These sound exactly the same to me?
The original writeup says something about "multisig moves the burden down to the user to issue keys" etc., but setting up smart contracts would still require someone to do some kind of setup work. Those contracts aren't just going to magically appear out of nothing; at the very least you'll have to select your friends, get their agreement, and a contract would have to be issued and signed.
I dunno, I still fail to "get it" (this is not an invitation to try and help me "get it", as helping people "get it" is kind of the point of the original blog post)
Why can't this be done with existing public key cryptography?
There’s even a standard for doing this with WebAuthn.
WebAuthn is exactly what I thought of too... and hardly anyone is supporting it. In fact the only place I've seen it was Best Buy's website, oddly enough! Having yet another way to do this sort of authentication isn't going to magically make people start using it.
...which has effectively neither adoption nor momentum to achieve adoption: https://sec.okta.com/articles/2020/04/webauthn-great-and-it-...
For better or worse, there are a large (and ever growing) number of Metamask users these days...
It can. The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.
>> The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.
I would argue that the biggest successes of crypto are selling GPUs and facilitating malware ransom payments.
GPUs have sold like crazy and you are lucky to get a high end one with the current demand. Everybody and their pets are running mining rigs. Good luck getting a nice GPU for machine learning or graphics rendering.
Previously malware authors had to rely on gift cards or similar means to get paid. Now they have variety of cryptocurrencies to choose from and they can even trade cryptocurrencies to launder the paid ransom funds.
Here is a good thread with more information on why giving everyone a public private key pair is a big deal and the kinds of use cases it unlocks: https://twitter.com/BrantlyMillegan/status/13892701158840975...
It can. It just happens that the easiest way to achieve this is using web3, even if there is no blockchains involved. The article is about login methods, not cryptos or web3
> It just happens that the easiest way to achieve this is using web3
Is it? U2F is actually rolling out to more and more websites but I've never seen any website offer to log in with a dropdown for cryptocurrencies
> The article is about login methods, not […] web3
It’s literally titled “Real Problems That Web3 Solves, Part 1”
The author discusses this explicitly in the article.
IndieAuth[0] is an open standard decentralised authentication protocol which doesn't need blockchain or cryptocurrency.
[0] https://en.wikipedia.org/wiki/IndieAuth and https://indieweb.org/IndieAuth
I was expecting a blank page.
I like the starting focus on identity. Imagine if emails to you were authenticated by a token that you authorized by logging in, and could revoke at any time. In a Web2 world, features like this get created by Google, Apple or whomever inventing a permissions system that works on their platform -- and serves their product goals. In a Web3 world where you issue identity tokens, you can revoke them arbitrarily, so if your identity is shared you can trace and revoke at the root. Services move from worrying about how to game Apple's privacy model to how to avoid a ban that remains strictly in your control.
...and in a Web 1 beta II world this was already done by PGP in 1991. Granted, it never achieved mainstream adoption because it's somewhat cumbersome and solves a problem people do not actually experience. Sort-of like everything blockchain, one might say.
I like the "social wallet" idea, though no blockchain is needed for that. But there's a real danger that if enough of your friends get compromised, you can get compromised as well, and that can snowball. And most people would not be secure enough. So you'd want to have someone more secure as part of your "social set" - a large organization that actually does serious security. But then you're again depending on some large organization. You could require at least one of several large organizations, but that in turn reduces security.
What’s even the difference between «owning your digital identity» with email/password vs any other authentication method? Why does it even matter [0]? You don’t own any data connected to that digital identity [1]. I might be a bit on a radical side here, but to me it’s either you own everything or you own nothing. There’s no in-between.
[0] Except for OAuth since OAuth provider could ban you at any time.
[1] Until it's encrypted with your own public key and isn't stored anywhere in plaintext. Which can't be 100% guaranteed with any proprietary 3rd party service.
Great post!
This definitely has me thinking more about the extent to which the strength of a particular identity representation is determined by our willingness to bind artifacts of value to it.
... why would I want to share my wallet to something I trust less than a strange dog? Or part of my identity? No thanks.
One of the great things about usernames/passwords is it didn't demand that vulnerability - you could come up with whatever and it was your responsibility to keep up with your shit. Systems that mimic real world systems on average feel less prone to this silliness.
Email/password is terrible UX for the vast majority of users. It's forgettable, it's not secure, and it exists only because it has existed since the dawn of computers.
I disagree. Email and password is terrible compared to what?
This is probably the first blockchain use case that I've found compelling, outside of using its obvious use as a speculative asset of course. I hope the author elaborates more on this in the next part because there are still lingering questions - like how much would CRUD operations on your digital identity cost? After all, most blockchain technologies have associated "gas" or other transaction fees.
I still don't see how this is solving any problems. What if I just want to consume the content on the open web as is without logging in? It's one of the reasons why I have to use archiving sites to read the news because half the time NYT or WaPo whine about me not being logged in (as if being able to spam me with ads wasn't enough). I think all the noise about fixing identity and the like is just another way to force end users to give up privacy so content creators can just data mine more and sell it all off to ad companies. Like even to pay for something via crypto currency doesn't need much of a fixed identity other than a wallet address to send/receive coins from/to. Outside of that, why do they need to know I am X person rather than just X wallet/address?
Are there any security risks with signing onto a site with Metamask? Is there any way for them to drain your wallet without prompting you?
If not, then it seems to be a superior method and experience. You don't have to deal with usernames/email/password, and it offers more functionality with currency.
There have already been many many scams perpetrated by things CLAIMING to be MM/OpenSea
When you sign in with web3 you are signing a message with your private key, and the website is verifying that it was in fact you that signed the message by checking the message's signature with your public key.
The only way anyone can gain control of your wallet is if you give them your private key (or the seed to the privk) or if your PC is compromised (but you have bigger issues then)
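The sign-a-message login described in the comment above, as an added example that is not part of the thread: the site issues a single-use challenge naming its own domain, the client signs it only if that domain matches the site asking, and the site verifies the signature against the public key. Ed25519 from Node's built-in `crypto` stands in for a wallet's signing scheme; the message layout, the five-minute lifetime, and all names (`LoginVerifier`, `signChallenge`, `example.test`) are assumptions.

```javascript
// Added example (not from the thread): signed-challenge login with replay protection.
const nodeCrypto = require('node:crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime
const CHALLENGE_RE = /^(\S+) wants you to sign in\.\nNonce: ([0-9a-f]{32})\nIssued At: (\S+)$/;

// Account identifier: SHA-256 over the DER-encoded public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('hex');
}

// Client side: refuse to sign text that names a different site than the one asking.
function signChallenge(privateKey, message, requestingDomain) {
  const m = CHALLENGE_RE.exec(message);
  if (!m) throw new Error('unrecognised challenge format');
  if (m[1] !== requestingDomain) throw new Error('challenge is for another domain');
  return nodeCrypto.sign(null, Buffer.from(message, 'utf8'), privateKey);
}

// Server side: issues challenges and accepts each one at most once.
class LoginVerifier {
  constructor(domain, now = () => Date.now()) {
    this.domain = domain;
    this.now = now; // injectable clock so expiry can be exercised
    this.pending = new Map(); // nonce -> { message, expiresAt }
  }

  issueChallenge() {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    const issuedAt = this.now();
    const message = `${this.domain} wants you to sign in.\n` +
      `Nonce: ${nonce}\nIssued At: ${new Date(issuedAt).toISOString()}`;
    this.pending.set(nonce, { message, expiresAt: issuedAt + CHALLENGE_TTL_MS });
    return message;
  }

  verifyLogin(publicKey, message, signature) {
    const m = CHALLENGE_RE.exec(message);
    if (!m) return { ok: false, reason: 'malformed' };
    const entry = this.pending.get(m[2]);
    if (!entry) return { ok: false, reason: 'unknown-or-used-nonce' };
    this.pending.delete(m[2]); // single use: a captured signature cannot be replayed
    if (entry.message !== message) return { ok: false, reason: 'message-mismatch' };
    if (this.now() > entry.expiresAt) return { ok: false, reason: 'expired' };
    const valid = nodeCrypto.verify(null, Buffer.from(message, 'utf8'), publicKey, signature);
    return valid
      ? { ok: true, account: fingerprint(publicKey) }
      : { ok: false, reason: 'bad-signature' };
  }
}

// Constructed walk-through: one successful login, then the same signature replayed.
function demo() {
  const site = new LoginVerifier('example.test');
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const challenge = site.issueChallenge();
  const signature = signChallenge(privateKey, challenge, 'example.test');
  const first = site.verifyLogin(publicKey, challenge, signature);
  const replay = site.verifyLogin(publicKey, challenge, signature);
  return { first: first.ok, replay: replay.reason };
}

console.log(demo());
```

The private key never leaves the client, and the domain check in `signChallenge` is the part a user cannot perform by eye, which is why it belongs in the signing software rather than in the user's judgement.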
The major issue with the article is that the source of the described problems are due to business agenda and not technology. Everybody can run an OAuth2 authority but of course only tech giants have the marketing to lure everybody into their nest.
Technology won't fix greed which drives business.
So the main selling point to "rational" people is that you can connect your wallet to websites?
As in potentially link your income to every site you want access to?
If I wanted to do micro transactions, and let everyone drain my bank account, I'd not have 2fa on, use my real name, address DoB for things.
All these “web 2” companies are going to create their own “web 3” services that will only work on their own product, and we have overly complicated solutions to an issue which didn’t really need solving.
Can’t wait for my reddit or meta tokens which have a zero value.
My question with any blockchain application is always what does it solve that a centralized trusted database doesn't solve faster and with less waste? You can implement social recovery in a centralized database with less waste.
trustless, immutable, censorship resistant, permissionless.
How is any of that useful for a particular application? For every single application blockchain has been applied to, these are downsides.
I suppose blockchain can be a mechanism for the reification of pure information. So turning something that only has a value, into something that has a unique identity that can be 'pointed to'.
In the real world I might have a physical key (or some other interesting object) - there is exactly one of it and it exists in exactly one place (though of course I can create copies - but they are new objects).
In the virtual world this is a bit harder to construct and enforce - information is entirely ephemeral, and has no concrete existence or place. Maybe blockchain can provide that (in the context of the chain only of course).
I'm not sure about the present tense here; a conditional would fit better.
I don't see any advantage in the proposed system over oauth-based solutions. Currently, you trust one of some set of big companies to verify your identity, but these big companies might misbehave. The web3 solutions mean that you trust that some blockchain-based approach will be programmed correctly and not have bugs that render it useless; requiring N different people to recover an account will impose unacceptable delays in emergencies.
Better to give one or more nonprofits the job, have them manage identities and do nothing else. No energy-sucking blockchain needed.
I believe the key issue of debate is that people ignored the context: "Many people, including myself, believe that the individual should be able to own their own identity."
The cryptocurrency and decentralization are possible because some people believe and live on those ideas. For those who don't care, bitcoin is $0 or worse: a Ponzi scheme. For those who believe in it, the goal is to own one's id, data and money, and collaborate without a big company or a central government.
So the author made up a problem and said blockchain was a solution.
Web3 did not invent cryptographic login!
Client cert auth has been available for decades. There was never a need for centralized login.
It’s a one-liner in Apache with mod_ssl, and here’s a random google result showing the entire thing in a few lines of standard library python: https://gist.github.com/nebulak/6d865ddd768fb905a562d6026cdd...
I'm curious. The main thing he's pitching seems to be logging in with Metamask or similar with I guess the 'username' equivalent being a public key and you verify it with a private key. This tech has been around a while, since 2017 at least. I still have Metamask and keys in my browser from speculating on tokens back in the day.
Do any mainstream sites let you log in that way? Any plans for Metamask login on HN?
So now I have to manage not only my own key, but the keys of any of my friends who want me to vouch for them every time they lose their phone? No thank you.
The contract would likely be constructed to use any address (public key) you prefer, so it could be the public address of your favorite private key. Or not. The choice is yours.
Digital signatures have already solved the identity problem for anybody too paranoid to trust Google and OAuth. It doesn't require a blockchain either.
I’m open to web3 being a new and exciting phase of the Internet. I’m just wondering when it will come to me. You’d think if it were such a huge revolution it would start appearing organically in my every day web experience, but I don’t own any crypto, and to the best of my knowledge I have not yet organically stumbled into a new experience built on web3 innovations.
A question that isn't really delved into here, given a social recovery scheme, this iiuc must run on chain, so there are gas fees associated with account recovery. What's the cost to recover an account if I lose it today? Is there any way to reduce that cost, or will there always be some (potentially hundreds-of-dollars) fee associated with account recovery?
> One common refrain is that “blockchain is a solution in search of a problem.”
After reading this article it seems that the most useful thing someone has thought to use the blockchain for is [checks notes] a form of social media popularity contest to recover the key to your blockchain wallet.
Identity is a system of vouching so as to gain access to protected resources.
The article suggests you should let a network vouch for you instead of a corporation. By doing this you gain “ownership”.
You only “own” something when you can create, destroy and erase all signs of its existence at will.
Explain how you do this with Web3.
So, web3 regularly gets updated into the front page, only to be utterly trashed in the comments section.
What gives?
There is a group of users here on HN that REALLY like cryptocurrencies and blockchains and such. Web3 seems to be the latest on that hype-train.
There is a different group here on HN that REALLY hates it all. It was interesting technologically but then it started producing more CO2 and using more energy than reasonably sized countries. It also seems to be the method du jour for scammers to take money from people. It’s almost single handedly enabled the ransomware industry.
And people like to shit on the current hot thing, deservedly or not.
So here we are.
A lot of HN users were aware of bitcoin when it was worth pennies. Seeing it sitting at 50,000 dollars after trashing it created bitterness and cognitive dissonance.
I visit other sites where I can honestly say their users are honestly ignorant, given their lack of technical understanding. But here? This is sad to watch. If crypto/blockchain/web3 continues the current trajectory (or bitcoin goes to 100K), it will be worse, because the proud/bitter HN user will never admit to themselves that others can "get it" even though "I didn't get it".
That’s not totally wrong but I’d put it differently. This site is home to a lot of people who work hard to try to do something useful. It inspires resentment to see people get rich by just holding a token. Makes you feel like a fool for trying to do useful work.
I think the almost religious zeal makes it much worse. People win the lottery but they don’t claim to be geniuses or representatives of a shining new utopia for it. They just say they won the lottery.
The only tangible authentication solution is MetaMask, a crypto wallet. This is just typical Web3 dishonesty.
The article doesn’t show any problem solved by web3 tech that existing solutions can address much better.
Are there security/UX risks with users getting used to using their wallet for auth? It's difficult to know a safe vs. potentially unsafe site when it comes to crypto. Reading the docs, it appears to be relatively limited permissions, but either by giving more permissions than desired or phishing? Or can they combine the authentication with additional information to become a more effective spearphishing target?
If my email account is phished or hacked, it's bad, but there's a level between my cash and my email account. If I make a mistake here, potential losses are higher. In which case I'd probably have a 2nd wallet for auth and another I actually use, which then becomes more of a pain. I don't trust my parents or less technical relatives to use this flow safely.
What’s the recourse if you lose your private key?
This article doesn't add up the points to anything that solves for the given problem. Owning identity isn't solved by saying "don't trust ${third party}! Come trust ${my preferred third party}, it's better!" Any blockchain is still a third party that all parties involved with need to place trust in. It isn't somehow more or less trustworthy just because it exists.
> Many people, including myself, believe that the individual should be able to own their own identity.
Yes, this is nice wishful thinking, but on a global scale it's not really possible or feasible.
> OAuth2 should be used for what it was intended to, which is for a web service to provide another web service with a user’s data given that user’s consent. It should not be used as a global digital identifier because that’s too important to be owned by anyone but the individual themselves.
So, instead of OAuth being in the hands of FAANG[1] it's in the hands of ${blockchain-of-the-year}? How does moving the trust from a centralized company to a centralized blockchain change MY ownership? If I move everything away from FAANG to someone's blockchain, I have no assurance that chain will continue existing. If there's a flaw found in it and everyone moves to another chain, now what? Sure, we can make the same claim about FAANG not continuing to exist, but the point is there's no inherent advantage here, they're equal. FAANG are supported by millions of individuals and companies that are all, together invested in their success. There's no unilateral agreement on blockchains and I doubt there ever will be.
>With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services.
Again with the trust this and not that. All of my friends, family and other services need to then agree that they're all going to trust ${chain} instead of FAANG. It doesn't fix the problem. "the blockchain" isn't just one thing. Whose chain do we all shift trust to and from and based on what security? At least with Google I can rely on their security because if they end up with a breach of trust it's going to have a massive, real impact on share prices and consumer trust around the globe. That's incentive enough for me to rely on it day-to-day.
This article has some interesting tidbits but overall seems like just a baseless rally against FAANG by someone who knows very little about complex authentication or trust and security in the real world.
[1]https://www.investopedia.com/terms/f/faang-stocks.asp
A properly decentralized blockchain isn't a third party in the traditional sense, a human or organization that is bound to follow its agreements until it doesn't feel like it anymore. It's an algorithm incarnated.
That said, its initial and continued existence is dependent on economics. Who will market a service that they don't stand to profit from? Who will drive large organizations to invest in infrastructure that doesn't improve their profits? Either no one will, or it will be adulterated in the process. Sadly the community spirit that drove a lot of early internet development seems to be lost.
Finally straight to the point: Web3 log in with your wallet.
Major browsers support client certificate authentication. RFC 5246, is this it? And where is the web 3.0 part?
tldr; this article describes one problem that a blockchain solves better than existing non-blockchain solutions (identity).
My issue with the article is that it uses a lot of words to try to explain why web3 and blockchain may be the future. But for what point? If an important technology comes around which happens to use web3 or blockchain, I’ll see it’s important from its description and I’ll adopt it. I don’t need to support “web3” as a concept, because web3 basically means nothing. And I don’t think that web3 or blockchain is intrinsically bad, I just haven’t seen anything particularly useful with those technologies yet.