Comment by jdlshore

4 years ago

Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.

It failed to gain traction, and Mozilla eventually pulled the plug.

Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.

Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.

That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.

  • > That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.

    I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.

    • > I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service?

      It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP and TLS etc have and this enables a lot of use cases such as universal private communication channels and authentication.

      Signing the message is key for this yes but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.

    • As far as the technology goes, you could have the user GPG sign something and upload that attestation. Something about the UX of that leads me to believe that'll be a non-starter though.

      Login/verification doesn't require a transaction though, so is relatively quick. Blockchain in this context can be thought of as a collection of (public) keys.
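An added example, not part of the thread or any commenter's code: the "sign something and send it to the service" login discussed in the comments above, as a challenge-response with a single-use nonce, an expiry and origin binding. The origin, user names and TTL are constructed, and the public key is assumed to be registered out of band, which is the key-distribution step the replies argue about.

```javascript
const crypto = require("node:crypto");

// Constructed values for this example (assumptions, not from the thread).
const ORIGIN = "https://service.example";
const CHALLENGE_TTL_MS = 60000;

const registeredKeys = new Map();    // user -> public key (registered out of band)
const pendingChallenges = new Map(); // nonce -> { user, expires }

function register(user, publicKey) {
  registeredKeys.set(user, publicKey);
}

// Server: issue a fresh, single-use challenge bound to this origin and user.
function issueChallenge(user, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  pendingChallenges.set(nonce, { user, expires: now + CHALLENGE_TTL_MS });
  return JSON.stringify({ origin: ORIGIN, user, nonce });
}

// Client: sign the exact challenge bytes, but only for the origin it is talking to.
function signChallenge(challenge, privateKey, expectedOrigin) {
  if (JSON.parse(challenge).origin !== expectedOrigin) {
    throw new Error("challenge is for a different origin");
  }
  return crypto.sign(null, Buffer.from(challenge), privateKey); // Ed25519
}

// Server: accept only a valid signature over a challenge it issued and has not seen used.
function verifyLogin(challenge, signature, now = Date.now()) {
  let msg;
  try { msg = JSON.parse(challenge); } catch { return false; }
  if (!msg || typeof msg.nonce !== "string") return false;
  const pending = pendingChallenges.get(msg.nonce);
  if (!pending) return false;            // unknown or already used nonce: replay
  pendingChallenges.delete(msg.nonce);   // consume it even if a later check fails
  if (now > pending.expires) return false;
  if (msg.origin !== ORIGIN || msg.user !== pending.user) return false;
  const key = registeredKeys.get(msg.user);
  if (!key) return false;
  return crypto.verify(null, Buffer.from(challenge), key, signature);
}

// Walk through one good login and three rejected ones.
function demo() {
  const alice = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519"); // a key that is not alice's
  register("alice", alice.publicKey);
  const c1 = issueChallenge("alice");
  const s1 = signChallenge(c1, alice.privateKey, ORIGIN);
  const first = verifyLogin(c1, s1);
  const replay = verifyLogin(c1, s1); // same challenge and signature again
  const c2 = issueChallenge("alice");
  const wrongKey = verifyLogin(c2, signChallenge(c2, other.privateKey, ORIGIN));
  const c3 = issueChallenge("alice", 0);
  const s3 = signChallenge(c3, alice.privateKey, ORIGIN);
  const expired = verifyLogin(c3, s3, CHALLENGE_TTL_MS + 1);
  return { first, replay, wrongKey, expired };
}
```

The signature only proves possession of a key; binding that key to a person still depends on how `register` was fed.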

  • For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).

    Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.

    • I see the speculation-everywhere mode that web3 is currently in as something that the future web will occasionally devolve into.

      An idea will come along that enough of us can get behind, that idea will attract money and solve real problems for a while and when they're no longer problematic enough to warrant spending money on the system will collapse back into speculation hell until the next idea-that-we-can-get-behind comes along.

The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of Wordpress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.

Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.

I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.

  • > I also wonder why nobody has tried it since.

    For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:

    "The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."

    More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:

    "enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."

    [0] https://www.w3.org/TR/credential-management-1/#teh-futur

    [1] https://wicg.github.io/FedCM/

  • Didn't Apple try it 2 years ago? Log in with Apple...

    I would never use these services unless it was completely open, free and privacy centric though.

    Apple comes a bit of the way but they tend to make stuff work only on their own hardware, which won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.

  • I think that unless you worked at FAANG it wouldn't have made much of a difference for Persona.

    Google / FB login still would have probably won

I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.

Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.

Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

  • > Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

    I'm not convinced it's that large a benefit.

    For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)

    Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.

    • > I'm not convinced it's that large a benefit.

      That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard which inflict high fees on your business and who at a moment's notice can bankrupt your business by blocking all payments.

      Companies that are built around "SIN" such as weed and porn have basically been strong-armed by this financial monopoly, to the point that Crypto is a welcome addition and which they offer big discounts to users who pay with it.

      > Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age

      There are plenty of L1 solutions like Solana and Avalanche which offer low txn fees and high TPS. L2 networks such as Polygon have already launched and are being used.

  • > Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

    Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency that can swing in value wildly, and it's super easy to set up with Stripe or any of the other platforms that the website is probably already using.

    • I'm not very knowledgeable about Web3, but what you point out, I also find confusing. Why do I need to use ETH to buy an NFT -- my credit card should just do fine -- shouldn't it?

      Clicking the "Connect My Wallet" button is kind of fun. But I feel like I've gained nothing over just using my credit card -- in fact my credit card provides me (as the consumer) tons more benefit than using ETH -- and don't get me started on gas fees!

    • What happens if Visa/Mastercard decides to block the merchant you want to use? Or you yourself are a merchant that gets hit with high fees simply because you're in a business that is deemed "high-risk"

  • > Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

    With super high fees, transfers that take literal minutes to complete, no charge back and the ability to lose all the money you have if you ever get hacked. How exciting! Even bank transfer as a means of payment is way better UX.

  • > built-in, straightforward payment rails.

    Yeah. Crappy ones with high latency and high fees.

    • Solana transactions currently cost $0.00025 and can handle 50,000 transactions per second. For comparison visa handles 1700 TPS and MasterCard 5000.

Agreed. This comes down to lack of power to push a system onto its potential users. Mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the UX was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.

My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).

The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.

Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first sites supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.

Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.

Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.

I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.

[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.

> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community

What’s in it for the user to sign up for persona? Nothing

What’s in it for the user to get a crypto wallet? Money

There’s your answer.

  • The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.

    Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.

  • I don't know. Brave promised me money, and I still haven't gotten anything of significant value from that.

    • Really? BAT was pretty profitable. Showing me a few ads as desktop notifications paid for a lot of my transaction costs in the early days. I just looked, BAT is up 754% over all time.

    • I have about $100 in BAT from the initial Brave giveaway, even though I almost never use Brave aside from testing.

Despite these advantages, MySpace failed. I don't see how Facebook, with so many disadvantages compared to MySpace, could possibly succeed.

fwiw I agree, but first to market is often first to fail.

I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.

  • I had a go at writing oAuth from scratch, to understand it. I made a working solution.

    But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.

    Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.

Cryptocurrency ecosystems have the advantage of economic incentivization and if they're decentralised, uncensorability.

Those are two major advantages.

  • > uncensorability

    I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.

    Yes yes yes, people use email and WhatsApp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislative tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.

  • Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.

    It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.

    • Freeing users from regulated banks and taxes is a way to make money fast. It's never been the goal of bitcoin to provide any utility to businesses (insured loans, public offering, leverage financing, future contracts, merger consulting, asset management, wealth optimization).

      And if they can't do what banks already provide, what sort of "freedom" do they offer? The ability not to have a retail account, the low hanging fruit of banking?

      This BS kneejerk 2008 crisis reaction Satoshi pretended to have had at the time made him both one of the richest financial forces in the world and the biggest financial risk (if he sells for some random reason just one btc from a genesis wallet of 1M BTC, what do you think will happen?). He became Madoff...

  • "Ecosystem" in tech usually means vertical integration, which is not what it means in nature.

    Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.

Federated systems are bad; they combine the negatives of centralized and decentralized systems. It is no wonder that they fail repeatedly.

  • Perhaps, but I think in this case what killed Persona was lack of adoption and interest from the public, nothing inherent to the actual technology

    • Yea, but that's kind of my point. Actually decentralized software is just out there and you can use it if you find a use case for yourself, there is no one that would shut it down if it isn't popular enough.

One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)

  • If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.

  • Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.

  • That’s a lot of words to say “this will have better marketing thanks to crypto hype.”

    Seems to be the selling point of most web3 and blockchain solutions once you brush the buzzwords off the copy.

    • The best product doesn't win, the 'sexiest' ones do because they can drum up the press coverage and mainstream recognition necessary to become a household name.

      WeWork might not have been a 'tech' company, but it behaved like one after juicing on all that Softbank money. Turns out they had nothing Regus or other 'boring' companies couldn't provide. But they bought a lot of prestige properties and advertised constantly, so they became the household name for co-working.

  • This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?