
Comment by endisneigh

4 years ago

> Apologies if I'm missing something, if it's easy to spin up unique identities on both what's the difference here? It seems like it would be one or the other.

Yes except for a centralized entity the admin would have recourse. How does a web server admin deal with it in the case of blockchain?

> I've seen posts on this forum about it. It happens and there's not much you can do if it does.

If we are talking about anecdotes I’ve seen people lose their private keys to phishing and consequently all of their money, so…

> You have to trust MetaMask to some extent, like any software you run locally, but MetaMask never gains control of your keys or identities, it's just a tool for using them (obviously 99.9% of users aren't auditing the code or building from source, but that's a totally different threat model). If MetaMask stops working for you, you can use a different tool with the same keys. If Google stops working for you you cannot transfer your account to Microsoft or Facebook.

This is not true, depending on implementation. Even if we accept what you’re saying as true you can run your own OAuth server.

Basically it seems the entirety of your argument rests upon trusting a centralized service. However, the scenarios posited by the author are ones where blockchain is used to log in to a centralized service to begin with, so I don’t understand the criticism. Furthermore, unless one is to accept the infinite possibility and quantity of accounts, inevitably, just like most other identity services, blacklists will be created.

If that is not effective then blockchain will simply not be an option for most sites.

Ultimately this convoluted web3 is no better than using an email address forwarder and a regular email and password.

> Yes except for a centralized entity the admin would have recourse.

Can you be more specific? How is it easier to sniff out a user using multiple emails vs multiple keys?

> If we are talking about anecdotes I’ve seen people lose their private keys to phishing and consequently all of their money, so…

Losing your keys is a huge problem that needs to be solved. I think social recovery is super promising in that respect but you're right that we aren't there yet. Phishing exists in both worlds, although I'd argue for logins specifically it's less of an issue in the MetaMask world, as you do not need to expose your private keys for that. You need to expose your password to log into Google.

> This is not true, depending on implementation. Even if we accept what you’re saying as true you can run your own OAuth server.

Which part isn't true?

There is... some difficulty gap between a browser extension and running your own authentication infra.
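The login flow the reply above relies on (the client proves control of a key by signing a server-issued challenge, and the private key itself is never sent), as an added example that is not part of this thread and not MetaMask's or any project's code; it uses Ed25519 from Go's standard library rather than Ethereum's signature scheme, and the site domain, nonce format and message text are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

type Server struct {
	domain string
	nonces map[string]bool // issued nonces, each good for exactly one login attempt
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, nonces: map[string]bool{}}
}

// Challenge issues a fresh random nonce for the client to sign.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// message binds the nonce to the site's domain (assumed format) so a signature collected by one site cannot be replayed as a login to another.
func message(domain, nonce string) []byte {
	return []byte("login to " + domain + " nonce=" + nonce)
}

// ClientSign runs on the user's side: the private key is used but never sent.
func ClientSign(priv ed25519.PrivateKey, domain, nonce string) []byte {
	return ed25519.Sign(priv, message(domain, nonce))
}

// Verify consumes the nonce and checks the signature; the account id is the public key itself.
func (s *Server) Verify(pub ed25519.PublicKey, nonce string, sig []byte) (string, error) {
	if !s.nonces[nonce] {
		return "", errors.New("unknown or already-used nonce")
	}
	delete(s.nonces, nonce) // single use: a captured signature cannot be replayed
	if !ed25519.Verify(pub, message(s.domain, nonce), sig) {
		return "", errors.New("signature does not match key")
	}
	return hex.EncodeToString(pub), nil
}
```

The same key pair works with any client that implements ClientSign, which is the portability point made above; what the server learns is only the public key, so account-level recourse is limited to that identifier.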

  • > Can you be more specific? How is it easier to sniff out a user using multiple emails vs multiple keys?

    If someone made 2109@gmail.com 238@gmail.com 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible. This would be important if your application has to do with financial activity. How would you do this if someone kept making random private keys?

    > I'd argue for logins specifically it's less of an issue in the MetaMask world, as you do not need to expose your private keys for that. You need to expose your password to log into Google.

    I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that an email address + password is superior to blockchain and gives you more control.

    If you're not capable of that and are using centralized services for things like email then you lose no more control using their OAuth server.

    You and the author have yet to address failure modes, or the superiority of this compared to email and password.

    • > If someone made 2109@gmail.com 238@gmail.com 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible.

      Citation needed, I very much doubt Google would comply without a search warrant. For financial activity, it depends whether the application requires authentication, or simply funds. For authentication see things like DECO, where you could prove some personal information about yourself without actually revealing that information (SSN for example). Obviously that is piggybacking off of a legacy system; it's up to the application to say what data they need.

      > I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that an email address + password is superior to blockchain and gives you more control.

      You are completely wrong that everyone currently using MetaMask is capable of hosting their own web server. Securely hosting a web server is orders of magnitude harder than securely using MetaMask.

      I think I did address both failure modes and the benefits. I agree with you that it's not ready to replace email and password, but I don't think the issues are insurmountable either.
