This definitely has me thinking more about the extent to which the strength of a particular identity representation is determined by our willingness to bind artifacts of value to it.
I like the starting focus on identity. Imagine if emails to you were authenticated by a token that you authorized by logging in, and could revoke at any time. In a Web2 world, features like this get created by Google, Apple or whomever inventing a permissions system that works on their platform -- and serves their product goals. In a Web3 world where you issue identity tokens, you can revoke them arbitrarily, so if your identity is shared you can trace and revoke at the root. Services move from worrying about how to game Apple's privacy model to how to avoid a ban that remains strictly in your control.
...and in a Web 1 beta II world this was already done by PGP in 1991. Granted, it never achieved mainstream adoption because it's somewhat cumbersome and solves a problem people do not actually experience. Sort-of like everything blockchain, one might say.
My big question with using a Web3 login is what advantages it gives the website owner.
With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.
With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need ask them for that anyway. I guess you can tie that into your wallet somehow?
But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?
But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.
Bitcoin doesn't support web3. Ethereum is moving to proof-of-stake, so the resources issue is gonna become a thing of the past. Also using web3 for authentication doesn't broadcast any transaction. So zero resources are used at that point.
Apple has a closed platform mindset, I hope users will see the benefits in a decentralized open protocol.
> I hope users will see the benefits in a decentralized open protocol.
See I think this here is the biggest issue. I feel like we have 30+ years of proof that normal users LIKE centralization for the convenience and ease it provides.
Email is basically the last man standing when it comes to distributed implementations and 1) it had reached mass adoption early enough to survive and 2) we’ve centralized it to a large degree anyway with Gmail and outlook.com
I have a hunch that many services they will probably want to collect the emails anyway. It provides websites a convenient excuse to ask people to join their marketing spam list. In most cases privacy isn't a profitable business proposition.
People already use ENS do register a <some-name>.eth name to the respective ethereum address. It's also easy to write a smart contract that keeps meta-info on an address. This data would be public.
> Why does currency and money need to get involved?
It doesn't. You only need a blockchain to keep public data. You can sign a message and login with that, no need to send a transaction, can be done with balance 0
Buy I thought the whole point was "owning your identity"... and know you're suggesting that we should put or personal data on a blockchain so everybody can see it?
I suppose blockchain can be a mechanism for the reification of pure information. So turning something that only has a value, into something that has a unique identity that can be 'pointed to'.
In the real world I might have a physical key (or some other interesting object) - there is exactly one of it and it exists in exactly one place (though of course I can create copies - but they are new objects).
In the virtual world this is a bit harder to construct and enforce - information is entirely ephemeral, and has no concrete existence or place. Maybe blockchain can provide that (in the context of the chain only of course).
Most web2 apps supports a smaller number of SSO providers.
Technically "independent" SSO providers and similar existed, but non made it mainstream because there was no reason for App's to support them, but there was cost to support them.
There is even less reason IMHO for most App's to support Web3 login (more complexity).
Furthermore even if they do the web3 login would probably still list Google etc. as the web2 login still lists email.
It's questionable that more than one maybe two blockchains will be supported.
It's likely that often only a small number of wallets will be supported, it's also likely that "bigtech" companies like google will provide web3 logins if it becomes successful.
So, it might happen. But I don't see it tbh.
There is just no reason to go the extra length to support web3 login for most Apps/Companies.
EDIT:
Also trust of the general public into anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams, and money grabbing schemes. Which can hurt adoption of web3 login.
> It's questionable that more than one maybe two blockchains will be supported
You don't really need a blockchain unless you need to keep data on a blockchain. To login and identify a user you can simply sign a message. I consider the address as the user "identity". Any blockchain data related to that address is mean to be public (some people register <some-name>.eth on the ENS for example)
And we had "independent" SSO schemes based on it, non of which gained widespread adoption (in the "independent" form).
The reason is the UX/UI flow, complexity for integrating them and users which already have it.
So if all people have a wallet at some point which they also can use for SSO that might get adoption.
Through for investment into crypto, instead of "daily using it" you probably don't want a hot walled on your phone.
So as long as "daily/frequent/casual crypto usage" doesn't become a supper common thing for large parts of the society (in the "western" world) it's hard for it to gain wide spread adoption I think.
Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.
It failed to gain traction, and Mozilla eventually pulled the plug.
Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.
Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)
Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.
This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?
The best product doesn't win, the 'sexiest' ones do because they can drum up the press coverage and mainstream recognition necessary to become a household name.
WeWork might not have a a 'tech' company, but it behaved like one after juicing on all that Softbank money. Turns out they had nothing Regus or other 'boring' companies couldn't provide. But they bought a lot prestige properties and advertised constantly, so they became the household name for co-working.
If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.
Agreed. This comes down to lack of power to push a system onto it's potential users, mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the ux was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.
My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).
Yea, but that's kind of my point. Actually decentralized software is just out there and you can use it if you find a use case for yourself, there is no one that would shut it down if it isn't popular enough.
The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of Wordpress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.
Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.
I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.
For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:
"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."
More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:
"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."
Didn't Apple try it 2 years ago? Log in with Apple...
I would never use these services unless it was completely open, free and privacy centric though.
Apple comes a bit of the way but they tend to make stuff work only on their own hardware wish won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.
> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.
That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).
Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.
I see the speculation-everywhere mode that web3 is currently in as a something that the future web will occasionally devolve into.
An idea will come along that enough of us can get behind, that idea will attract money and solve real problems for a while and when they're no longer problematic enough to warrant spending money on the system will collapse back into speculation hell until the next idea-that-we-can-get-behind comes along.
> That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.
As far as the technology goes, you could have the user GPG sign something and upload that attestation. Something about the UX of that leads me to believe that'll be a non-starter though.
Login/verification doesn't require a transaction though, so is relatively quick. Blockchain in this context can be thought of as a collection of (public) keys.
> I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service?
It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP and TLS etc have and this enables a lot of use cases such as universal private communication channels and authentication.
Signing the message is key for this yes but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.
But it doesn't solve that at all since there's no way to tie something on the block chain to the real world. All the same problems of knowing whether some particular PGP key belongs to the person you want apply the same to a wallet address.
I probably should have worded it differently to avoid that connotation. There are a lot of identity protocols but that's not what I was focusing on.
On HN I am Sargos. You know this because I am replying to you and only I can do that with this account. I can also tell you that I'm @JamesCarnley on Twitter but there's no way for you to verify that. If I were using my public key to log into HN and Twitter you would know those are both my accounts and thus my persona is verified across multiple applications. If I were to link my public key to my government's identity database then you'd also be able to verify I am really James in real life as well.
It feels like you're trying really hard to not get web3 any credit here. Try making something like this in the traditional web. People have tried and failed.
Ethereum provides a robust, secure, and increasingly usable key storage and usage system to everyone which makes "just signing a message" a simple task and not a 10 step process probably involving a CLI. It's worth considering the utility of this and the possibilities everyone having a person public/private key pair allows. My fellow software developers among us likely have their mouths watering at the use cases this unlocks. Here's a pretty good thread about the implications: https://twitter.com/BrantlyMillegan/status/13892701158840975...
I’m not sure what utility signing a message has inherently. You do this already behind the scenes on apps like iMessage or Signal with end to end encryption.[1] Or if you want to do it more directly but without the command line, there is Keybase: https://keybase.io/sign
Unless you were to upload each and every chat to a blockchain - which is prohibitively expensive - I don’t see the killer advantage over the previous alternatives. Also, many people here are also programmers, developers, and - surprise - hackers, so I am sure we would be interested in the mouth-watering use cases you’re thinking of (I looked at the Tweet thread you linked but it was just an explanation of public key cryptography in general.)
How does everyone know everyone's verified public keys? How are they verified? Who does the verification? How do you trust the verifiers? How do you know that person x in the real world has pubkey x?
Verified probably isn't the right word here. Authentic would probably work better.
I as a person have accounts on lots of apps but no real way to prove I own all of them. When you use a public key as your identifier then everyone can verify that the entity that owns Sargos on HN also owns Blah on Reddit if I want them to. Essentially you can trust that the digital entity you are interacting with is the digital entity you knew and trusted on the rest of the web in the past.
If you are using a web3 app and see vitalik.eth then you know for a fact that it's Vitalik Buterin. Unfortunately we only know this for sure because he said that is his address in public but there are many identity protocols trying to solve this problem and if you were to tie your public key to your government's identity database then you would be able to prove real world provenance.
1. They can (theoretically) examine the whole ledger.
2. Your possession of the private key “verifies” your public key, if someone takes it they are now you.
3. Depends on the consensus mechanism but in the best case, “everyone” and in the worst case “coinbase.”
4. You don’t trust them, the system is supposed to be trustworthy with untrustworthy participants, and when that’s not true you will just have to trust the architects of the hard fork.
> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community
What’s in it for the user to sign up for persona? Nothing
What’s in it for the user to get a crypto wallet? Money
Really? BAT was pretty profitable. Showing me a few ads as desktop notifications paid for a lot of my transaction costs in the early days. I just looked, BAT is up 754% over all time.
Twice, on different devices, I tried Brave as my default browser for month with ads turned on, and both times after a month of clicking on ads, the browser still said I had 0.0 BAT.
The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.
Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.
I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.
Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislational tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.
That's not true if it's a smart contract. People are still using the uniswap v2 smart-contract even though the uniswap website has completely moved on to v3.
In that case you're running a traditional centralised web2 service. If your service runs as a set of smart contracts, anyone willing to pay the fees can always use it. Forever.
"Ecosystem" in tech means usually means vertical integration, which is not what it means in nature.
Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.
Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.
It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.
Freeing users from regulated banks and taxes is a way to make money fast. It s never been the goal of bitcoin to provide any utility to businesses (insured loans, public offering, leverage financing, future contracts, merger consulting, asset management, wealth optimization).
And if they cant do what banks already provide, what sort of "freedom" do they offer ? The ability not to have a retail account, the low hanging fruit of banking ?
This BS kneejerk 2008 crisis reaction Satoshi pretend to have had at the time, made him both one of the richest financial force in the world and the biggest financial risk (if he sells for some random reason just one btc from a genesis wallet of 1M BTC, what do you think will happen?). He became Maddoff...
I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.
Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.
Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency than can swing in value wildly, and it's super easy to set up with stripe or any of the other platforms that the website is probably already using.
I'm not very knowledgeable about Web3, but what you point out, I also find confusing. Why do I need to use ETH to buy an NFT -- my credit card should just do fine -- shouldn't it?
Clicking the "Connect My Wallet" button is kind of fun. But I feel like I've gained nothing over just using my credit card -- in fact my credit card provides me (as the consumer) tons more benefit than using ETH -- and don't get me started on gas fees!
There's work happening now to make this a reality by partnering with on-ramps and off-ramps to go from fiat to crypto.
One can imagine a world in which this is completely transparent to the end user.
High ETH gas fees are also being solved by Layer 2 solutions which get fees down to cents by either batching transactions or doing the work off the main chain and posting only the proofs to the main ETH chain. Checkout zero knowledge rollups, aka zk-rollups.
What happens if Visa/Mastercard decides to block the merchant you want to use? Or you yourself are a merchant that gets hit with high fees simply because you're in a business that is deemed "high-risk"
I seem to remember pornhub being hit by this, which is why they removed unverified content. Perhaps it's also why OnlyFans decided to ban explicit content a few months back (before backpedaling).
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
I'm not convinced it's that a large benefit.
For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.
That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard which inflict high fees on your business and who at a moments notice can bankrupt your business by blocking all payments.
Companies that are built around "SIN" such as weed and porn have basically been strong-armed by this financial monopoly, to the point that Crypto is a welcome addition and which they offer big discounts to users who pay with it.
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age
There are plenty of L1 solutions like Solana and Avalanche which offer low txn fees and high TPS. L2 networks such as Polygon have already launched and are being used.
> That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard
Visa and MasterCard don't have a duopoly on payment. They have a duopoly on “instant credit-card-based payment with charge back”, and Blockchain "tech" isn't competing in any of these features. If you don't need this and don't care about subpar UX, you can use bank transfers and still have a better solution than a blockchain-based one.
> high fees on your business
You think Visa fees are high? Blockchain transaction fees must look giagantic to you then…
> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
With super high fees, transfers that take litteral minutes to complete, no charge back and the ability to lose all the money yoy have if you ever get hacked. How exciting! Even bank transfer as a mean of payment is way better UX.
The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.
Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first site supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.
Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.
Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.
I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.
[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.
I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.
I had a go at writing oAuth from scratch, to understand it. I made a working solution.
But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.
Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.
tldr; this article describes one problem that a blockchain solves better than existing non-blockchain solutions (identity).
My issue with the article is that it uses a lot of words to try to explain why web3 and blockchain may be the future. But for what point? If an important technology comes around which happens to use web3 or blockchain, i’ll see it’s important from its description and i’ll adopt it. I don’t need to support “web3” as a concept, because web3 basically means nothing. And i don’t think that web3 or blockchain is intrinsically bad, i just haven’t seen anything particularly useful with those technologies yet.
I had the same thought. Imagine listing all blockchains in tiny icons you scroll sideways. I suppose that can be done a lot better, but still, who decides which blockchains are included and which are not?
Precisely. Or what if you're some random grandma that has a wallet (since we're living in a make believe world where this is easy to create). Imagine you've forgotten which blockchain your wallet is on. Will there be a search box to find my wallet in this mess of combinatorics that is a login page?
I mined a teeny tiny bit of Dogecoin years ago. One of the times it spiked in price, I decided to convert my teeny tiny bit into Etherium. So I used a wallet on a cryptocurrency trading site.
Do you know what site that was? I don’t. I can’t remember. I think the password may be in my password manager, but I’m not sure. I’d have to go digging.
But I am SURE I’ll remember which of the 1200 common block chains I use for my credentials.
Because that’s insane. Normal users couldn’t deal with that. Highly technical users can’t deal with that. It’s too much of a pain in the ass.
The solution is that there should only be one or two chains that everyone uses. Then there’s only one or two little icons you need.
The people who run the trains could make sure they keep running by having tens of thousands of computers. Of course that cost money. Luckily they get money out of the block chain because they can spend coins.
Of course users don’t really like buying things. Maybe it wouldn’t be too hard to put an ad or two in there to pay for things.
The easiest thing to get users on board is to use brands they trust. No normal person is going to trust everything they have two the Kakarot blockchain with an anime superhero for a logo.
Do you know who people trust? Facebook and Google. If they were to…
Oops. I invented today. Only with much more energy use.
It's not Web 3.0, that was the semantic web, which also aimed in some sense to be decentralized data but wasn't about turning the internet itself into a vehicle for ridicules investment ponzi-schemes. The "new" one is Web3
This is what bugs me most about this whole web3 situation, if people want to dump their money into these ponzi-scheme pump and dump bs be my guest, but then naming it web3 isn't very nice.
To then attach all kinds of good qualities to it that are not shown, nor proven, and often demonstrable incorrect just finishes it off.
As you say, a lot of the bigger ideas claimed to be part of this "new" web3 thing aren't new, and are interesting ideas that should be further explored, it would be much better without the ponzi sauce.
Agreed - the UX mock up there looks awful. If you go look at coinmarketcap.com there are already hundreds of coins out there. Are users going to have to find their wallet from hundreds/thousands on the lists? Or are maybe not all sites going to support every wallet, so therefore you're going to need to have multiple wallets to support multiple sites ... suddenly that "consistent identity" fails as you are actually juggling 20-30+ wallets for logging into different sites.
.... or it ends up that everyone just logs in using an ethereum wallet and you're back to centralisation.
The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
That "Web 3.0 login" portion of the slide only makes that problem worse. Decentralization and a variety of choices absolutely fall apart when they meet non-tech users who have no idea what icon means what.
>The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.
I already have this problem with Matrix/Element all the time. Not only do I forget my username and/or password on networks I've been logged into for months, I also forget homeserver addresses and all these other settings I had to set up at some point. Every time I get logged out of something, it takes a day or two to figure out how to get back in.
Absolutely, but let’s not pretend this is some magic technology that only cryptocurrency can solve. Nor is it clear cut that we’ll see adoption of wallet logins outside of crypto circles.
There’s a trade off there though. There are also other standards. People should probably want their cryptowallets to be better secured than they are. But crypto is facing the same UX challenge which leads to a worse model with the same attendant risks as phishing passwords.
The point still is that logging in with public-key cryptography is not exclusively a technology supported by cryptowallets.
WebAuthn is exactly what I thought of too... and hardly anyone is supporting it. In fact the only place I've seen it was Best Buy's website, oddly enough! Having yet another way to do this sort of authentication isn't going to magically make people start using it.
>> The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.
I would argue that the biggest successes of crypto are selling GPUs and facilitating malware ransom payments.
GPUs have sold like crazy and you are lucky to get a high end one with the current demand. Everybody and their pets are running mining rigs. Good luck getting a nice GPU for machine learning or graphics rendering.
Previously malware authors had to rely on gift cards or similar means to get paid. Now they have variety of cryptocurrencies to choose from and they can even trade cryptocurrencies to launder the paid ransom funds.
It can. It just happens that the easiest way to achieve this is using web3, even if there is no blockchains involved. The article is about login methods, not cryptos or web3
... why would I want to share my wallet to something I trust less than a strange dog? Or part of my identity? No thanks.
One of the great things about usernames/passwords is it didn't demand that vulnerability - you could come up with whatever and it was your responsibility to keep up with your shit. Systems that mimic real world systems on average feel less prone to this silliness.
email/password is terrible UX for vast majority of user. it's forgettable, it's not secure, and it exists only because it have existed since dawn of computers.
The real issue for me is that I would rather have Apple sitting between me and To Ty's app than a public blockchain with no owners. There are just too many edge cases and circumstances where I would rather have a trillion dollar company defending me, a paying customer, against To Ty if the app turns on me or doesn't meet my expectations.
me < To Ty's app + whatever they can get away with.
My question with any blockchain application is always what does it solve that a centralized trusted database doesn't solve faster and with less waste? You can implement social recovery in a centralized database with less waste.
Are there security/UX risks with users getting used to using their wallet for auth ? It's difficult to know a safe vs. potentially unsafe site when it comes to crypto. Reading the docs, it appears to be relatively limited permissions, but either by giving more permissions than desired or phishing? Or can they combine the authentication with additional information to become a more effective spearphishing target?
If my email account is phished or hacked, it's bad, but there's a level between my cash and my email account. If I make a mistake here, potential losses are higher. In which case I'd probably have a 2nd wallet for auth and another I actually use, which then becomes more of a pain. I don't trust my parents or less technical relatives to use this flow safely.
Are there any security risks with signing onto a site with Metamask? Is there any way for them to drain your wallet without prompting you?
If not, then it seems to be a superior method and experience. You don't have to deal with usernames/email/password, and it offers more functionality with currency.
When you sign in with web3 you are signing a message with your private key, and the website is verifying the it was in fact you that signed the message by checking the messages signature with your public key.
The only way anyone can gain control of your wallet is if you give them your private key (or the seed to the privk) or if your PC is compromised (but you have bigger issues then)
I like the "social wallet" idea, though no blockchain is needed for that. But there's a real danger that if enough of your friends get compromised, you can get compromised as well, and that can snowball. And most people would not be secure enough. So you'd want to have someone more secure as part of your "social set" - a large organization that actually does serious security. But then you're again depending on some large organization. You could require at least one of several large organizations, but that in turn reduces security.
You are missing the point. The article is about login methods. Username/password vs message signed with a private key. The blockchain part is there because is the only ready-to-use way to do it in an browser.
It's absurd how HN users in general are so dismissive of anything cryptocurrency
My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done.
It's absurd how HN users in general are so dismissive of anything cryptocurrency.
It's quite reasonable actually, given the prevalence of not just hype, but frequently delusional / just plain rambling and incoherent hype surrounding it -- not to mention blatant fraud and manipulation aimed specifically at unsophisticated users.
And the skivviness of many people involved in it.
That said, the OP presents one of the more thoughtful proposals I've read recently, and may belong to the 5 percent or so of blockchain applications that just might have a useful application. With emphasis on "just might".
> My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done
I agree with you on this. For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.
> ... not to mention blatant fraud and manipulation aimed specifically and unsophisticated users
Also agree, but probably for different reasons. Many people on twitter have the tendency to be mean, twitter doesn't make people mean, but it amplifies it. There is so many scams and manipulation because scammers and con artists always existed and people's greed for that 100x token and so does the scamming
The speed of communication that the internet gave us also serves as an amplifier of the ugliness of human nature
> For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.
i'm familiar with those (yubikey and titan, didn't knew about krypt). Don't own any of those but always install the FIDO U2F [1] app on my ledger hardware wallets (which is a nice extra).
my issue with using a physical device is that it detracts adoption if there is no other alternative. a browser extension or built-in helps adoption and adoption probably increases the number of people using physical devices.
Blockchain isn't the only "ready to use" way to use cryptographic signatures for authentication. One reason people often are dismissive is because people who are pro crypto say things which aren't true, like this.
Various authentication schemes have used digital signatures...on the web... for decades at this point.
All of these decentralization arguments make me think of early git:
>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...
Is that a bad thing? Web3 is ultimately about building hierarchies(DAO). I would like to see a diversity of new digital hierarchies, new federated systems with unique properties. Not just a purely decentralized system. Decentralized vs. Centralized is a false dichotomy IMO.
not just Git. Email. Money (used to be issued by individual banks). Internet infrastructure. The web. Everything goes centralized.... because... it's easier. And humans seem to show over and over again, easier wins.
As other comments have pointed out, there are other technical solutions to decentralized identity. The blockchain doesn't solve this problem any better than private keys or Persona or whatever. The article acknowledges this. The problem with existing solutions is not the technical problem, it's the social problem: making the new solution easy to use, fixing bugs and covering edge cases, and getting it deployed widely. The author claims that the social problem is what Web3 solves; that Web3 is the social solution counterpart to the blockchain technical solution.
Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised of on one end by true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints are only mad because they didn't get in when the cryptocoin was cheap, and on the other end by grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.
This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scummyness of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].
Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.
[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.
[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?
[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.
Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.
Having a key copied without your knowledge would be a major disaster, however.
Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.
A lot of these "this is not very different from X, you could do Y" replies remind me of the original Dropbox news.yc thread.
What everyone seems to be missing is that the web3 apps and UI conventions already have broad adoption among millions of only mildly techy users. They don't know what SSH is but they do know how to sign things with their in-browser wallet app. Of course, they also seem to not always know that giving away your private keys is quite bad...
But any "solution" that requires e.g. using the terminal is not really competing in the same space.
Dropbox was “just rsync“ but WAY easier to use for normal people. The iPod was JUST a normal MP3 player with a very easy interface everyone could understand.
Ease of use is EVERYTHING.
At no point does anything described about how web3 works or solves problems sound easier to use than the current system. Logging in with email and a password is easy. Using a Google to sign in is even easier. Apple’s sign in system is ridiculously simple and frictionless.
“Start by finding a chain you like and creating a wallet” is not easy. Do you have to buy coins on the chain? I’ve been seeing a lot of these web3 articles and I truly don’t know. Buying coins is another huge hassle.
“Oh but they’ll already have a wallet.” How? At some point they have to create them. Even if it was easier once they’ve created it (which I dispute), how is that supposed to happen?
If you have an iPhone, you have an Apple account, can do sign in with Apple trivially. If you have an android phone, you have a Google account, you can do sign in with Google trivially. Either way you have an email address, that’s quite easy.
How can you EVER make something simpler than those? I think best case scenario you would be able to match them.
But then you’re back to the problem of why I should switch to the new thing when the current thing works just as well.
I just have a very hard time seeing normal users ever buy into any of this.
Do they really? Or did they follow some guide somewhere hoping to cash in on a gold rush?
If a huge number of people were using cryptocurrency to pay for things every day, I would agree with you. But I think a huge number of people just make one purchase and then sit. What percent of them could actually make a purchase without having to go look up how to do it?
It's not about using a ledger to hold public keys. The keys exist regardless of the ledger. The idea is to use the ledger to indisputably prove ownership or control over resources. Could be money, could be access to certain services, could be files, anything.
Nobody can claim to have your private key, but they can sure as hell claim to be you.
We won't know who the real numtel ever is without some real-world proof and verification. This is where a lot of this crypto-based stuff starts to crumble: sure the mathematics of the cryptography works well on chain, but there is a very limited set of things that exist 100% purely on the blockchain - as soon as you need to go off of the blockchain for anything (e.g. proving human identity, proving ownership of a physical asset like a house etc) then you're back to the same old problems we've always had of having to prove identity/ownership/whatever, and you cant use a cryptographic hash to prove that I own the apple I am eating right now ... perhaps you can prove that I own an apple, but can you prove I own this apple?
Keys are identities. Someone claiming to be you doesn't matter. Always defer to keys.
A non public ledger would be something agreed upon by participants only. So you and I and 5 other people for example could run some type of organization using some private way to keep track of state. You choose to trust it, if you don't, then don't use it.
It doesn't have to be a blockchain. All these people selling "blockchain" are selling hype, the only reason you need a blockchain is if you're in an adversarial, permissionless environment and need consensus on state, and possibly need a record of historical state.
In a private system, you just need consensus among participants, potentially in an adversarial environment, but decidedly not a permissionless environment. As long as state can be kept, depending on the constraints of the system any sort of consensus and canonical state keeping mechanism would work. Could be a blockchain or something resembling one, could just be a document and it's hash kept by all participants and updated when the participants agree to a change. How complex you make consensus in a permissioned system depends on the goals and constraints of the system.
Same as Argent.
Elect 4 trusted people, if they all ok it’s really you, the custodian (a company that stores your private keys, like LastPass), releases it to you.
He isn't describing the true state of the world. Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either.
The world is still old school.
Grandpa dies and I go find the paper will.
I get an affidavit from a lawyer and a death certificate with a seal from the state.
I go into the bank with a bunch of papers and they figure out what to do.
There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.
This is 20 or 30 years off. Maybe 10 or 15 in China.
It's forever off because it's the wrong solution to a problem that no one is invested in even fully identifying let alone working at.
My hot-take parallel argument is that full self driving is a smart road problem with 'dumber' cars and not a dumb road and smart cars problem. But there's no scope to VC of profit your way into smart road infrastructure so we do it the wrong way round and hope we can throw resources at it till its fixed.
You are correct. I would be plenty happy with 80% self-driving and lots of safety features, but the VCs want the robot trucks and taxis for their trillion dollar win. No way full self-driving can do the last mile or work in all conditions. For example, human eyes have pretty decent dynamic range in dark, snowy conditions. We basically make intuitive decisions about which patch of white stuff in the dark of night is the best one to smash through to get our driveways, and I don't think the computer vision is yet discerning enough to facilitate that.
This is kind of funny to read, since in Norway basically every interaction with the government (paying taxes, filing for divorce, accessing our health records etc.) is done through an oauth2 system, the same one we use to log in to our bank accounts/get loans through. Most people haven't interacted with the government via paper in years.
Some very few non-digital government services remain, unfortunately, and it seems like the storage of wills is one of them. Asset transfer is still going to remain a manual process though, even when digital wills are here, thankfully.
America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website. For example, there are plenty of elections across the country whose official results can't be accessed online at all. You have to call in, go in person, or request mail/fax. There's basically a minimum of 50 different systems for even the most basic of government services (such as renewing a driver's license). And then you need to multiply that by all the different agencies and services. The federal government couldn't force one system for everything (there are certain things that are constitutionally up to the states), so it would be basically dead in the water since the problem is getting all 50 states (each with their own internal politics) to agree to implement the same system.
Not a problem web3 can solve either. Social Security Numbers aren't secure, but we keep using them everywhere because the political will to implement a better solution doesn't exist.
>>>America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website.
Additional example: I need to pay property taxes on my mother's house in New Jersey. I'm physically on the other side of the planet. While the town has a website, it's pretty much just a phone directory. I have to call them every 3 months, usually when it's 2-3am in my timezone, ask them what the property taxes are assuming I pay them by {$date}, and then mail them checks. I can't even do something as simple as enter the property lot number in a search field on their site, have it look up the outstanding taxes, and then just pay with a VISA card.
The Federal government SHOULD be able to force certain things in the name of "regulating interstate commerce". I would think that data standards and APIs would have efficiencies at scale that would reduce friction in inter-state transactions.
> Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either. The world is still old school.
I work for a bank and it has nothing to do with being old school. We use exactly the same technologies as any modern startup would e.g. Serverless, Kubernetes, Cloud etc and deploy into Production with blue/green releases every week.
It's just that the user experience of our entire customer base comes first. And whilst everyone "gets" usernames, passwords, PINs, TouchID, FaceID etc they really don't understand OAuth and other federated identity approaches. Like what Google or Amazon has to do with my finances and why I have to visit their site to reset my password.
People thinking that Web3 is going to solve this problem really don't understand that it isn't a problem that needs solving.
318 comments
[ 4.3 ms ] story [ 144 ms ] threadThis definitely has me thinking more about the extent to which the strength of a particular identity representation is determined by our willingness to bind artifacts of value to it.
With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.
With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need ask them for that anyway. I guess you can tie that into your wallet somehow?
But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?
But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.
I know some people (especially us techies) like to control the whole stack but who do you think the majority of normal users would prefer?
Apple has a closed platform mindset, I hope users will see the benefits in a decentralized open protocol.
See I think this here is the biggest issue. I feel like we have 30+ years of proof that normal users LIKE centralization for the convenience and ease it provides.
Email is basically the last man standing when it comes to distributed implementations and 1) it had reached mass adoption early enough to survive and 2) we’ve centralized it to a large degree anyway with Gmail and outlook.com
People in general or HN audience?
> Why does currency and money need to get involved?
It doesn't. You only need a blockchain to keep public data. You can sign a message and login with that, no need to send a transaction, can be done with balance 0
why do you twist "owning your identity" to mean putting everything about you "somewhere public" (like a blockchain)
In the real world I might have a physical key (or some other interesting object) - there is exactly one of it and it exists in exactly one place (though of course I can create copies - but they are new objects).
In the virtual world this is a bit harder to construct and enforce - information is entirely ephemeral, and has no concrete existence or place. Maybe blockchain can provide that (in the context of the chain only of course).
Technically "independent" SSO providers and similar existed, but non made it mainstream because there was no reason for App's to support them, but there was cost to support them.
There is even less reason IMHO for most App's to support Web3 login (more complexity).
Furthermore even if they do the web3 login would probably still list Google etc. as the web2 login still lists email.
It's questionable that more than one maybe two blockchains will be supported.
It's likely that often only a small number of wallets will be supported, it's also likely that "bigtech" companies like google will provide web3 logins if it becomes successful.
So, it might happen. But I don't see it tbh.
There is just no reason to go the extra length to support web3 login for most Apps/Companies.
EDIT: Also trust of the general public into anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams, and money grabbing schemes. Which can hurt adoption of web3 login.
You don't really need a blockchain unless you need to keep data on a blockchain. To login and identify a user you can simply sign a message. I consider the address as the user "identity". Any blockchain data related to that address is mean to be public (some people register <some-name>.eth on the ENS for example)
If it’s just cryptographically signing things we’ve had that ability since PGP came out.
The reason is the UX/UI flow, complexity for integrating them and users which already have it.
So if all people have a wallet at some point which they also can use for SSO that might get adoption.
Through for investment into crypto, instead of "daily using it" you probably don't want a hot walled on your phone.
So as long as "daily/frequent/casual crypto usage" doesn't become a supper common thing for large parts of the society (in the "western" world) it's hard for it to gain wide spread adoption I think.
It failed to gain traction, and Mozilla eventually pulled the plug.
Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.
Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.
Seems to be the selling point of most web3 and blockchain solutions once you brush the buzzwords off the copy.
WeWork might not have a a 'tech' company, but it behaved like one after juicing on all that Softbank money. Turns out they had nothing Regus or other 'boring' companies couldn't provide. But they bought a lot prestige properties and advertised constantly, so they became the household name for co-working.
My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).
Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.
I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.
For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:
"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."
More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:
"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."
[0] https://www.w3.org/TR/credential-management-1/#teh-futur
[1] https://wicg.github.io/FedCM/
I would never use these services unless it was completely open, free and privacy centric though.
Apple comes a bit of the way but they tend to make stuff work only on their own hardware wish won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.
Google / FB login still would have probably won
Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.
That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.
Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.
An idea will come along that enough of us can get behind, that idea will attract money and solve real problems for a while and when they're no longer problematic enough to warrant spending money on the system will collapse back into speculation hell until the next idea-that-we-can-get-behind comes along.
I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.
Login/verification doesn't require a transaction though, so is relatively quick. Blockchain in this context can be thought of as a collection of (public) keys.
It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP and TLS etc have and this enables a lot of use cases such as universal private communication channels and authentication.
Signing the message is key for this yes but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.
On HN I am Sargos. You know this because I am replying to you and only I can do that with this account. I can also tell you that I'm @JamesCarnley on Twitter but there's no way for you to verify that. If I were using my public key to log into HN and Twitter you would know those are both my accounts and thus my persona is verified across multiple applications. If I were to link my public key to my government's identity database then you'd also be able to verify I am really James in real life as well.
Ethereum provides a robust, secure, and increasingly usable key storage and usage system to everyone which makes "just signing a message" a simple task and not a 10 step process probably involving a CLI. It's worth considering the utility of this and the possibilities everyone having a person public/private key pair allows. My fellow software developers among us likely have their mouths watering at the use cases this unlocks. Here's a pretty good thread about the implications: https://twitter.com/BrantlyMillegan/status/13892701158840975...
You can improve the UX of key management tools without a global network of redundant computers.
I never said this.
>You can improve the UX of key management tools without a global network of redundant computers
Yet nobody has ever done it until now.
Unless you were to upload each and every chat to a blockchain - which is prohibitively expensive - I don’t see the killer advantage over the previous alternatives. Also, many people here are also programmers, developers, and - surprise - hackers, so I am sure we would be interested in the mouth-watering use cases you’re thinking of (I looked at the Tweet thread you linked but it was just an explanation of public key cryptography in general.)
[^1]: Apple also refused to backdoor a terrorist’s iPhone at the demand of the FBI. OpenSea intervened when someone stole assets from a collector (https://blockzeit.com/opensea-nft-marketplace-stops-hacker-f...)
Keybase.io is a quite elegant solution and didn't "fail" due to any fault of its own (the team was acquired by Zoom).
I as a person have accounts on lots of apps but no real way to prove I own all of them. When you use a public key as your identifier then everyone can verify that the entity that owns Sargos on HN also owns Blah on Reddit if I want them to. Essentially you can trust that the digital entity you are interacting with is the digital entity you knew and trusted on the rest of the web in the past.
If you are using a web3 app and see vitalik.eth then you know for a fact that it's Vitalik Buterin. Unfortunately we only know this for sure because he said that is his address in public but there are many identity protocols trying to solve this problem and if you were to tie your public key to your government's identity database then you would be able to prove real world provenance.
2. Your possession of the private key “verifies” your public key, if someone takes it they are now you.
3. Depends on the consensus mechanism but in the best case, “everyone” and in the worst case “coinbase.”
4. You don’t trust them, the system is supposed to be trustworthy with untrustworthy participants, and when that’s not true you will just have to trust the architects of the hard fork.
5. Magical off-chain oracle!
Also GPG doesn’t have a key distribution problem. You can spin up a keyserver or use a popular existing one.
What’s in it for the user to sign up for persona? Nothing
What’s in it for the user to get a crypto wallet? Money
There’s your answer.
No idea as to why you didn't get any payments, but I do know that you don't have to click on the ads.
https://support.brave.com/hc/en-us/articles/360026361072-Bra...
"Users are rewarded for viewing ad notifications as they appear in Brave. Users are not rewarded for clicking on ads."
Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.
Those are two major advantages.
I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.
Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislational tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.
Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.
It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.
And if they cant do what banks already provide, what sort of "freedom" do they offer ? The ability not to have a retail account, the low hanging fruit of banking ?
This BS kneejerk 2008 crisis reaction Satoshi pretend to have had at the time, made him both one of the richest financial force in the world and the biggest financial risk (if he sells for some random reason just one btc from a genesis wallet of 1M BTC, what do you think will happen?). He became Maddoff...
Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.
Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.
Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency than can swing in value wildly, and it's super easy to set up with stripe or any of the other platforms that the website is probably already using.
Clicking the "Connect My Wallet" button is kind of fun. But I feel like I've gained nothing over just using my credit card -- in fact my credit card provides me (as the consumer) tons more benefit than using ETH -- and don't get me started on gas fees!
One can imagine a world in which this is completely transparent to the end user.
High ETH gas fees are also being solved by Layer 2 solutions which get fees down to cents by either batching transactions or doing the work off the main chain and posting only the proofs to the main ETH chain. Checkout zero knowledge rollups, aka zk-rollups.
https://www.nytimes.com/2020/12/10/business/visa-mastercard-...
https://edition.cnn.com/2021/08/20/tech/onlyfans-explicit-co...
I'm not convinced it's that a large benefit.
For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.
That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard which inflict high fees on your business and who at a moments notice can bankrupt your business by blocking all payments.
Companies that are built around "SIN" such as weed and porn have basically been strong-armed by this financial monopoly, to the point that Crypto is a welcome addition and which they offer big discounts to users who pay with it.
Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age
There are plenty of L1 solutions like Solana and Avalanche which offer low txn fees and high TPS. L2 networks such as Polygon have already launched and are being used.
Visa and MasterCard don't have a duopoly on payment. They have a duopoly on “instant credit-card-based payment with charge back”, and Blockchain "tech" isn't competing in any of these features. If you don't need this and don't care about subpar UX, you can use bank transfers and still have a better solution than a blockchain-based one.
> high fees on your business
You think Visa fees are high? Blockchain transaction fees must look giagantic to you then…
Yeah. Crappy ones with high latency and high fees.
With super high fees, transfers that take litteral minutes to complete, no charge back and the ability to lose all the money yoy have if you ever get hacked. How exciting! Even bank transfer as a mean of payment is way better UX.
it has none now ;)
Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first site supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.
Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.
Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.
[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.
But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.
Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.
fwiw I agreee, but first to market is often first to fail.
My issue with the article is that it uses a lot of words to try to explain why web3 and blockchain may be the future. But for what point? If an important technology comes around which happens to use web3 or blockchain, i’ll see it’s important from its description and i’ll adopt it. I don’t need to support “web3” as a concept, because web3 basically means nothing. And i don’t think that web3 or blockchain is intrinsically bad, i just haven’t seen anything particularly useful with those technologies yet.
Web 1.0: Great
Web 2.0: Ugh, ok
Web 3.0: You're serious with this?
Do you know what site that was? I don’t. I can’t remember. I think the password may be in my password manager, but I’m not sure. I’d have to go digging.
But I am SURE I’ll remember which of the 1200 common block chains I use for my credentials.
The solution is that there should only be one or two chains that everyone uses. Then there’s only one or two little icons you need.
The people who run the trains could make sure they keep running by having tens of thousands of computers. Of course that cost money. Luckily they get money out of the block chain because they can spend coins.
Of course users don’t really like buying things. Maybe it wouldn’t be too hard to put an ad or two in there to pay for things.
The easiest thing to get users on board is to use brands they trust. No normal person is going to trust everything they have two the Kakarot blockchain with an anime superhero for a logo.
Do you know who people trust? Facebook and Google. If they were to…
Oops. I invented today. Only with much more energy use.
To then attach all kinds of good qualities to it that are not shown, nor proven, and often demonstrable incorrect just finishes it off.
As you say, a lot of the bigger ideas claimed to be part of this "new" web3 thing aren't new, and are interesting ideas that should be further explored, it would be much better without the ponzi sauce.
(Just like IPv5 never got anywhere ??)
We might as well also try the HTML approach, attach some letters (DWeb, XWeb) then once we all regain our sanity continue with web 4.0
.... or it ends up that everyone just logs in using an ethereum wallet and you're back to centralisation.
That "Web 3.0 login" portion of the slide only makes that problem worse. Decentralization and a variety of choices absolutely fall apart when they meet non-tech users who have no idea what icon means what.
I already have this problem with Matrix/Element all the time. Not only do I forget my username and/or password on networks I've been logged into for months, I also forget homeserver addresses and all these other settings I had to set up at some point. Every time I get logged out of something, it takes a day or two to figure out how to get back in.
For better or worse, there are a large (and ever growing) number of Metamask users these days...
The point still is that logging in with public-key cryptography is not exclusively a technology supported by cryptowallets.
I would argue that the biggest successes of crypto are selling GPUs and facilitating malware ransom payments.
GPUs have sold like crazy and you are lucky to get a high end one with the current demand. Everybody and their pets are running mining rigs. Good luck getting a nice GPU for machine learning or graphics rendering.
Previously malware authors had to rely on gift cards or similar means to get paid. Now they have variety of cryptocurrencies to choose from and they can even trade cryptocurrencies to launder the paid ransom funds.
Is it? U2F is actually rolling out to more and more websites but I've never seen any website offer to log in with a dropdown for cryptocurrencies
It’s literally titled “ Real Problems That Web3 Solves, Part 1”
One of the great things about usernames/passwords is it didn't demand that vulnerability - you could come up with whatever and it was your responsibility to keep up with your shit. Systems that mimic real world systems on average feel less prone to this silliness.
me < To Ty's app + whatever they can get away with.
me + apple > To Ty's app.
If my email account is phished or hacked, it's bad, but there's a level between my cash and my email account. If I make a mistake here, potential losses are higher. In which case I'd probably have a 2nd wallet for auth and another I actually use, which then becomes more of a pain. I don't trust my parents or less technical relatives to use this flow safely.
If not, then it seems to be a superior method and experience. You don't have to deal with usernames/email/password, and it offers more functionality with currency.
The only way anyone can gain control of your wallet is if you give them your private key (or the seed to the privk) or if your PC is compromised (but you have bigger issues then)
This is progress?
It's absurd how HN users in general are so dismissive of anything cryptocurrency
It's absurd how HN users in general are so dismissive of anything cryptocurrency.
It's quite reasonable actually, given the prevalence of not just hype, but frequently delusional / just plain rambling and incoherent hype surrounding it -- not to mention blatant fraud and manipulation aimed specifically at unsophisticated users.
And the skivviness of many people involved in it.
That said, the OP presents one of the more thoughtful proposals I've read recently, and may belong to the 5 percent or so of blockchain applications that just might have a useful application. With emphasis on "just might".
We'll see.
I agree with you on this. For the purpose of login in with a private key, i would prefer some browser extension (or built in the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.
> ... not to mention blatant fraud and manipulation aimed specifically and unsophisticated users
Also agree, but probably for different reasons. Many people on twitter have the tendency to be mean, twitter doesn't make people mean, but it amplifies it. There is so many scams and manipulation because scammers and con artists always existed and people's greed for that 100x token and so does the scamming
The speed of communication that the internet gave us also serves as an amplifier of the ugliness of human nature
What about https://www.yubico.com/products/yubikey-5-overview/ or https://cloud.google.com/titan-security-key/ or https://krypt.co/ (before it was acquired, I still use it though) or any of it's equivalents?
my issue with using a physical device is that it detracts adoption if there is no other alternative. a browser extension or built-in helps adoption and adoption probably increases the number of people using physical devices.
[1] https://www.ledger.com/fido-u2f
Various authentication schemes have used digital signatures...on the web... for decades at this point.
>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...
http://web.archive.org/web/20080821113906/http://git-scm.com...
Sure git can be used without the need to have have a central server, but everything became so much simpler with github and other code repositories.
Decentralized systems are hard to navigate and humans will choose the easy thing every time.
Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised of on one end by true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints are only mad because they didn't get in when the cryptocoin was cheap, and on the other end by grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.
This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scummyness of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].
Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.
[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.
[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?
[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.
Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.
Having a key copied without your knowledge would be a major disaster, however.
Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.
What everyone seems to be missing is that the web3 apps and UI conventions already have broad adoption among millions of only mildly techy users. They don't know what SSH is but they do know how to sign things with their in-browser wallet app. Of course, they also seem to not always know that giving away your private keys is quite bad...
But any "solution" that requires e.g. using the terminal is not really competing in the same space.
The UI required for that is something that can be done in a couple minutes. The heavy lifting is done by libraries provided with the OS.
Yet, crypto wallets remain the only cryptographic signature UI that normal people interact with.
Ease of use is EVERYTHING.
At no point does anything described about how web3 works or solves problems sound easier to use than the current system. Logging in with email and a password is easy. Using a Google to sign in is even easier. Apple’s sign in system is ridiculously simple and frictionless.
“Start by finding a chain you like and creating a wallet” is not easy. Do you have to buy coins on the chain? I’ve been seeing a lot of these web3 articles and I truly don’t know. Buying coins is another huge hassle.
“Oh but they’ll already have a wallet.” How? At some point they have to create them. Even if it was easier once they’ve created it (which I dispute), how is that supposed to happen?
If you have an iPhone, you have an Apple account, can do sign in with Apple trivially. If you have an android phone, you have a Google account, you can do sign in with Google trivially. Either way you have an email address, that’s quite easy.
How can you EVER make something simpler than those? I think best case scenario you would be able to match them.
But then you’re back to the problem of why I should switch to the new thing when the current thing works just as well.
I just have a very hard time seeing normal users ever buy into any of this.
If a huge number of people were using cryptocurrency to pay for things every day, I would agree with you. But I think a huge number of people just make one purchase and then sit. What percent of them could actually make a purchase without having to go look up how to do it?
Also, the ledger doesn't have to be public.
This is how JWTs and many other protocols ensure message authenticity.
Nobody can claim to have your private key, but they can sure as hell claim to be you.
We won't know who the real numtel ever is without some real-world proof and verification. This is where a lot of this crypto-based stuff starts to crumble: sure the mathematics of the cryptography works well on chain, but there is a very limited set of things that exist 100% purely on the blockchain - as soon as you need to go off of the blockchain for anything (e.g. proving human identity, proving ownership of a physical asset like a house etc) then you're back to the same old problems we've always had of having to prove identity/ownership/whatever, and you cant use a cryptographic hash to prove that I own the apple I am eating right now ... perhaps you can prove that I own an apple, but can you prove I own this apple?
A non public ledger would be something agreed upon by participants only. So you and I and 5 other people for example could run some type of organization using some private way to keep track of state. You choose to trust it, if you don't, then don't use it.
In a private system, you just need consensus among participants, potentially in an adversarial environment, but decidedly not a permissionless environment. As long as state can be kept, depending on the constraints of the system any sort of consensus and canonical state keeping mechanism would work. Could be a blockchain or something resembling one, could just be a document and it's hash kept by all participants and updated when the participants agree to a change. How complex you make consensus in a permissioned system depends on the goals and constraints of the system.
The world is still old school.
Grandpa dies and I go find the paper will.
I get an affidavit from a lawyer and a death certificate with a seal from the state.
I go into the bank with a bunch of papers and they figure out what to do.
There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.
This is 20 or 30 years off. Maybe 10 or 15 in China.
My hot-take parallel argument is that full self driving is a smart road problem with 'dumber' cars and not a dumb road and smart cars problem. But there's no scope to VC of profit your way into smart road infrastructure so we do it the wrong way round and hope we can throw resources at it till its fixed.
https://docs.digdir.no/idporten_overordnet.html
https://www.altinn.no/hjelp/innlogging/id-portenminidbankid/
Some very few non-digital government services remain, unfortunately, and it seems like the storage of wills is one of them. Asset transfer is still going to remain a manual process though, even when digital wills are here, thankfully.
Not a problem web3 can solve either. Social Security Numbers aren't secure, but we keep using them everywhere because the political will to implement a better solution doesn't exist.
Additional example: I need to pay property taxes on my mother's house in New Jersey. I'm physically on the other side of the planet. While the town has a website, it's pretty much just a phone directory. I have to call them every 3 months, usually when it's 2-3am in my timezone, ask them what the property taxes are assuming I pay them by {$date}, and then mail them checks. I can't even do something as simple as enter the property lot number in a search field on their site, have it look up the outstanding taxes, and then just pay with a VISA card.
The Federal government SHOULD be able to force certain things in the name of "regulating interstate commerce". I would think that data standards and APIs would have efficiencies at scale that would reduce friction in inter-state transactions.
I work for a bank and it has nothing to do with being old school. We use exactly the same technologies as any modern startup would e.g. Serverless, Kubernetes, Cloud etc and deploy into Production with blue/green releases every week.
It's just that the user experience of our entire customer base comes first. And whilst everyone "gets" usernames, passwords, PINs, TouchID, FaceID etc they really don't understand OAuth and other federated identity approaches. Like what Google or Amazon has to do with my finances and why I have to visit their site to reset my password.
People thinking that Web3 is going to solve this problem really don't understand that it isn't a problem that needs solving.