Real Problems That Web3 Solves, Part 1 (billprin.com)
168 points by waprin on Jan 4, 2022 | 305 comments



Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.

It failed to gain traction, and Mozilla eventually pulled the plug.

Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.

Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.


> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.

That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.


> That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.

I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.


> I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service?

It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP and TLS etc have and this enables a lot of use cases such as universal private communication channels and authentication.

Signing the message is key for this yes but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.
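The "sign something and send it to the service" login discussed in the comments above, as an added example that is not part of the thread or of any project it mentions. It assumes Ed25519 keys from Node's built-in `crypto` module; the `Service` class, `signChallenge` function, message layout and `forum.example` domain are hypothetical names chosen for illustration. It shows the checks a verifier needs beyond the signature itself: a single-use nonce, an expiry, and a service name inside the signed message so the client can refuse a challenge issued by a different site.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 60_000; // assumed challenge lifetime

class Service {
  constructor(domain) {
    this.domain = domain;
    this.keys = new Map();    // username -> registered public key
    this.pending = new Map(); // nonce -> { username, message, expiresAt }
  }

  register(username, publicKey) {
    this.keys.set(username, publicKey);
  }

  // Step 1: hand out a fresh, single-use message that names this service.
  issueChallenge(username, now = Date.now()) {
    const nonce = crypto.randomBytes(16).toString('hex');
    const message = `${this.domain} login\nuser: ${username}\nnonce: ${nonce}`;
    this.pending.set(nonce, { username, message, expiresAt: now + TTL_MS });
    return { nonce, message };
  }

  // Step 3: verify the signature over the exact message this service issued.
  verify(nonce, signature, now = Date.now()) {
    const entry = this.pending.get(nonce);
    if (!entry) return { ok: false, reason: 'unknown-or-used-nonce' };
    this.pending.delete(nonce); // single use, even when verification fails
    if (now > entry.expiresAt) return { ok: false, reason: 'expired' };
    const publicKey = this.keys.get(entry.username);
    if (!publicKey) return { ok: false, reason: 'unknown-user' };
    const valid = crypto.verify(null, Buffer.from(entry.message), publicKey, signature);
    return valid ? { ok: true, user: entry.username } : { ok: false, reason: 'bad-signature' };
  }
}

// Step 2 (client side): sign only messages that name the site the user is on,
// so a challenge relayed from another service is not signed.
function signChallenge(privateKey, message, expectedDomain) {
  if (!message.startsWith(`${expectedDomain} login\n`)) return null;
  return crypto.sign(null, Buffer.from(message), privateKey);
}

// Constructed scenario: every key, user and domain below is made up.
function demo() {
  const alice = crypto.generateKeyPairSync('ed25519');
  const someoneElse = crypto.generateKeyPairSync('ed25519');
  const site = new Service('forum.example');
  site.register('alice', alice.publicKey);
  const results = {};

  // Normal login, then the same nonce and signature presented a second time.
  let c = site.issueChallenge('alice');
  const sig = signChallenge(alice.privateKey, c.message, 'forum.example');
  results.first = site.verify(c.nonce, sig);
  results.replay = site.verify(c.nonce, sig);

  // A signature made with a key that is not the one registered for alice.
  c = site.issueChallenge('alice');
  const wrongSig = signChallenge(someoneElse.privateKey, c.message, 'forum.example');
  results.wrongKey = site.verify(c.nonce, wrongSig);

  // A challenge answered after its lifetime has passed.
  c = site.issueChallenge('alice', 0);
  const lateSig = signChallenge(alice.privateKey, c.message, 'forum.example');
  results.expired = site.verify(c.nonce, lateSig, TTL_MS + 1);

  // A challenge issued by a different service: the client declines to sign.
  const other = new Service('other.example');
  const foreign = other.issueChallenge('alice').message;
  results.relayed = signChallenge(alice.privateKey, foreign, 'forum.example');
  return results;
}
```

Nothing here touches a ledger: the service only needs the user's public key on file, which is the key-distribution question the thread goes on to argue about.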


But it doesn't solve that at all since there's no way to tie something on the block chain to the real world. All the same problems of knowing whether some particular PGP key belongs to the person you want apply the same to a wallet address.


I probably should have worded it differently to avoid that connotation. There are a lot of identity protocols but that's not what I was focusing on.

On HN I am Sargos. You know this because I am replying to you and only I can do that with this account. I can also tell you that I'm @JamesCarnley on Twitter but there's no way for you to verify that. If I were using my public key to log into HN and Twitter you would know those are both my accounts and thus my persona is verified across multiple applications. If I were to link my public key to my government's identity database then you'd also be able to verify I am really James in real life as well.


And none of that has anything to do with blockchain.


It feels like you're trying really hard to not get web3 any credit here. Try making something like this in the traditional web. People have tried and failed.

Ethereum provides a robust, secure, and increasingly usable key storage and usage system to everyone which makes "just signing a message" a simple task and not a 10 step process probably involving a CLI. It's worth considering the utility of this and the possibilities everyone having a personal public/private key pair allows. My fellow software developers among us likely have their mouths watering at the use cases this unlocks. Here's a pretty good thread about the implications: https://twitter.com/BrantlyMillegan/status/13892701158840975...


I’m not sure what utility signing a message has inherently. You do this already behind the scenes on apps like iMessage or Signal with end to end encryption.[1] Or if you want to do it more directly but without the command line, there is Keybase: https://keybase.io/sign

Unless you were to upload each and every chat to a blockchain - which is prohibitively expensive - I don’t see the killer advantage over the previous alternatives. Also, many people here are also programmers, developers, and - surprise - hackers, so I am sure we would be interested in the mouth-watering use cases you’re thinking of (I looked at the Tweet thread you linked but it was just an explanation of public key cryptography in general.)

[1] Apple also refused to backdoor a terrorist’s iPhone at the demand of the FBI. OpenSea intervened when someone stole assets from a collector (https://blockzeit.com/opensea-nft-marketplace-stops-hacker-f...)


I haven’t heard a convincing argument for why only ethereum can get users to use key pairs.

You can improve the UX of key management tools without a global network of redundant computers.


> I haven’t heard a convincing argument for why only ethereum can get users to use key pairs.

I never said this.

> You can improve the UX of key management tools without a global network of redundant computers

Yet nobody has ever done it until now.


> Try making something like this in the traditional web. People have tried and failed.

Keybase.io is a quite elegant solution and didn't "fail" due to any fault of its own (the team was acquired by Zoom).


You can verify that you're the same person on Twitter by mentioning “I'm @Sargos on HackerNews” in your Twitter.


How does everyone know everyone's verified public keys? How are they verified? Who does the verification? How do you trust the verifiers? How do you know that person x in the real world has pubkey x?


Verified probably isn't the right word here. Authentic would probably work better.

I as a person have accounts on lots of apps but no real way to prove I own all of them. When you use a public key as your identifier then everyone can verify that the entity that owns Sargos on HN also owns Blah on Reddit if I want them to. Essentially you can trust that the digital entity you are interacting with is the digital entity you knew and trusted on the rest of the web in the past.

If you are using a web3 app and see vitalik.eth then you know for a fact that it's Vitalik Buterin. Unfortunately we only know this for sure because he said that is his address in public but there are many identity protocols trying to solve this problem and if you were to tie your public key to your government's identity database then you would be able to prove real world provenance.


1. They can (theoretically) examine the whole ledger.

2. Your possession of the private key “verifies” your public key, if someone takes it they are now you.

3. Depends on the consensus mechanism but in the best case, “everyone” and in the worst case “coinbase.”

4. You don’t trust them, the system is supposed to be trustworthy with untrustworthy participants, and when that’s not true you will just have to trust the architects of the hard fork.

5. Magical off-chain oracle!


This description fits Keybase equally well, which never really took off into mainstream and then shot itself in the foot by being acquired by Zoom.

Also GPG doesn’t have a key distribution problem. You can spin up a keyserver or use a popular existing one.


As far as the technology goes, you could have the user GPG sign something and upload that attestation. Something about the UX of that leads me to believe that'll be a non-starter though.

Login/verification doesn't require a transaction though, so is relatively quick. Blockchain in this context can be thought of as a collection of (public) keys.


For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).

Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.


I see the speculation-everywhere mode that web3 is currently in as something that the future web will occasionally devolve into.

An idea will come along that enough of us can get behind, that idea will attract money and solve real problems for a while and when they're no longer problematic enough to warrant spending money on the system will collapse back into speculation hell until the next idea-that-we-can-get-behind comes along.


The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of Wordpress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.

Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.

I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.


> I also wonder why nobody has tried it since.

For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:

"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."

More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:

"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."

[0] https://www.w3.org/TR/credential-management-1/#teh-futur

[1] https://wicg.github.io/FedCM/


Didn't Apple try it 2 years ago? Log in with Apple...

I would never use these services unless it was completely open, free and privacy centric though.

Apple comes a bit of the way but they tend to make stuff work only on their own hardware which won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.


I think that unless you worked at FAANG it wouldn't have made much of a difference for Personas

Google / FB login still would have probably won


I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.

Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.

Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

I'm not convinced it's that large a benefit.

For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)

Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.


> I'm not convinced it's that large a benefit.

That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard which inflict high fees on your business and who at a moment's notice can bankrupt your business by blocking all payments.

Companies that are built around "SIN" such as weed and porn have basically been strong-armed by this financial monopoly, to the point that Crypto is a welcome addition and which they offer big discounts to users who pay with it.

> Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age

There are plenty of L1 solutions like Solana and Avalanche which offer low txn fees and high TPS. L2 networks such as Polygon have already launched and are being used.


> That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard

Visa and MasterCard don't have a duopoly on payment. They have a duopoly on “instant credit-card-based payment with charge back”, and Blockchain "tech" isn't competing in any of these features. If you don't need this and don't care about subpar UX, you can use bank transfers and still have a better solution than a blockchain-based one.

> high fees on your business

You think Visa fees are high? Blockchain transaction fees must look gigantic to you then…


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency that can swing in value wildly, and it's super easy to set up with stripe or any of the other platforms that the website is probably already using.


I'm not very knowledgeable about Web3, but what you point out, I also find confusing. Why do I need to use ETH to buy an NFT -- my credit card should just do fine -- shouldn't it?

Clicking the "Connect My Wallet" button is kind of fun. But I feel like I've gained nothing over just using my credit card -- in fact my credit card provides me (as the consumer) tons more benefit than using ETH -- and don't get me started on gas fees!


There's work happening now to make this a reality by partnering with on-ramps and off-ramps to go from fiat to crypto.

One can imagine a world in which this is completely transparent to the end user.

High ETH gas fees are also being solved by Layer 2 solutions which get fees down to cents by either batching transactions or doing the work off the main chain and posting only the proofs to the main ETH chain. Check out zero knowledge rollups, aka zk-rollups.


You can't buy most NFTs with ETH, right? First you have to pay ETH-level fees to buy 'wrapped' ETH?


Rollup solutions like StarkNet and StarkEx on Ethereum will make apps gas-free.


What happens if Visa/Mastercard decides to block the merchant you want to use? Or you yourself are a merchant that gets hit with high fees simply because you're in a business that is deemed "high-risk"


Fair, but that seems like a really really small segment of the market assuming it's legal. For 99% of businesses I don't think this is an issue.


I seem to remember pornhub being hit by this, which is why they removed unverified content. Perhaps it's also why OnlyFans decided to ban explicit content a few months back (before backpedaling).

https://www.nytimes.com/2020/12/10/business/visa-mastercard-...

https://edition.cnn.com/2021/08/20/tech/onlyfans-explicit-co...


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

With super high fees, transfers that take literal minutes to complete, no charge back and the ability to lose all the money you have if you ever get hacked. How exciting! Even bank transfer as a means of payment is way better UX.


> built-in, straightforward payment rails.

Yeah. Crappy ones with high latency and high fees.


Solana transactions currently cost $0.00025 and can handle 50,000 transactions per second. For comparison visa handles 1700 TPS and MasterCard 5000.


Solana is proof-of-stake, right? I think the parent comment was talking about proof-of-work.


Agreed. This comes down to lack of power to push a system onto its potential users, Mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the ux was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.

My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).


The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.

Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first site supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.

Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.

Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.


I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.

[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.


> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community

What’s in it for the user to sign up for persona? Nothing

What’s in it for the user to get a crypto wallet? Money

There’s your answer.


The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.

Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.


I don't know. Brave promised me money, and I still haven't gotten anything of significant value from that.


Really? BAT was pretty profitable. Showing me a few ads as desktop notifications paid for a lot of my transaction costs in the early days. I just looked, BAT is up 754% over all time.


Twice, on different devices, I tried Brave as my default browser for a month with ads turned on, and both times after a month of clicking on ads, the browser still said I had 0.0 BAT.


Sigh, not sure why my first comment was downvoted.

No idea as to why you didn't get any payments, but I do know that you don't have to click on the ads.

https://support.brave.com/hc/en-us/articles/360026361072-Bra...

"Users are rewarded for viewing ad notifications as they appear in Brave. Users are not rewarded for clicking on ads."


I have about $100 in BAT from the initial Brave giveaway, even though I almost never use Brave aside from testing.


Despite these advantages, MySpace failed. I don't see how facebook, with so many disadvantages compared to MySpace, could possibly succeed.

fwiw I agree, but first to market is often first to fail.


I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.


I had a go at writing oAuth from scratch, to understand it. I made a working solution.

But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.

Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.


Cryptocurrency ecosystems have the advantage of economic incentivization and if they're decentralised, uncensorability.

Those are two major advantages.


> uncensorability

I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.

Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislational tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.


if I run an online service, and you login with web3, if you're an asshole, I can still ban your "indelible" account


Web3 services will be run by assholes for assholes so they won't need to ban anyone.


Sure they will: The people who call out the BS.


Yep - so there all these claims about no censorship or gatekeeping etc are clearly bullshit.


That's not true if it's a smart contract. People are still using the uniswap v2 smart-contract even though the uniswap website has completely moved on to v3.


In that case you're running a traditional centralised web2 service. If your service runs as a set of smart contracts, anyone willing to pay the fees can always use it. Forever.


So anyone willing to pay enough money can use my forum/etc, no matter what I think? Sounds great, sign me right up!


Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.

It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.


Freeing users from regulated banks and taxes is a way to make money fast. It's never been the goal of bitcoin to provide any utility to businesses (insured loans, public offering, leverage financing, future contracts, merger consulting, asset management, wealth optimization).

And if they can't do what banks already provide, what sort of "freedom" do they offer? The ability not to have a retail account, the low hanging fruit of banking?

This BS kneejerk 2008 crisis reaction Satoshi pretends to have had at the time, made him both one of the richest financial force in the world and the biggest financial risk (if he sells for some random reason just one btc from a genesis wallet of 1M BTC, what do you think will happen?). He became Madoff...


"Ecosystem" in tech usually means vertical integration, which is not what it means in nature.

Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.


Federated systems are bad, they combine the negatives of centralized and decentralized systems; it is no wonder that they fail repeatedly.


Perhaps, but I think in this case what killed Persona was lack of adoption and interest from the public, nothing inherent to the actual technology


Yea, but that's kind of my point. Actually decentralized software is just out there and you can use it if you find a use case for yourself, there is no one that would shut it down if it isn't popular enough.


They fail because they are in the best interest of users, not corporations.


> Persona had many advantages over the Web3

it has none now ;)


One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)


If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.


Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.


That’s a lot of words to say “this will have better marketing thanks to crypto hype.”

Seems to be the selling point of most web3 and blockchain solutions once you brush the buzzwords off the copy.


The best product doesn't win, the 'sexiest' ones do because they can drum up the press coverage and mainstream recognition necessary to become a household name.

WeWork might not have been a 'tech' company, but it behaved like one after juicing on all that Softbank money. Turns out they had nothing Regus or other 'boring' companies couldn't provide. But they bought a lot of prestige properties and advertised constantly, so they became the household name for co-working.


This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?


Web3 login has been working for awhile. I've used uniswap for example and it's a fantastic experience.


What percentage of all web logins are using web3 vs web2? When we say "work" here, we mean taking market share.


> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.

Do we really need this? Do we really want to permanently tie identity across websites like this? I find this initial "need"/justification/requirement questionable.

I have a login on HN that is totally unique to e.g. Twitter and Instagram and <shudder> LinkedIn. Same with work vs personal. This is deliberate. I do not want to have the same identity here as I do elsewhere. There are many hopefully obvious reasons for this - mostly privacy (both in terms of immediate "in the moment" privacy, but also temporal privacy in the sense that I might not want some potentially ill-advised comments I made on some website 15 years ago to come back and bite me), but also it offers protections against "cancel culture" and general cyber-stalking and doxxing etc as that would become a whole lot easier if you can just run some query on a blockchain and find every single website I've ever used and dredge up my comments/content/etc. Being able to do that sounds very dystopian to me - why don't we just tattoo a barcode on our necks and be done with it?


So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.

There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a github/gitlab/codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.


So if you are not going to go whole-hog and have one true identity for everything, why bother using anything apart from an email address?

The argument seems to be that consistency allows you to prove ownership and re-use all of your content etc across the web by tying everything back to one verified identity. If you are having different identities on different sites then that benefit disappears, and I fail to see how it is then any better than using email addresses? You end up with different wallet IDs each with their own island of content, just like you have with email addresses.

Sure you could choose to "move" content with one of your many identities by just logging in with the ID (presumably losing all of your existing content), but we have copy-paste for that already (and I am only half-joking saying that...)


Well I thought I explained it effectively, but there are numerous scenarios where you'd want to use the same identity across multiple services, cross sharing of data, provable rights, etc. But that doesn't mean you're limited to one, or that you want to use it for every service you use. The benefit doesn't disappear, the benefit only applies when you want it. It isn't all or nothing.


You just described OAuth/OIDC.


OAuth helps but it still forces you to rely on a single central provider as your "root". So it's not a complete solution.


> still forces you to rely on a single central provider as your "root"

So what? I am still struggling to understand what immediate and painful need users have with trusting Apple, Facebook, Google etc with their identity.

If people had some issue with this then users would simply not use OAuth and default to creating an account for each service they use.


> I am still struggling to understand what immediate and painful need users have with trusting Apple, Facebook, Google etc with their identity.

It's not so immediate until you get banned, but they've all been gradually stepping up their politicised banwaves. And there's always the concern about what happens when one of them goes the way of Yahoo.

> If people had some issue with this then users would simply not use OAuth and default to creating an account for each service they use.

Which has huge practical headaches, to the point that OAuth being the least-bad option doesn't say a lot.


What's to stop e.g. Google from creating a blacklist of these public identities again?


Defaults and ease for site operators matter. Google could publish a blacklist but it would be opt-in, and if one blacklist starts being unreasonable then site operators can easily switch to another.


What's to stop Google from creating and using an internal blacklist - not for publishing.


Google can blacklist you from Google, but they wouldn't control your login to other sites the way they currently do with OAuth.


> If people had some issue with this then users would simply not use OAuth and default to creating an account for each service they use.

Do you really believe this? Plenty of people use services they don't particularly like because it's better than the alternative or they have an immediate need. I know lots of people who didn't want to use zoom but needed to, have a Facebook account to keep up with family even though they'd rather not, etc.

Plenty of people would love an option that works as easy as oauth but doesn't lock them to a FAANG provider. Just because they use it when there's not another option doesn't mean they wouldn't use another option if it existed.


> I am still struggling to understand what immediate and painful need users have with trusting Apple, Facebook, Google etc with their identity.

Using your Google account to log into everything is great....until your account gets locked.

https://www.pcmag.com/news/not-even-google-employees-can-unl...


> I am still struggling to understand what immediate and painful need users have with trusting Apple, Facebook, Google etc with their identity.

Are you actually serious right now?


Because the number won't go up if we don't decentralise it duh


Email addresses aren't really good for this. It's really easy to sign up for a service with someone else's email address, for example. Sure, if that person ever finds out they can potentially claim ownership of the account through a password reset, but it doesn't erase the fact that you have been using their "identity" for some time.


Is this still a thing though? Pretty much everything I've used in the past 10-15 years has required email validation before allowing you to do anything meaningful.

Either way though, I don't see how an account claiming to be "wan23" would be any more trustworthy to me as created off of the back of an email account or off of a wallet ID - I still have no idea (nor do I care) who you are.


It is still a thing. Hell, even AWS let someone create an account with my email address without validation. Stupid system kept spamming me to alert me that the instance of whatever they spun up was stopped because there was no money in the account.


> Email addresses aren't really good for this. It's really easy to sign up for a service with someone else's email address, for example. Sure, if that person ever finds out they can potentially claim ownership of the account through a password reset, but it doesn't erase the fact that you have been using their "identity" for some time.

This is also true of a private key, in fact it's literally the same scenario...


Presumably a service that allows you to register using a public key as a unique identifier would require you to sign something with the private key.


That's what email confirmation is for. Lets you confirm possession of the email account you enrolled with.


For one thing, I don’t have to deal with every new website’s crappy signup and email confirmation flows, broken password reset flows, login forms that deliberately break password managers, etc. Obviously Web3 has nothing directly to do with these things, but a consistent auth system becoming ubiquitous could be inherently nice.


Your wallet is your identity, and so can directly be tied to web3. It could be implemented in alternate ways as well, but that's one situation that web3 can already handle. (Sort of. Password (private key) resets aren't a thing, yet.)


It doesn't give you that ability though. The reason we use Google and Facebook OAuth is because Google and Facebook did their due diligence with the account. We would just accept any OAuth provider if we didn't care about that validation.

And again, with these web3 identities, centralized services would still be providing the authorization even if they did not provide the authentication. I don't see what web3 identities provide.


Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.

Mostly what I care about is logins and payments which are addressed by password managers and form filling for credit cards. I just want a friction free experience for setting up an account, logging back into it, and maybe purchasing something.

And ideally I'd like to self-host, maybe with a service that looked like a NAS appliance hanging off a guest network on my router with a forwarded port through the firewall and some method for tracking my IP address (dyndns or similarish).

And ideally payments happen by a handshake between the service I run, the processor and the merchant in a way that my actual credit card details are never used. And for recurring payments I have the ability to just switch them off. Bringing all the control back to me and not leaking out reusable PII everywhere.

Of course corporations would aggressively hate that since it would destroy their business models of recurring payments for services the user is no longer using and the requirement of calling up the business and having to convince some phone operator that you really want to cancel.


> Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.

Your comment just gave me a thought - just imagine the online advertisers using this for tracking purposes!

At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates? (or at the very least they are watching this situation develop with an incredibly close level of detail)

Who needs cookies if you have a 100% reliable & long-lived (potentially immortal?) ID that the user takes with them everywhere they go online (and is the same on every site they visit) and for every purchase they make (using that wallet) online and offline?

This would be advertising networks' absolute dream situation if it becomes widespread - users voluntarily creating their own unique tracking fingerprint and using it on all the sites they visit, as well as helpfully logging all of their purchases they make with that ID on a public ledger that anyone can mine the data from.

It really does not get much better for the online advertising industry than that.

If you want a cynical take on web3 and are looking for your next billion dollar startup idea, then web3 ad tracking & targeting might be your best bet :)


It's much like the Shadowrun SIN system. Anyone who was SIN-less basically didn't exist in the Shadowrun world. It meant you couldn't get housing, reliable work, food, or medicine. Basically, you were a nobody and everyone made sure you knew it. Similarly, mailing addresses have had similar effects in society and now not having a permanent digital presence will become another barrier to block people who found themselves not able to set up such a presence in the past or can't even afford to get online with a cheap phone. All because the corps demand a means to uniformly know who you are beyond your name.


Credit scores.


> At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates?

Hardly FUD, of course these companies are watching. They have more cash than they know what to do with. They will acquire anything that even remotely takes off (even by the low standards of crypto).

Google acquired their way into all of their major businesses. None of the following were built by them:

- Google Ads (DoubleClick, acquired 2005)

- Google Analytics (Urchin, 2004)

- Youtube (acquired 2005)

- Android (also 2005)

The dates are off the top of my head, so I could be off by a year or two.


I seem to remember Google having native ads prior to the DoubleClick acquisition, but that was many years ago. But I agree with your point that they bought their competition and then bought entire business models.


This sounds ideal. Especially the self hosted part.


I agree that we don't need unique identities across everything, but even if that is a real problem it is also solved by public key cryptography without a requirement of a blockchain.


Sure but the blockchain env like Ethereum gives you that for free along with a few slick chrome extensions like Metamask and a JS library (web3.js) that make all of this super easy to build on.

You don't need to make any transactions or whatever, but you're inheriting all these tools for free.


The reviews on the metamask chrome extension are pretty scary. And it has access to view all data on all sites you visit. Is there a better way?


Private keys are cheap to make. There's no reason you couldn't have a different one for every site. Of course, then it's on you to keep track of them, but it's already on you to keep track of the credentials you're using now. At least this way, the default of "use the same creds everywhere" is secure, if not more private.


This is already solved by existing crypto wallet tooling too, you can create an infinite number of keys all derived from a single root key (usually a 12-20 word phrase in modern wallets). A service with access to a single child public or even private key can't tie them to the sibling keys.


Exactly, we do not need it. If it weren't for job negotiations I'd be making all my contributions on the net masked.


So what happens when you get phished with Web3? If the value of all crypto goes down 10% YoY why would you use it?

The author makes a bunch of silly assumptions:

> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.

No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.

The author advocates third parties like Metamask and using a Chrome extension, which is ridiculous. If you're going to trust that, why not trust Microsoft, or Amazon, or Google?

> With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services

Yes, because Google is not a service.

Ultimately the author makes up a problem and says blockchain is the solution.

Even if we suppose it's a solution there's no discussion around phishing, stolen identities, or any failure mode really. Of course there isn't though - in general recourse requires an authority. Blockchain has none.


> No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.

You're missing the point. Yes, we don't need OAuth to log into HN. But HN is a site that is over 15 years old, and reflects the technology of its time. Instead, look at the companies YC funds and ask yourself how many of them DON'T have OAuth/SSO of some kind. Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins. My 10-year-old Reddit account doesn't even have an email associated with it; I doubt that's allowed now.

The old web made by hobbyists having fun and not trying to sell anything is long gone. Even sites like HN are disappearing, and everything IS being monetized, whether we like it or not.


I don't understand your point.

Even if HN used OAuth - even if they required OAuth - ultimately OAuth as implemented on most sites is just a thin layer over email so you don't have to make another account.

The problem doesn't require blockchain as a solution. What would the website administrator gain from accepting a blockchain login? People would create accounts but you have no way of contacting them since you have no email. Clearly the kinds of sites you're describing wouldn't accept that.

OK so you associate an email with your blockchain login - so now it's the same as the status quo. What's the point?


> Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins.

And what, you think they'll be okay with anonymous users if those users log in with web3?


If they log in with a crypto wallet, that massively reduces the friction of making payments, which is all that investors want.

Reddit wants users to be somewhat identifiable in order to play to advertisers. However if people start buying and selling goods on Reddit itself (e.g. subscriptions to private subreddits), the company wouldn't have to rely as heavily on advertising.


> I doubt that's allowed now.

It is. You have to hit next when prompted to enter an email address when registering (the input is not required)


Actually, I wish all of the internet had the simplicity and no-bullshit approach to information consumption that HN offers. RSS, simple login, text based - it's ideal.


Identities on Microsoft, Amazon, and Google are not portable. They can permanently ban you and you lose access to every single service you used them to authenticate to.

Private keys are portable between wallets.


What you’re saying is also true with web3. A bad actor’s key could be banned and a list of bad actors could be shared among sites resulting in the same thing.

In fact, if you believe in privacy at all you’d want to reject this idea for that alone.


Sure, multiple independent sites could individually ban you. That's a fundamentally different problem, and much much less likely.

An antidote to that would be using a different key on each site you authenticate to. You still only need to store a single key, all other keys are derived from that yet cannot be associated with their sibling keys.

> What you’re saying is also trust with web3.

Not quite sure what you mean here, web3 is a pretty overloaded term. If you mean the very concept of web3..that's pretty fundamentally different from trusting a company that can unilaterally ban you, alter your data etc. There is no such parallel in web3. If you mean the JS library, that's also fundamentally different, and it's not the only game in town.


I’m not sure what your point is here - you could also create a new Google account per website or simply use an email address.

The author advocates using third party services such as MetaMask, who would need to be trusted.

How do you implement it without any third party site?

If we are talking about likelihood it’s unlikely you’d be banned from Microsoft/Facebook/Google for no reason too.

Furthermore as the administrator how do you stop bad actors?


You have to trust MetaMask to some extent, like any software you run locally, but MetaMask never gains control of your keys or identities, it's just a tool for using them (obviously 99.9% of users aren't auditing the code or building from source, but that's a totally different threat model). If MetaMask stops working for you, you can use a different tool with the same keys. If Google stops working for you you cannot transfer your account to Microsoft or Facebook.

> If we are talking about likelihood it’s unlikely you’d be banned from Microsoft/Facebook/Google for no reason too.

I've seen posts on this forum about it. It happens and there's not much you can do if it does.

> you could also create a new Google account per website or simply use an email address.

> Furthermore as the administrator how do you stop bad actors?

Apologies if I'm missing something, if it's easy to spin up unique identities on both what's the difference here? It seems like it would be one or the other.

And yes you can create a new Google account per website, but you are still at Google's mercy to authenticate. My 1Password has ~250 logins, I'd be seriously worried about a ban from Google if I made 250 accounts.


> Apologies if I'm missing something, if it's easy to spin up unique identities on both what's the difference here? It seems like it would be one or the other.

Yes except for a centralized entity the admin would have recourse. How does a web server admin deal with it in the case of blockchain?

> I've seen posts on this forum about it. It happens and there's not much you can do if it does.

If we are talking about anecdotes I’ve seen people lose their private keys to phishing and consequently all of their money, so…

> You have to trust MetaMask to some extent, like any software you run locally, but MetaMask never gains control of your keys or identities, it's just a tool for using them (obviously 99.9% of users aren't auditing the code or building from source, but that's a totally different threat model). If MetaMask stops working for you, you can use a different tool with the same keys. If Google stops working for you you cannot transfer your account to Microsoft or Facebook.

This is not true, depending on implementation. Even if we accept what you’re saying as true you can run your own oauth server.

Basically it seems the entirety of your argument rests upon trusting a centralized service. However the scenarios posited by the author are ones where blockchain is used to login to a centralized service to begin with so I don’t understand the criticism. Furthermore, unless one is to accept the infinite possibility and quantity of accounts, inevitably just like most other identity services, blacklists will be created.

If that is not effective then blockchain will simply not be an option for most sites.

Ultimately this convoluted web3 is no better than using an email address forwarder and a regular email and password.


> Yes except for a centralized entity the admin would have recourse.

Can you be more specific? How is it easier to sniff out a user using multiple emails vs multiple keys?

> If we are talking about anecdotes I’ve seen people lose their private keys to phishing and consequently all of their money, so…

Losing your keys is a huge problem that needs to be solved. I think social recovery is super promising in that respect but you're right that we aren't there yet. Phishing exists in both worlds, although I'd argue for logins specifically it's less of an issue in the MetaMask world, as you do not need to expose your private keys for that. You need to expose your password to log into Google.

> This is not true, depending on implementation. Even if we accept what you’re saying as true you can run your own oauth server.

Which part isn't true?

There is..some difficulty gap between a browser extension and running your own authentication infra..


> Can you be more specific? How is it easier to sniff out a user using multiple emails vs multiple keys?

If someone made 2109@gmail.com 238@gmail.com 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible. This would be important if your application has to do with financial activity. How would you do this if someone kept making random private keys?

> I'd argue for logins specifically it's less of an issue in the MetaMask world, as you do not need to expose your private keys for that. You need to expose your password to log into Google.

I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that an email address + password is superior to blockchain and gives you more control.

If you're not capable of that and are using centralized services for things like email then you lose no more control using their oauth server.

You and the author have yet to address failure modes, or the superiority of this compared to email and password.


> If someone made 2109@gmail.com 238@gmail.com 2398@gmail.com you could contact Google, send them the information and potentially block all of them collectively and/or find the person responsible.

Citation needed, I very much doubt Google would comply without a search warrant. For financial activity, it depends whether the application requires authentication, or simply funds. For authentication see things like DECO, where you could prove some personal information about yourself without actually revealing that information (SSN for example). Obviously that is piggybacking off of a legacy system; it's up to the application to say what data they need.

> I'm not understanding you. If you're someone who won't use Google, or a centralized service, then you are capable of hosting your own web server. If you're capable of that an email address + password is superior to blockchain and gives you more control.

You are completely wrong that everyone currently using MetaMask is capable of hosting their own web server. Securely hosting a web server is orders of magnitude harder than securely using MetaMask.

I think I did address both failure modes and the benefits. I agree with you that it's not ready to replace email and password, but I don't think the issues are insurmountable either.


> Citation needed, I very much doubt Google would comply without a search warrant. For financial activity, it depends whether the application requires authentication, or simply funds. For authentication see things like DECO, where you could prove some personal information about yourself without actually revealing that information (SSN for example). Obviously that is piggybacking off of a legacy system; it's up to the application to say what data they need.

There's plenty of evidence out there for this (https://www.jamesmadison.org/the-governments-secret-google-s...). Furthermore Google has a contact to officially subpoena them if you want (https://support.google.com/faqs/answer/6151275?hl=en). For mild things you could just report abuse and escalate - https://support.google.com/mail/contact/abuse?hl=en

Again, you're not answering the question. What does the web administrator do if someone is creating fake accounts using a private key? If you're going to use third party systems you don't need blockchain to begin with.

> You are completely wrong that everyone currently using MetaMask is capable of hosting their own web server. Securely hosting a web server is orders of magnitude harder than securely using MetaMask.

You're addressing a claim I didn't make. I'm not saying everyone using MetaMask can host their own server, I'm saying someone who isn't using a centralized entity anywhere can do it, by definition. Hosting a web server is trivial in 2022. You can literally set up a server by going to digitalocean.com right now, paying $5, and spinning up a one-click machine. Administrating it at scale is obviously more difficult, but it's trivial to set up a little OAuth server if you want.


> There's plenty of evidence out there for this

You are completely moving the goalposts, I thought we were talking about internet services trying to prevent spam..not government snooping and subpoenas. Are you claiming the government's ability to collect data about you from Google is a good thing? I'm pretty confused.

> Again, you're not answering the question. What does the web administrator do if someone is creating fake accounts using a private key? If you're going to use third party systems you don't need blockchain to begin with.

You are not answering the question either, is this web administrator the government? Are they going to serve Google with a subpoena?

> I'm not saying everyone using MetaMask can host their own server, I'm saying someone who isn't using a centralized entity anywhere can do it, by definition.

Ok fair enough, I'm not saying anybody will be using "no centralized entity anywhere", not totally sure what your point is. Using a centralized entity for A is equivalent to using it for A+B?


you don't really make any sense. sorry. I already addressed your points. the government point is not really relevant. the point is that a web admin has recourse with Google and/or government depending on the nature of the activity.

good luck


I just don't see how "ask Google / the government to tell me the identities of its customers" could be seen as a positive of the current system for 99% of cases. Especially given that Google likely won't even have the information, especially for an account created to commit serious crimes warranting NSA snooping or legal intervention. Just like creating a private key, you don't need a SSN or a passport to create a Google account, or most other email providers.

I feel like you are intentionally ignoring the dangers of SSO tied to a company that can unilaterally delete your account, and has little incentive to unlock it or even let you plead your case.

Cheers.


> I feel like you are intentionally ignoring the dangers of SSO tied to a company that can unilaterally delete your account, and has little incentive to unlock it or even let you plead your case.

I feel like you are intentionally ignoring the dangers of crossing a road where there is a higher probability of dying than a FAANGM deleting your account.


Not sure I understand the argument, everything with a lower probability than dying is not worth fixing? If you are in higher risk groups (journalist, critical of Google, using virtual phone numbers etc) is the probability still low?

Account deletion is not the only risk, it's also privacy (Google knows what you sign into and when) and a myriad other advantages (native payments being the obvious one).


From elsewhere in this thread:

> I lost access to my Google account because I was away too long, and therefore all the accounts it was tied to.


Anecdotal but I've been using gmail for ~15 years and I've never heard of anyone (that I personally know) being banned by Google. Seems like a far-fetched scenario for the average person.


> Sure, multiple independent sites could individually ban you. That's a fundamentally different problem, and much much less likely.

Wouldn't there be a common, shared list of malicious wallets that can be automatically blocked?

uBlock Origin doesn't update its ad domains list itself, it relies on a number of lists that other people have created. I've never had to lift a finger ever since I installed UBO.


There could be, but nobody is forced to follow it. If you use my website with Google SSO and Google deletes your account, you cannot sign into my site even if I do not want to follow the banlist.


I lost access to my Google account because I was away too long, and therefore all the accounts it was tied to.


Which is a problem 99.999999999% of people will never experience in their lifetime.

And even if it is a problem you can always reach out to the website and get them involved in moving your account to a different provider.


I'm open to the idea that there are real problems that are best solved by PoW/PoS blockchains and smart contracts, so I was hoping this article would reveal one. It doesn't. As mentioned elsewhere, Persona was already a perfectly good technical solution to this, years ago. It failed for various reasons, none of which would be addressed by blockchains/smart contracts. Likewise, the problem of "conveniently and securely log in everywhere" is well solved by Webauthn.

Arguing that "web3" will help because it will improve UX is ludicrous. "web3" provides nothing directly to boost UX. "web3 hype means there's lots of money sloshing around which can be used to improve UX" is an admission of defeat; all the money being sucked into the crypto space could be better deployed to solve these problems directly.

If this is the best shot at "real problems web3 solves", then there really is nothing there :-(.


Have you actually used a web3 website? Once you have your wallet set up it's the most seamless login experience I've ever had.

Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?


I haven't used a Web3 site. How is it more seamless than Webauthn's "go to the site and have it verify my identity without me doing anything (using my plugged-in Yubikey plus the browser-stored user credentials)"?

Persona failed for various reasons. Big companies didn't want to offer Persona logins because they wanted to control the user relationship, especially the barrier to getting an account, and were unwilling to delegate that to arbitrary third parties. There was also a chicken-and-egg problem: not many sites accepted Persona logins, so not many people bothered to sign up to Persona, so not many sites bothered to accept Persona logins. This latter problem could have perhaps been solved if Mozilla had worked harder to integrate Persona into Firefox, but mistakes were made.

For Webauthn, AFAIK it's mainly an implementation issue on the server side. Maybe not enough people have the required secure tokens, on some platforms.

Obviously, blockchains and smart contracts don't help with any of the above issues.


Yeah, it's actually almost the exact same UX to what you described down to the hardware key and browser-extension only there are also a lot of fun hexadecimal numbers, network selectors, and it's tied to a real money wallet (this part could really make payments UX better so it's too bad the IRS classifies every purchase from the wallet as a securities trade).


Have you actually used a web2 website with a Mac?

For every website I can just press TouchID once, it will auto complete my credentials and click the login button for me. I can't see how web3 could possibly be faster.

Plus I can still access that website on any device e.g. public or work computer without needing to worry if I can install a Chrome plugin.


Have you actually used an OIDC website? Once you have your account set up it's the most seamless login experience I've ever had.

Sorry, there are plenty of standard ways to make logins seamless without a Blockchain.


Lots of people use and used X, for various X. Various auth only companies exist, like Okta. They don't care for your "data", they are just trying to log you in. Same for Ping, Oracle Identity (or whatever they are called these days), Amazon etc. Then there are services where you use a physical card for auth (many federal government jobs require people to auth using a card which basically just holds keys). There are many auth services with waaaaay more users than any web3 wallet.

The statement that web3 doesn't solve anything which hasn't already been solved wrt authentication... is about as close to a true statement as one can make.


> Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or Webauthn despite being "superior"?

I find it funny that you do not detect the irony in what you just said.


> Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.

So much of the web3 discourse involves the same two tropes:

1) "If you ignore the hard parts and only focus on the easy parts, then it looks much easier"

2) Ignoring the fact that regular old solutions are actually even more streamlined. It's not like web3 invented the concept of storing credentials and auto-filling forms. These are basic features used by hundreds of millions of end-users on a daily basis. It takes mountains of effort to get web3 just to almost reach UX parity with what we already have.

The only way web3 can feel like a better UX is if you haven't bothered to try any recent UX advancements in regular, non-web3 technologies.


>Why is nobody using Persona or Webauthn despite being "superior"?

Because the use case itself is flawed and niche? I don't really want my entire digital life and spending history linked and especially not on a public ledger.


He isn't describing the true state of the world. Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either.

The world is still old school.

Grandpa dies and I go find the paper will.

I get an affidavit from a lawyer and a death certificate with a seal from the state.

I go into the bank with a bunch of papers and they figure out what to do.

There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.

This is 20 or 30 years off. Maybe 10 or 15 in China.


It's forever off because it's the wrong solution to a problem that no one is invested in even fully identifying let alone working at.

My hot-take parallel argument is that full self driving is a smart road problem with 'dumber' cars and not a dumb road and smart cars problem. But there's no scope to VC or profit your way into smart road infrastructure so we do it the wrong way round and hope we can throw resources at it till it's fixed.


You are correct. I would be plenty happy with 80% self-driving and lots of safety features, but the VCs want the robot trucks and taxis for their trillion dollar win. No way full self-driving can do the last mile or work in all conditions. For example, human eyes have pretty decent dynamic range in dark, snowy conditions. We basically make intuitive decisions about which patch of white stuff in the dark of night is the best one to smash through to get our driveways, and I don't think the computer vision is yet discerning enough to facilitate that.


This is kind of funny to read, since in Norway basically every interaction with the government (paying taxes, filing for divorce, accessing our health records etc.) is done through an oauth2 system, the same one we use to log in to our bank accounts/get loans through. Most people haven't interacted with the government via paper in years.

https://docs.digdir.no/idporten_overordnet.html

https://www.altinn.no/hjelp/innlogging/id-portenminidbankid/

Some very few non-digital government services remain, unfortunately, and it seems like the storage of wills is one of them. Asset transfer is still going to remain a manual process though, even when digital wills are here, thankfully.


America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website. For example, there are plenty of elections across the country whose official results can't be accessed online at all. You have to call in, go in person, or request mail/fax. There's basically a minimum of 50 different systems for even the most basic of government services (such as renewing a driver's license). And then you need to multiply that by all the different agencies and services. The federal government couldn't force one system for everything (there are certain things that are constitutionally up to the states), so it would be basically dead in the water since the problem is getting all 50 states (each with their own internal politics) to agree to implement the same system.

Not a problem web3 can solve either. Social Security Numbers aren't secure, but we keep using them everywhere because the political will to implement a better solution doesn't exist.


>>>America's federalism would make this idea a mess here: Each state has their own system for everything and 50%+ of the lower-level governments/agencies (county or municipal level) don't have any digital footprint at all, even a website.

Additional example: I need to pay property taxes on my mother's house in New Jersey. I'm physically on the other side of the planet. While the town has a website, it's pretty much just a phone directory. I have to call them every 3 months, usually when it's 2-3am in my timezone, ask them what the property taxes are assuming I pay them by {$date}, and then mail them checks. I can't even do something as simple as enter the property lot number in a search field on their site, have it look up the outstanding taxes, and then just pay with a VISA card.

The Federal government SHOULD be able to force certain things in the name of "regulating interstate commerce". I would think that data standards and APIs would have efficiencies at scale that would reduce friction in inter-state transactions.


> Banks, brokerages, mortgage providers, and medical entities mostly don't use oauth2 and won't use this stuff either. The world is still old school.

I work for a bank and it has nothing to do with being old school. We use exactly the same technologies as any modern startup would e.g. Serverless, Kubernetes, Cloud etc and deploy into Production with blue/green releases every week.

It's just that the user experience of our entire customer base comes first. And whilst everyone "gets" usernames, passwords, PINs, TouchID, FaceID etc they really don't understand OAuth and other federated identity approaches. Like what Google or Amazon has to do with my finances and why I have to visit their site to reset my password.

People thinking that Web3 is going to solve this problem really don't understand that it isn't a problem that needs solving.


Whoever has the ability to generate that PK is the real centralized authority.


I'm reading this with an open mind, but I have questions:

> Problem #1: Owning Your Own Digital Identity & Fixing Authentication

My very technical friends who are security minded are on keybase.io. Multiple usernames and passwords across the internet is solved in various ways without blockchain. There are a lot of good password managers (I use an encrypted text file.) I don't feel Google owns my identity because I use their authentication system, so unless I'm missing something, I don't see a problem.

> enables advanced features like social recovery, which lets you recover your account if you lose your key via a smart contract that takes votes from guardians (friends or paid services).

> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.

This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked.


The audacity alone to think a single point of failure without any chance of recovery is a good idea for persona management in the real world is insane.


This is one of those things that has been an absolutely terrible thing for Apple over the years. People would forget their passwords on their phones or their iCloud account and lose access to everything. And there was nothing Apple could do to help them. So the poor people at the Apple Store just had to tell someone that the last pictures of their dead mom are gone forever.

Apple finally implemented a solution in iOS 15 (15.1?). You can designate people you trust to be able to help recover your account. Like your spouse or a sibling. If they don’t have full access, they can just help recover it.

You are 100% right. A single point of failure without any chance of recovery is a complete disaster for normal users.


> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.

Facebook already has this functionality and it's an absolutely massive pain if you're somehow not on their happy path. With no real way to figure out what the issue is and get it fixed or on the happy path.


Social recovery wallets usually use an m of n system where you don't need all keys to recover your wallet but a subset. For example, 9 total keys and any 5 needed to recover your wallet.

Let's say you give a key to a business and that business gets hacked. That's fine because a single key can't steal your wallet and you have 8 keys left. You can even invalidate the keys and generate 9 new ones.


> This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked

You could give keys to two businesses / people and require them both to agree before they can "unlock" the account. You could also add a timelock, so you have time to respond if they get hacked or collude against you.

These aren't really new ideas and exist in existing, non-crypto social recovery schemes.


I honestly thought this was going to be a joke post because that top image is ridiculous. Maybe I'm just old, but it reads to me as

Web 1.0: Great

Web 2.0: Ugh, ok

Web 3.0: You're serious with this?


It's not Web 3.0, that was the semantic web, which also aimed in some sense to be decentralized data but wasn't about turning the internet itself into a vehicle for ridiculous investment ponzi-schemes. The "new" one is Web3.


This is what bugs me most about this whole web3 situation, if people want to dump their money into these ponzi-scheme pump and dump bs be my guest, but then naming it web3 isn't very nice.

To then attach all kinds of good qualities to it that are not shown, nor proven, and often demonstrably incorrect just finishes it off.

As you say, a lot of the bigger ideas claimed to be part of this "new" web3 thing aren't new, and are interesting ideas that should be further explored, it would be much better without the ponzi sauce.


web3 = Web 4.0 I guess?

(Just like IPv5 never got anywhere??)


Sounds reasonable haha.

We might as well also try the HTML approach, attach some letters (DWeb, XWeb) then once we all regain our sanity continue with web 4.0


Rebrand, clever.


Agreed - the UX mock up there looks awful. If you go look at coinmarketcap.com there are already hundreds of coins out there. Are users going to have to find their wallet from hundreds/thousands on the lists? Or are maybe not all sites going to support every wallet, so therefore you're going to need to have multiple wallets to support multiple sites ... suddenly that "consistent identity" fails as you are actually juggling 20-30+ wallets for logging into different sites.

.... or it ends up that everyone just logs in using an ethereum wallet and you're back to centralisation.


The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.

That "Web 3.0 login" portion of the slide only makes that problem worse. Decentralization and a variety of choices absolutely fall apart when they meet non-tech users who have no idea what icon means what.


>The image amplifies what we already know is a fundamental problem with OAuth; people, instead of forgetting their username/password combo, now are forgetting which provider they use to sign into a service.

I already have this problem with Matrix/Element all the time. Not only do I forget my username and/or password on networks I've been logged into for months, I also forget homeserver addresses and all these other settings I had to set up at some point. Every time I get logged out of something, it takes a day or two to figure out how to get back in.


I had the same thought. Imagine listing all blockchains in tiny icons you scroll sideways. I suppose that can be done a lot better, but still, who decides which blockchains are included and which are not?


Precisely. Or what if you're some random grandma that has a wallet (since we're living in a make believe world where this is easy to create). Imagine you've forgotten which blockchain your wallet is on. Will there be a search box to find my wallet in this mess of combinatorics that is a login page?


I mined a teeny tiny bit of Dogecoin years ago. One of the times it spiked in price, I decided to convert my teeny tiny bit into Ethereum. So I used a wallet on a cryptocurrency trading site.

Do you know what site that was? I don’t. I can’t remember. I think the password may be in my password manager, but I’m not sure. I’d have to go digging.

But I am SURE I’ll remember which of the 1200 common block chains I use for my credentials.


Because that’s insane. Normal users couldn’t deal with that. Highly technical users can’t deal with that. It’s too much of a pain in the ass.

The solution is that there should only be one or two chains that everyone uses. Then there’s only one or two little icons you need.

The people who run the trains could make sure they keep running by having tens of thousands of computers. Of course that cost money. Luckily they get money out of the block chain because they can spend coins.

Of course users don’t really like buying things. Maybe it wouldn’t be too hard to put an ad or two in there to pay for things.

The easiest thing to get users on board is to use brands they trust. No normal person is going to trust everything they have to the Kakarot blockchain with an anime superhero for a logo.

Do you know who people trust? Facebook and Google. If they were to…

Oops. I invented today. Only with much more energy use.


As other comments have pointed out, there are other technical solutions to decentralized identity. The blockchain doesn't solve this problem any better than private keys or Persona or whatever. The article acknowledges this. The problem with existing solutions is not the technical problem, it's the social problem: making the new solution easy to use, fixing bugs and covering edge cases, and getting it deployed widely. The author claims that the social problem is what Web3 solves; that Web3 is the social solution counterpart to the blockchain technical solution.

Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised on one end of true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints is only mad because they didn't get in when the cryptocoin was cheap, and on the other end of grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.

This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scumminess of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].

Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.

[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.

[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?

[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.


Ownership IRL is proved by notarial deeds, what do you want to prove with a blockchain and how?


Most web2 apps support a smaller number of SSO providers.

Technically "independent" SSO providers and similar existed, but none made it mainstream because there was no reason for apps to support them, but there was cost to support them.

There is even less reason IMHO for most apps to support Web3 login (more complexity).

Furthermore even if they do the web3 login would probably still list Google etc. as the web2 login still lists email.

It's questionable that more than one maybe two blockchains will be supported.

It's likely that often only a small number of wallets will be supported, it's also likely that "bigtech" companies like google will provide web3 logins if it becomes successful.

So, it might happen. But I don't see it tbh.

There is just no reason to go the extra length to support web3 login for most Apps/Companies.

EDIT: Also trust of the general public in anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams, and money grabbing schemes. Which can hurt adoption of web3 login.


> It's questionable that more than one maybe two blockchains will be supported

You don't really need a blockchain unless you need to keep data on a blockchain. To log in and identify a user you can simply sign a message. I consider the address as the user "identity". Any blockchain data related to that address is meant to be public (some people register <some-name>.eth on the ENS for example).


If you don’t need a blockchain what makes this web3? I thought that was supposed to be the defining feature.

If it’s just cryptographically signing things we’ve had that ability since PGP came out.


And we had "independent" SSO schemes based on it, none of which gained widespread adoption (in the "independent" form).

The reason is the UX/UI flow, complexity for integrating them and users which already have it.

So if all people have a wallet at some point which they also can use for SSO that might get adoption.

Though for investment into crypto, instead of "daily using it" you probably don't want a hot wallet on your phone.

So as long as "daily/frequent/casual crypto usage" doesn't become a super common thing for large parts of the society (in the "western" world) it's hard for it to gain widespread adoption I think.


My big question with using a Web3 login is what advantages it gives the website owner.

With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.

With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need to ask them for that anyway. I guess you can tie that into your wallet somehow?

But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?

But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.


People already use ENS to register a <some-name>.eth name to the respective ethereum address. It's also easy to write a smart contract that keeps meta-info on an address. This data would be public.

> Why does currency and money need to get involved?

It doesn't. You only need a blockchain to keep public data. You can sign a message and login with that, no need to send a transaction, can be done with balance 0.


But I thought the whole point was "owning your identity"... and now you're suggesting that we should put our personal data on a blockchain so everybody can see it?


The identity owned is the private key.


Have you ignored the "public data" part of my comment??

Why do you twist "owning your identity" to mean putting everything about you "somewhere public" (like a blockchain)?


>Do people really not trust FB/Google/Twitter that much?

People in general or HN audience?


Web3 emphasizes privacy by default. Emails are no longer needed for password management so if you need them for something else users should opt-in.


Apple already provides something like that that’s WAY more popular and doesn’t require the waste of resources a public blockchain would.

I know some people (especially us techies) like to control the whole stack but who do you think the majority of normal users would prefer?


Bitcoin doesn't support web3. Ethereum is moving to proof-of-stake, so the resources issue is gonna become a thing of the past. Also using web3 for authentication doesn't broadcast any transaction. So zero resources are used at that point.

Apple has a closed platform mindset, I hope users will see the benefits in a decentralized open protocol.


> I hope users will see the benefits in a decentralized open protocol.

See I think this here is the biggest issue. I feel like we have 30+ years of proof that normal users LIKE centralization for the convenience and ease it provides.

Email is basically the last man standing when it comes to distributed implementations and 1) it had reached mass adoption early enough to survive and 2) we’ve centralized it to a large degree anyway with Gmail and outlook.com


I have a hunch that many services will probably want to collect the emails anyway. It provides websites a convenient excuse to ask people to join their marketing spam list. In most cases privacy isn't a profitable business proposition.


I was fully expecting to see an empty HTML page.

Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.

Having a key copied without your knowledge would be a major disaster, however.

Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.


It's not about using a ledger to hold public keys. The keys exist regardless of the ledger. The idea is to use the ledger to indisputably prove ownership or control over resources. Could be money, could be access to certain services, could be files, anything.

Also, the ledger doesn't have to be public.


If the ledger is not public, why would I trust it? If someone else claims they are you, how would I differentiate the conflicting claims?


Keys are identities. Someone claiming to be you doesn't matter. Always defer to keys.

A non public ledger would be something agreed upon by participants only. So you and I and 5 other people for example could run some type of organization using some private way to keep track of state. You choose to trust it, if you don't, then don't use it.


If it doesn’t need a public ledger, why do you need a blockchain in the first place?


It doesn't have to be a blockchain. All these people selling "blockchain" are selling hype, the only reason you need a blockchain is if you're in an adversarial, permissionless environment and need consensus on state, and possibly need a record of historical state.

In a private system, you just need consensus among participants, potentially in an adversarial environment, but decidedly not a permissionless environment. As long as state can be kept, depending on the constraints of the system any sort of consensus and canonical state keeping mechanism would work. Could be a blockchain or something resembling one, could just be a document and its hash kept by all participants and updated when the participants agree to a change. How complex you make consensus in a permissioned system depends on the goals and constraints of the system.


Messages are signed by cryptographic signatures so nobody can claim to be you.

This is how JWTs and many other protocols ensure message authenticity.


> nobody can claim to be you.

Nobody can claim to have your private key, but they can sure as hell claim to be you.

We won't know who the real numtel ever is without some real-world proof and verification. This is where a lot of this crypto-based stuff starts to crumble: sure the mathematics of the cryptography works well on chain, but there is a very limited set of things that exist 100% purely on the blockchain - as soon as you need to go off of the blockchain for anything (e.g. proving human identity, proving ownership of a physical asset like a house etc) then you're back to the same old problems we've always had of having to prove identity/ownership/whatever, and you can't use a cryptographic hash to prove that I own the apple I am eating right now ... perhaps you can prove that I own an apple, but can you prove I own this apple?


Nobody can claim they own the key you claim you owned, but, unless you have a person-to-key map somewhere, my claim I'm you is as good as yours.


A lot of these "this is not very different from X, you could do Y" replies remind me of the original Dropbox news.yc thread.

What everyone seems to be missing is that the web3 apps and UI conventions already have broad adoption among millions of only mildly techy users. They don't know what SSH is but they do know how to sign things with their in-browser wallet app. Of course, they also seem to not always know that giving away your private keys is quite bad...

But any "solution" that requires e.g. using the terminal is not really competing in the same space.


Do they really? Or did they follow some guide somewhere hoping to cash in on a gold rush?

If a huge number of people were using cryptocurrency to pay for things every day, I would agree with you. But I think a huge number of people just make one purchase and then sit. What percent of them could actually make a purchase without having to go look up how to do it?


> But any "solution" that requires e.g. using the terminal is not really competing in the same space.

The UI required for that is something that can be done in a couple minutes. The heavy lifting is done by libraries provided with the OS.


And Dropbox was trivially just rsync...

Yet, crypto wallets remain the only cryptographic signature UI that normal people interact with.


Dropbox was “just rsync“ but WAY easier to use for normal people. The iPod was JUST a normal MP3 player with a very easy interface everyone could understand.

Ease of use is EVERYTHING.

At no point does anything described about how web3 works or solves problems sound easier to use than the current system. Logging in with email and a password is easy. Using Google to sign in is even easier. Apple’s sign in system is ridiculously simple and frictionless.

“Start by finding a chain you like and creating a wallet” is not easy. Do you have to buy coins on the chain? I’ve been seeing a lot of these web3 articles and I truly don’t know. Buying coins is another huge hassle.

“Oh but they’ll already have a wallet.” How? At some point they have to create them. Even if it was easier once they’ve created it (which I dispute), how is that supposed to happen?

If you have an iPhone, you have an Apple account, can do sign in with Apple trivially. If you have an android phone, you have a Google account, you can do sign in with Google trivially. Either way you have an email address, that’s quite easy.

How can you EVER make something simpler than those? I think best case scenario you would be able to match them.

But then you’re back to the problem of why I should switch to the new thing when the current thing works just as well.

I just have a very hard time seeing normal users ever buy into any of this.


I hate all this "web3" stuff by default, but this is so important to remember so you don't miss out on what actually makes it through the hype cycle.


All of these decentralization arguments make me think of early git:

>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...

http://web.archive.org/web/20080821113906/http://git-scm.com...

Sure git can be used without the need to have a central server, but everything became so much simpler with github and other code repositories.

Decentralized systems are hard to navigate and humans will choose the easy thing every time.


Not just Git. Email. Money (used to be issued by individual banks). Internet infrastructure. The web. Everything goes centralized.... because... it's easier. And humans seem to show over and over again, easier wins.


Is that a bad thing? Web3 is ultimately about building hierarchies (DAO). I would like to see a diversity of new digital hierarchies, new federated systems with unique properties. Not just a purely decentralized system. Decentralized vs. Centralized is a false dichotomy IMO.


This problem is currently being solved by WebAuthn. For social recovery, if desired, the private key can be split up using Shamir's secret sharing.
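
The m-of-n recovery described earlier in the thread (9 shares, any 5 recover) and the Shamir's secret sharing named in the comment above, as an added example that is not part of any comment and not taken from any wallet or WebAuthn implementation. The field modulus, the function names and the demo key are assumptions chosen for illustration.

```python
"""Shamir's secret sharing over a prime field: a 5-of-9 recovery sketch."""
import itertools
import secrets

# Assumption: 2**521 - 1 (a Mersenne prime) as the field modulus, large enough
# to hold a 256-bit key as a single field element.
PRIME = 2**521 - 1


def split_secret(secret, threshold, n_shares, prime=PRIME):
    """Return n_shares points (x, f(x)) of a random polynomial with f(0) = secret.

    The polynomial has degree threshold - 1, so any `threshold` points fix it
    uniquely, while fewer points leave f(0) completely undetermined.
    """
    if not 1 <= threshold <= n_shares < prime:
        raise ValueError("need 1 <= threshold <= n_shares < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must be a field element")
    # CSPRNG coefficients: predictable coefficients would leak the secret.
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod prime
            acc = (acc * x + c) % prime
        return acc

    # x = 0 is never handed out: that point is the secret itself.
    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(shares, prime=PRIME):
    """Lagrange-interpolate the given shares at x = 0.

    The function cannot tell whether enough shares were supplied; with too
    few it returns an unrelated field element rather than raising.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % prime
                den = (den * (xi - xj)) % prime
        # Field division = multiplication by the modular inverse (Fermat).
        total = (total + yi * num * pow(den, prime - 2, prime)) % prime
    return total


def run_demo():
    # Constructed 256-bit "account key" for the demo (not a real key).
    key = int.from_bytes(bytes(range(32)), "big")
    shares = split_secret(key, threshold=5, n_shares=9)

    # Every one of the C(9,5) = 126 guardian subsets recovers the key.
    all_quorums_ok = all(
        recover_secret(list(q)) == key for q in itertools.combinations(shares, 5)
    )
    # Four colluding guardians interpolate to some value, but not the key.
    four_fail = recover_secret(shares[:4]) != key

    # Re-split after one guardian is breached: the stale share does not
    # combine with four fresh ones...
    fresh = split_secret(key, threshold=5, n_shares=9)
    mixed_fail = recover_secret(fresh[:4] + [shares[8]]) != key
    # ...but five stale shares still recover the unchanged key.
    stale_quorum_still_works = recover_secret(shares[4:]) == key
    return all_quorums_ok, four_fail, mixed_fail, stale_quorum_still_works


if __name__ == "__main__":
    print(run_demo())
```

Re-splitting the same key only stops old and new shares from mixing; a quorum of old shares still recovers it. Actually invalidating leaked shares means rotating the account to a new key and splitting that one.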


Yes webauthn is a much better solution to this.


The real issue for me is that I would rather have Apple sitting between me and To Ty's app than a public blockchain with no owners. There are just too many edge cases and circumstances where I would rather have a trillion dollar company defending me, a paying customer, against To Ty if the app turns on me or doesn't meet my expectations.

me < To Ty's app + whatever they can get away with.

me + apple > To Ty's app.


Nothing in this article requires or benefits from a blockchain. Social recovery of your account is a feature on Facebook and has been for years... There's nothing novel or particularly interesting here.

The only thing blockchain would add is a gas fee whenever I would log in somewhere, and would keep the same UX problems I'd have with login anywhere else.

Keep in mind the most successful project EVER in managing identity was Let's Encrypt. A centralized non-profit that got the internet to use https everywhere by signing ssl certificates and vouching for everyone's server for free, and as far as I can tell without collecting any personal data about anyone. Web3 is going to solve "this" (whatever this is)... Riiight.


Article: web3 solves decentralized auth, and you are now in control!

Also article: to use it, you need to trust a centralized entity like Metamask that develops your Chrome extension and some unknown programmers that code some "smart contracts" aka unverifiable code in esoteric programming languages.

Also article: look! a solution! it's better!


You don't need to specifically use Metamask to use a blockchain, just like you don't need to use a specific browser to view this site.


It doesn't matter. You end up trusting a centralized entity with your auth.

Unless, of course, you are a programmer yourself and can implement that "decentralized auth smart contract" from scratch


I'm glad someone took the time to write this. I think it's quite interesting that the prime example picked here is a UI issue. The author freely admits that the "web3" solution is basically just private keys with better UI. I'm not all that up to date on web3 stuff, but... it's not UI.

The quote from Vitalik is great though - the goal of crypto is to let people make all the same mistakes and find out single central authorities actually have been established for a reason.


I do think a lot of these things go round the circle then end up on the same solutions we had before.

Coinbase is a nice example; turns out it's quite nice if some sort of company protects your money, makes sure you don't lose access to it, provides you with insurance in case something goes wrong, and lets you easily send, trade, and convert money. Such a revolutionary idea, right?


Federated/Decentralised identity/authentication is a solved problem. For example, this is essentially OpenID. Unfortunately this entire concept failed to gain traction.


Ok that’s one try. And there were… literally zero reasons in the article for actually using blockchains or cryptocurrency.

I believe this guy is being intellectually honest (which is a feeling I don’t get often in this space) but I don’t think he’s capable of asking the right questions.

The question that should be asked is what is a problem we (humans) have that is not only solved by this new tech, but can’t in any way even by bending over backwards be solved with some other technology?


The proposal is strictly inferior to SQRL[1] plus emailing your friends shares of your secret[2]. You get private keys, no third parties at all, social recovery, but with no Blockchain costs. Bonus point: you automatically get a pseudonym for each app.

The point about financial incentives aligning more easily in web3 is good, but I understood that even the poster child Metamask is not complete as it's missing good social recovery UX.

Please stop trying to sell snake oil.

[1]: https://www.grc.com/sqrl/sqrl.htm

[2]: https://en.m.wikipedia.org/wiki/Secret_sharing
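Added example, not part of any comment in this thread and not code from the article: the comments above that suggest splitting a private key with Shamir's secret sharing for social recovery, and emailing friends shares of a secret, both describe a k-of-n threshold split. The code below implements that split and recovery over a prime field; the function names, the 2**521 - 1 modulus and the SHA-256 check value are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Field modulus (assumption of this example): the Mersenne prime 2**521 - 1,
# comfortably larger than a 256-bit private key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x using Horner's rule, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, guardians: int):
    """Split `secret` so that any `threshold` of `guardians` shares recover it.

    Returns (shares, check). Each share is an (x, y) point; `check` is a
    SHA-256 digest of the secret used to detect a bad reconstruction. Keeping
    that digest around is only reasonable for high-entropy secrets such as
    random keys, never for passwords.
    """
    if not 2 <= threshold <= guardians:
        raise ValueError("need 2 <= threshold <= guardians")
    value = int.from_bytes(secret, "big")
    if value >= PRIME:
        raise ValueError("secret does not fit in the field")
    # The constant term is the secret; the remaining coefficients are random,
    # so fewer than `threshold` points reveal nothing about the constant term.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, guardians + 1)]
    return shares, hashlib.sha256(secret).hexdigest()


def recover_secret(shares, length: int, check: str) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 and verify the result.

    Raises ValueError if shares are duplicated, too few, or corrupted.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    try:
        secret = value.to_bytes(length, "big")
    except OverflowError:
        # Too few or wrong shares give a random field element that almost
        # never fits in `length` bytes.
        raise ValueError("reconstruction failed") from None
    if not hmac.compare_digest(hashlib.sha256(secret).hexdigest(), check):
        raise ValueError("reconstruction failed")
    return secret


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key, not a real wallet key
    shares, check = split_secret(key, threshold=3, guardians=5)
    # Guardians 2, 4 and 5 cooperate; the other two are unreachable.
    subset = [shares[1], shares[3], shares[4]]
    print("recovered:", recover_secret(subset, 32, check) == key)
```

Any `threshold` guardians acting together can rebuild the key without the owner, so the threshold and the choice of guardians are the whole security boundary of this scheme.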


Great - now I'm forced to be on some blockchain somewhere to get anything done.

This is progress?


You are missing the point. The article is about login methods. Username/password vs message signed with a private key. The blockchain part is there because it is the only ready-to-use way to do it in a browser.

It's absurd how HN users in general are so dismissive of anything cryptocurrency


My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done.

> It's absurd how HN users in general are so dismissive of anything cryptocurrency.

It's quite reasonable actually, given the prevalence of not just hype, but frequently delusional / just plain rambling and incoherent hype surrounding it -- not to mention blatant fraud and manipulation aimed specifically at unsophisticated users.

And the skeeviness of many people involved in it.

That said, the OP presents one of the more thoughtful proposals I've read recently, and may belong to the 5 percent or so of blockchain applications that just might have a useful application. With emphasis on "just might".

We'll see.


> My point was usability. And being (effectively) forced to join / legitimize their hive to get anything done

I agree with you on this. For the purpose of logging in with a private key, I would prefer some browser extension (or built into the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.

> ... not to mention blatant fraud and manipulation aimed specifically at unsophisticated users

Also agree, but probably for different reasons. Many people on Twitter have the tendency to be mean; Twitter doesn't make people mean, but it amplifies it. There are so many scams and manipulation because scammers and con artists always existed and people's greed for that 100x token and so does the scamming.

The speed of communication that the internet gave us also serves as an amplifier of the ugliness of human nature


> For the purpose of logging in with a private key, I would prefer some browser extension (or built into the browser) that generates a key from a seed (like a crypto wallet) and only does that. This doesn't exist at this point.

What about https://www.yubico.com/products/yubikey-5-overview/ or https://cloud.google.com/titan-security-key/ or https://krypt.co/ (before it was acquired, I still use it though) or any of its equivalents?


I'm familiar with those (YubiKey and Titan; didn't know about Krypt). Don't own any of those but always install the FIDO U2F [1] app on my Ledger hardware wallets (which is a nice extra).

My issue with using a physical device is that it detracts from adoption if there is no other alternative. A browser extension or built-in helps adoption, and adoption probably increases the number of people using physical devices.

[1] https://www.ledger.com/fido-u2f


Blockchain isn't the only "ready to use" way to use cryptographic signatures for authentication. One reason people often are dismissive is because people who are pro crypto say things which aren't true, like this.

Various authentication schemes have used digital signatures...on the web... for decades at this point.


I like how "trustless" falls through the cracks at each and any of the Web3 posts I read.

It shows up as a marketing trick because it obviously means something very specific for that crowd and it is explained somewhere with a fine print.

I will stay with a thought that trust is not something that can be solved by technology :)


>The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.

>You can also do this to require approval from your friends before a certain amount of money moves out of your account, making theft significantly harder.

Okay, what if your relationship with those people changes? If you've lost your key or it's destroyed (maybe as a result of those relationships changing before you've had a chance to do anything), presumably you can't remove the trust relationship with your former friends. You then can't withdraw unless your new enemies say so, and you can't change that trust relationship.

Plus what are the rules around removing the withdrawal limit? If I can just remove it at any time, how's that going to prevent theft, as I can just remove the limit before the theft?

This is now yet another security consideration for regular users. In addition to ensuring your key is backed up, you have to think about contingencies for if/when these trust relationships change.

But flip this feature on its head and give your bank this trust, and at least you have the same resiliency as your current bank account. Ironically, you likely want to trust a large entity with vast resources (presumably too big to fail) instead of friends and family if you're looking to be secure against loss of your private key.


Unless you're running your own servers, you don't own nothing ... you're still going to be tied to a 3rd party that does that for you. This is what the web3 crowd don't want to understand, they will keep telling you: big tech ruined the internet bla bla bla switch to us because we are decentralized and you own your own data, ok ... but if anyone wants to use it or access it they need to go through us


Not to be that HN poster, but wouldn’t a PGP key browser plug-in do just as well?


What recourse would you have if you lose your private key? The author mentions a solution to that problem.


Same as Argent. Elect 4 trusted people, if they all ok it’s really you, the custodian (a company that stores your private keys, like LastPass), releases it to you.


I sincerely don't follow the logic on how Web3 "solves" the problem posited in the "But what if someone loses their private key?" section:

"Some of you might already be familiar with multisig, which is a similar concept... The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key. ... With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services. If you ever lose access to your private key, there is a smart contract encoded on the blockchain that says that if some number of your guardians all agree (you pick the number) then you can move your account to a new private key."

I didn't see anything about Google being a requirement for multisig, so I'll skip the author's aside and ask, "How are these two things different?" Multisig lets friends "vouch" for us to move our account to a new key and social recovery lets friends "agree" to let us move our account to a new key.

These sound exactly the same to me?

The original writeup says something about "multisig moves the burden down to the user to issue keys" etc., but setting up smart contracts would still require someone to do some kind of setup work. Those contracts aren't just going to magically appear out of nothing; at the very least you'll have to select your friends, get their agreement, and a contract would have to be issued and signed.

I dunno, I still fail to "get it" (this is not an invitation to try and help me "get it", as helping people "get it" is kind of the point of the original blog post)


Why can't this be done with existing public key cryptography?


There’s even a standard for doing this with WebAuthn.


WebAuthn is exactly what I thought of too... and hardly anyone is supporting it. In fact the only place I've seen it was Best Buy's website, oddly enough! Having yet another way to do this sort of authentication isn't going to magically make people start using it.


...which has effectively neither adoption nor momentum to achieve adoption: https://sec.okta.com/articles/2020/04/webauthn-great-and-it-...

For better or worse, there are a large (and ever growing) number of Metamask users these days...


Absolutely, but let’s not pretend this is some magic technology that only cryptocurrency can solve. Nor is it clear cut that we’ll see adoption of wallet logins outside of crypto circles.


The web3 solution is significantly easier than webauthn, if what I read in the above article is to be believed.


There’s a trade off there though. There are also other standards. People should probably want their cryptowallets to be better secured than they are. But crypto is facing the same UX challenge which leads to a worse model with the same attendant risks as phishing passwords.

The point still is that logging in with public-key cryptography is not exclusively a technology supported by cryptowallets.


It can. The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.


>> The biggest success of crypto has been putting public/private key pairs in the hands of 10s of millions of people.

I would argue that the biggest successes of crypto are selling GPUs and facilitating malware ransom payments.

GPUs have sold like crazy and you are lucky to get a high end one with the current demand. Everybody and their pets are running mining rigs. Good luck getting a nice GPU for machine learning or graphics rendering.

Previously malware authors had to rely on gift cards or similar means to get paid. Now they have variety of cryptocurrencies to choose from and they can even trade cryptocurrencies to launder the paid ransom funds.


Here is a good thread with more information on why giving everyone a public private key pair is a big deal and the kinds of use cases it unlocks: https://twitter.com/BrantlyMillegan/status/13892701158840975...


It can. It just happens that the easiest way to achieve this is using web3, even if there are no blockchains involved. The article is about login methods, not cryptos or web3.


> It just happens that the easiest way to achieve this is using web3

Is it? U2F is actually rolling out to more and more websites but I've never seen any website offer to log in with a dropdown for cryptocurrencies


Websites that are related to cryptos do it, others generally don't. Try dappradar.com/ for example.


> The article is about login methods, not […] web3

It’s literally titled “Real Problems That Web3 Solves, Part 1”


The author discusses this explicitly in the article.


IndieAuth[0] is an open standard decentralised authentication protocol which doesn't need blockchain or cryptocurrency.

[0] https://en.wikipedia.org/wiki/IndieAuth and https://indieweb.org/IndieAuth


I was expecting a blank page.


I like the starting focus on identity. Imagine if emails to you were authenticated by a token that you authorized by logging in, and could revoke at any time. In a Web2 world, features like this get created by Google, Apple or whomever inventing a permissions system that works on their platform -- and serves their product goals. In a Web3 world where you issue identity tokens, you can revoke them arbitrarily, so if your identity is shared you can trace and revoke at the root. Services move from worrying about how to game Apple's privacy model to how to avoid a ban that remains strictly in your control.


...and in a Web 1 beta II world this was already done by PGP in 1991. Granted, it never achieved mainstream adoption because it's somewhat cumbersome and solves a problem people do not actually experience. Sort-of like everything blockchain, one might say.


I like the "social wallet" idea, though no blockchain is needed for that. But there's a real danger that if enough of your friends get compromised, you can get compromised as well, and that can snowball. And most people would not be secure enough. So you'd want to have someone more secure as part of your "social set" - a large organization that actually does serious security. But then you're again depending on some large organization. You could require at least one of several large organizations, but that in turn reduces security.


What’s even the difference between «owning your digital identity» with email/password vs any other authentication method? Why does it even matter [0]? You don’t own any data connected to that digital identity [1]. I might be a bit on a radical side here, but to me it’s either you own everything or you own nothing. There’s no in-between.

[0] Except for OAuth since OAuth provider could ban you at any time.

[1] Until it's encrypted with your own public key and isn't stored anywhere in plaintext. Which can't be 100% guaranteed with any proprietary 3rd party service.


Great post!

This definitely has me thinking more about the extent to which the strength of a particular identity representation is determined by our willingness to bind artifacts of value to it.


... why would I want to share my wallet to something I trust less than a strange dog? Or part of my identity? No thanks.

One of the great things about usernames/passwords is it didn't demand that vulnerability - you could come up with whatever and it was your responsibility to keep up with your shit. Systems that mimic real world systems on average feel less prone to this silliness.


Email/password is terrible UX for the vast majority of users. It's forgettable, it's not secure, and it exists only because it has existed since the dawn of computers.


I disagree. Email and password is terrible compared to what?


This is probably the first blockchain use case that I've found compelling, outside of using its obvious use as a speculative asset of course. I hope the author elaborates more on this in the next part because there are still lingering questions - like how much would CRUD operations on your digital identity cost? After all, most blockchain technologies have associated "gas" or other transaction fees.


I still don't see how this is solving any problems. What if I just want to consume the content on the open web as is without logging in? It's one of the reasons why I have to use archiving sites to read the news because half the time NYT or WaPo whine about me not being logged in (as if being able to spam me with ads wasn't enough). I think all the noise about fixing identity and the like is just another way to force end users to give up privacy so content creators can just data mine more and sell it all off to ad companies. Like even to pay for something via crypto currency doesn't need much of a fixed identity other than a wallet address to send/receive coins from/to. Outside of that, why do they need to know I am X person rather than just X wallet/address?


Are there any security risks with signing onto a site with Metamask? Is there any way for them to drain your wallet without prompting you?

If not, then it seems to be a superior method and experience. You don't have to deal with usernames/email/password, and it offers more functionality with currency.


There have already been many many scams perpetrated by things CLAIMING to be MM/OpenSea


When you sign in with web3 you are signing a message with your private key, and the website is verifying that it was in fact you that signed the message by checking the message's signature with your public key.

The only way anyone can gain control of your wallet is if you give them your private key (or the seed to the privk) or if your PC is compromised (but you have bigger issues then).


The major issue with the article is that the source of the described problems are due to business agenda and not technology. Everybody can run an OAuth2 authority but of course only tech giants have the marketing to lure everybody into their nest.

Technology won't fix greed which drives business.


So the main selling point to "rational" people is that you can connect your wallet to websites?

As in potentially link your income to every site you want access to?

If I wanted to do micro transactions, and let everyone drain my bank account, I'd not have 2fa on, use my real name, address, DoB for things.


All these “web 2” companies are going to create their own “web 3” services that will only work on their own product, and we have overly complicated solutions to an issue which didn’t really need solving.

Can’t wait for my reddit or meta tokens which have a zero value.


My question with any blockchain application is always what does it solve that a centralized trusted database doesn't solve faster and with less waste? You can implement social recovery in a centralized database with less waste.


trustless, immutable, censorship resistant, permissionless.


How is any of that useful for a particular application? For every single application blockchain has been applied to, these are downsides.


I suppose blockchain can be a mechanism for the reification of pure information. So turning something that only has a value, into something that has a unique identity that can be 'pointed to'.

In the real world I might have a physical key (or some other interesting object) - there is exactly one of it and it exists in exactly one place (though of course I can create copies - but they are new objects).

In the virtual world this is a bit harder to construct and enforce - information is entirely ephemeral, and has no concrete existence or place. Maybe blockchain can provide that (in the context of the chain only of course).


I'm not sure about the present tense here; a conditional would fit better.


I don't see any advantage in the proposed system over oauth-based solutions. Currently, you trust one of some set of big companies to verify your identity, but these big companies might misbehave. The web3 solutions mean that you trust that some blockchain-based approach will be programmed correctly and not have bugs that render it useless; requiring N different people to recover an account will impose unacceptable delays in emergencies.

Better to give one or more nonprofits the job, have them manage identities and do nothing else. No energy-sucking blockchain needed.


I believe the key issue of debate is that people ignored the context: "Many people, including myself, believe that the individual should be able to own their own identity."

The cryptocurrency and decentralization are possible because some people believe and live on those ideas. For those who don't care, bitcoin is $0 or worse: a Ponzi scheme. For those who believe in it, the goal is to own one's id, data and money, and collaborate without a big company or a central government.


So the author made up a problem and said blockchain was a solution.


Web3 did not invent cryptographic login!

Client cert auth has been available for decades. There was never a need for centralized login.

It’s a one-liner in Apache with mod-ssl, and here’s a random google result showing the entire thing in a few lines of standard library python: https://gist.github.com/nebulak/6d865ddd768fb905a562d6026cdd...


I'm curious. The main thing he's pitching seems to be logging in with Metamask or similar with I guess the 'username' equivalent being a public key and you verify it with a private key. This tech has been around a while, since 2017 at least. I still have Metamask and keys in my browser from speculating on tokens back in the day.

Do any mainstream sites let you log in that way? Any plans for Metamask login on HN?


So now I have to manage not only my own key, but the keys of any of my friends who want me to vouch for them every time they lose their phone? No thank you.


The contract would likely be constructed to use any address (public key) you prefer, so it could be the public address of your favorite private key. Or not. The choice is yours.


Digital signatures have already solved the identity problem for anybody too paranoid to trust Google and OAuth. It doesn't require a blockchain either.


I’m open to web3 being a new and exciting phase of the Internet. I’m just wondering when it will come to me. You’d think if it were such a huge revolution it would start appearing organically in my every day web experience, but I don’t own any crypto, and to the best of my knowledge I have not yet organically stumbled into a new experience built on web3 innovations.


A question that isn't really delved into here, given a social recovery scheme, this iiuc must run on chain, so there are gas fees associated with account recovery. What's the cost to recover an account if I lose it today? Is there any way to reduce that cost, or will there always be some (potentially hundreds-of-dollars) fee associated with account recovery?


> One common refrain is that “blockchain is a solution in search of a problem.”

After reading this article it seems that the most useful thing someone has thought to use the blockchain for is [checks notes] a form of social media popularity contest to recover the key to your blockchain wallet.


Identity is a system of vouching so as to gain access to protected resources.

The article suggests you should let a network vouch for you instead of a corporation. By doing this you gain “ownership”.

You only “own” something when you can create, destroy and erase all signs of its existence at will.

Explain how you do this with Web3.


So, web3 regularly gets updated into the front page, only to be utterly trashed in the comments section.

What gives?


There is a group of users here on HN that REALLY like cryptocurrencies and blockchains and such. Web3 seems to be the latest on that hype-train.

There is a different group here on HN that REALLY hates it all. It was interesting technologically but then it started producing more CO2 and using more energy than reasonably sized countries. It also seems to be the method du jour for scammers to take money from people. It’s almost single-handedly enabled the ransomware industry.

And people like to shit on the current hot thing, deservedly or not.

So here we are.


A lot of HN users were aware of bitcoin when it was worth pennies. Seeing it sitting at 50,000 dollars after trashing it created bitterness and cognitive dissonance.

I visit other sites where I can honestly say their users are honestly ignorant, given their lack of technical understanding. But here? This is sad to watch. If crypto/blockchain/web3 continues the current trajectory (or bitcoin goes to 100K), it will be worse, because the proud/bitter HN user will never admit to themselves that others can "get it" even though "I didn't get it".


That’s not totally wrong but I’d put it differently. This site is home to a lot of people who work hard to try to do something useful. It inspires resentment to see people get rich by just holding a token. Makes you feel like a fool for trying to do useful work.

I think the almost religious zeal makes it much worse. People win the lottery but they don’t claim to be geniuses or representatives of a shining new utopia for it. They just say they won the lottery.


I understand, but people get rich all the time holding stock like AAPL or TSLA. HN doesn't seem to have a problem with that. Some people see the future, do the research and risk it all on a stock or a cryptocurrency, some people take their last ten dollars blindly gamble on a lotto ticket or a cryptocurrency. How they earned the money they risk should be of no concern.


The only tangible authentication solution is MetaMask, a crypto wallet. This is just typical Web3 dishonesty.

The article doesn’t show any problem solved by web3 tech that existing solutions can address much better.


Are there security/UX risks with users getting used to using their wallet for auth? It's difficult to know a safe vs. potentially unsafe site when it comes to crypto. Reading the docs, it appears to be relatively limited permissions, but either by giving more permissions than desired or phishing? Or can they combine the authentication with additional information to become a more effective spearphishing target?

If my email account is phished or hacked, it's bad, but there's a level between my cash and my email account. If I make a mistake here, potential losses are higher. In which case I'd probably have a 2nd wallet for auth and another I actually use, which then becomes more of a pain. I don't trust my parents or less technical relatives to use this flow safely.


What’s the recourse if you lose your private key?


This article doesn't add up the points to anything that solves for the given problem. Owning identity isn't solved by saying "don't trust ${third party}! Come trust ${my preferred third party}, it's better!" Any blockchain is still a third party that all parties involved with need to place trust in. It isn't somehow more or less trustworthy just because it exists.

> Many people, including myself, believe that the individual should be able to own their own identity.

Yes, this is nice wishful thinking, but on a global scale it's not really possible or feasible.

> OAuth2 should be used for what it was intended to, which is for a web service to provide another web service with a user’s data given that user’s consent. It should not be used as a global digital identifier because that’s too important to be owned by anyone but the individual themselves.

So, instead of OAuth being in the hands of FAANG[1] it's in the hands of ${blockchain-of-the-year}? How does moving the trust from a centralized company to a centralized blockchain change MY ownership? If I move everything away from FAANG to someone's blockchain, I have no assurance that chain will continue existing. If there's a flaw found in it and everyone moves to another chain, now what? Sure, we can make the same claim about FAANG not continuing to exist, but the point is there's no inherent advantage here, they're equal. FAANG are supported by millions of individuals and companies that are all, together invested in their success. There's no unilateral agreement on blockchains and I doubt there ever will be.

>With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services.

Again with the trust this and not that. All of my friends, family and other services need to then agree that they're all going to trust ${chain} instead of FAANG. It doesn't fix the problem. "the blockchain" isn't just one thing. Whose chain do we all shift trust to and from and based on what security? At least with Google I can rely on their security because if they end up with a breach of trust it's going to have a massive, real impact on share prices and consumer trust around the globe. That's incentive enough for me to rely on it day-to-day.

This article has some interesting tidbits but overall seems like just a baseless rally against FAANG by someone who knows very little about complex authentication or trust and security in the real world.

[1] https://www.investopedia.com/terms/f/faang-stocks.asp


A properly decentralized blockchain isn't a third party in the traditional sense, a human or organization that is bound to follow its agreements until it doesn't feel like it anymore. It's an algorithm incarnated.

That said, its initial and continued existence is dependent on economics. Who will market a service that they don't stand to profit from? Who will drive large organizations to invest in infrastructure that doesn't improve their profits? Either no one will, or it will be adulterated in the process. Sadly the community spirit that drove a lot of early internet development seems to be lost.


Finally straight to the point: Web3 log in with your wallet.


Major browsers support client certificate authentication. RFC 5246, is this it? And where is the web 3.0 part?


tldr; this article describes one problem that a blockchain solves better than existing non-blockchain solutions (identity).

My issue with the article is that it uses a lot of words to try to explain why web3 and blockchain may be the future. But for what point? If an important technology comes around which happens to use web3 or blockchain, I’ll see it’s important from its description and I’ll adopt it. I don’t need to support “web3” as a concept, because web3 basically means nothing. And I don’t think that web3 or blockchain is intrinsically bad, I just haven’t seen anything particularly useful with those technologies yet.



