In this week’s deep-dive, we’re going to talk about identity and authentication. We’ll look at how the space has developed, where it is now and what Web3 may be able to improve.
A brief history of authentication
In 1960, MIT had a computer that all students shared. A student named Fernando Corbato noticed that students had access to every other student’s files. To overcome this, he came up with a system where every user had a specific key, i.e. passwords. The passwords were saved in a text file on the machine, so any user could gain access with some digging.
The focus of the 60’s and 70’s was encryption. Everyone has a public key that they are free to share. Everyone also has a private key that should not be shared with anyone. The private and public key are required to authenticate the user. In a simplified sense, our email address is the public key and the password we use is the private key.
By the 1980’s, we had moved to physical devices for authentication. As computers became more powerful, hackers could write programs to guess passwords faster. Hardware tokens provided an additional security layer because the number they displayed changed every 60 seconds.
The 90’s saw the world wide web take off. Protocols like TLS were developed and authentication was standardised.
The 2000’s saw an explosion in the number of applications and websites. It became (and still is) difficult for users to manage a username and password for every application. Simultaneously, the number of malicious attacks also increased. Single sign-on and multi-factor authentication (where you provide a code received via SMS, email or an application) gained traction.
The 2010’s saw the advent of biometric identity. Phones were smart enough to recognise your thumb print and your face. Biometric identity was useful in two ways. First, to act as the authentication mechanism directly. Second, to serve as a channel for multi-factor authentication (where you log in via email and password, and then confirm via your Face ID).
Though the tools look very different, the problems to be solved with authentication haven’t changed much:
Every individual needs a unique key.
This key needs to be accessible on a variety of devices to authenticate the user.
If a malicious actor were to find this key, it shouldn’t be usable.
Attacks are a ticking time bomb: as computers get faster, the probability of a hacker being able to figure out your key increases.
Where are we today?
Today, most applications and websites continue to use email and password logins. If they care enough about security, they require multi-factor authentication (MFA) via an authenticator app, or a one-time password.
We have tools at our disposal to prevent most attacks. For example, in 2019, Microsoft reported that setting up MFA prevents 99.9% of attacks.
Today, the tradeoff is between security and user experience. Plotting MFA methods by user friction against strength makes this clear. WebAuthn (platform) refers to built-in authenticators such as Face ID. WebAuthn (roaming) refers to authenticating with a physical device like the RSA SecurID. Other than these two and push notifications, all other MFA methods that exist today have a high degree of user friction.
The user experience problem is multiplicative. The more apps I have, the more friction there is. The nature of an MFA login for every single platform means that I need to look for a code either via SMS or an authenticator app.
Signing in with an OAuth provider like Google solves this problem with three caveats:
The application needs to offer the provider as a sign in method.
The user needs to have access to the provider.
The user needs to be comfortable with the provider (e.g. Google) using their data for targeted advertising.
Why is Auth with Web3 a big deal?
Web3 has the potential to build on our history of identity and authentication by improving the user experience.
Security improvements in Web3 won’t be unique; any security improvements we see in Web3 will manifest in Web2 as well. Web3 can improve identity with a better user experience, and adding functionality we’ve never had before. We’re still very early though, so treat the below as under construction rather than ready for use.
A single identity that I control.
Use a single login for every application.
Users can pick up a handle using a protocol like ENS domains. For example, my handle is ntkris.eth. This serves as the universal login for every application. Why is this different from authenticating with Google? Because I’m not trading away data or privacy for convenience. Do most users care about this? Time will tell, but read on as there are other advantages.
Easily revoke access
Review every application you’ve logged into, and revoke access if you wish to.
Web3 gives users the ability to control permission either entirely or on a piecemeal basis. For example, I want to use my handle to sign in to Opentable.com. I grant access for Opentable to use my unique ID, but nothing else. Websites like revoke.cash allow you to do this already (though the user experience isn’t great). This is something you can also do with OAuth providers like Google. The difference with Web3 though is that revoking access is guaranteed whenever you sign in.
Authenticate and Pay
Pay for goods and services with your identity.
This is the biggest advantage of Web3 for me. Because you authenticate with your wallet, you can also transact. Imagine logging into an e-commerce website with 2 clicks (one for login and another for MFA), and then being able to pay for goods directly. Apple Pay offers the latter on our phones, and it’s a much better shopping experience.
Grant access to my information
If a user chose to, they could provide access to the information stored in their wallet. This could be your shipping address, or proof that you are part of a community (e.g. via a token). This is also unique to Web3. We’re not used to our email addresses holding assets.
Solving the UX challenges in Web3
We’re far away from realising the above because the user experience is not there yet. We need to solve the following:
It’s expensive to transact on some chains. Chains like Ethereum have high transaction costs. Layer 2 chains like Polygon and Layer 1 chains like Solana are solving this.
The user experience of wallets is bad, but improving. People want products that are easy to use. Most of them don’t care about decentralisation or self-custody.
If the biggest advantage of Web3 and identity is paying for goods, we need a stable form of payment. We need a stable coin that people believe in and transact in.
Users will want a separation of concerns. Wallets are a blessing and a curse. I don’t want every application I log into to have access to all my assets. This is easily solved with multiple wallets, but the user journey needs to be thought through.
There are a bunch of protocols and companies building in this area:
Stytch
An authentication startup that is bridging Web2 and Web3. It allows you to seamlessly integrate Web3 logins into your existing Web2 app. They raised $90 million at a $1 billion valuation in November 2021.
Web3Auth
A startup that’s tackling the poor user experience of using private keys in Web3. Their goal is to give users control over their keys and offer a better experience. They improve the UX by splitting your private key and storing it in 3 different places using the Torus network.
Polygon
A layer 2 chain on Ethereum that has announced it is working on an identity protocol. The protocol is private, provides on-chain verification and permissionless attestation. On-chain verification means that your information is stored on the blockchain. This is important because no one owns your data other than you. Permissionless attestation means the protocol can confirm something without sharing it. For example, if an app wants to know that you live where you say you live, it can confirm this without getting your actual address.
To close
I’m excited about the prospect of Web3 changing how we think about authentication and identity. We’re a long way away, but there are many folks working on solving this problem. I’d love a world where I can have a single login, remain in control of my data and pay for goods.