Real Problems That Web3 Solves, Part 1

168 points | waprin | 4 years ago | billprin.com

305 comments

[+] jdlshore|4 years ago|reply
Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.

It failed to gain traction, and Mozilla eventually pulled the plug.

Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.

Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

[+] superfrank|4 years ago|reply
> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.

That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly crept back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.

[+] throwaway92873|4 years ago|reply
The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of WordPress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.

Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.

I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.

[+] carlosdp|4 years ago|reply
I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.

Persona failed because it was fighting against a headwind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.

Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

[+] scotu|4 years ago|reply
Agreed. This comes down to lack of power to push a system onto its potential users; Mozilla didn't have a userbase large enough, nor could it incentivize 3rd parties to force it onto their users. You could argue if the UX was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.

My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).

[+] voidmain|4 years ago|reply
The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.

Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first sites supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.

Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.

Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.

[+] imgabe|4 years ago|reply
I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.

[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.

[+] whywhywhywhy|4 years ago|reply
> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community

What’s in it for the user to sign up for Persona? Nothing

What’s in it for the user to get a crypto wallet? Money

There’s your answer.

[+] blitzar|4 years ago|reply
Despite these advantages, MySpace failed. I don't see how Facebook, with so many disadvantages compared to MySpace, could possibly succeed.

fwiw I agree, but first to market is often first to fail.

[+] cranberryturkey|4 years ago|reply
I don't know about that. I feel like OAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.

[+] gillesjacobs|4 years ago|reply
Cryptocurrency ecosystems have the advantage of economic incentivization and if they're decentralised, uncensorability.

Those are two major advantages.

[+] nathias|4 years ago|reply
Federated systems are bad; they combine the negatives of centralized and decentralized systems. It is no wonder that they fail repeatedly.

[+] hffft|4 years ago|reply
> Persona had many advantages over the Web3

it has none now ;)

[+] itsdrewmiller|4 years ago|reply
One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)
[+] mattlondon|4 years ago|reply
> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.

Do we really need this? Do we really want to permanently tie identity across websites like this? I find this initial "need"/justification/requirement questionable.

I have a login on HN that is totally unique to e.g. Twitter and Instagram and <shudder> LinkedIn. Same with work vs personal. This is deliberate. I do not want to have the same identity here as I do elsewhere. There are many hopefully obvious reasons for this - mostly privacy (both in terms of immediate "in the moment" privacy, but also temporal privacy in the sense that I might not want some potentially ill-advised comments I made on some website 15 years ago to come back and bite me), but also it offers protections against "cancel culture" and general cyber-stalking and doxxing etc as that would become a whole lot easier if you can just run some query on a blockchain and find every single website I've ever used and dredge up my comments/content/etc. Being able to do that sounds very dystopian to me - why don't we just tattoo a barcode on our necks and be done with it?

[+] betwixthewires|4 years ago|reply
So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.

There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a github/gitlab/codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.

[+] lamontcg|4 years ago|reply
Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.

Mostly what I care about is logins and payments which are addressed by password managers and form filling for credit cards. I just want a friction free experience for setting up an account, logging back into it, and maybe purchasing something.

And ideally I'd like to self-host, maybe with a service that looked like a NAS appliance hanging off a guest network on my router with a forwarded port through the firewall and some method for tracking my IP address (dyndns or similarish).

And ideally payments happen by a handshake between the service I run, the processor and the merchant in a way that my actual credit card details are never used. And for recurring payments I have the ability to just switch them off. Bringing all the control back to me and not leaking out reusable PII everywhere.

Of course corporations would aggressively hate that since it would destroy their business models of recurring payments for services the user is no longer using and the requirement of calling up the business and having to convince some phone operator that you really want to cancel.

[+] DeepYogurt|4 years ago|reply
I agree that we don't need unique identities across everything, but even if that is a real problem it is also solved by public key cryptography without a requirement of a blockchain.
[+] pkulak|4 years ago|reply
Private keys are cheap to make. There's no reason you couldn't have a different one for every site. Of course, then it's on you to keep track of them, but it's already on you to keep track of the credentials you're using now. At least this way, the default of "use the same creds everywhere" is secure, if not more private.
[+] rizkeyz|4 years ago|reply
Exactly, we do not need it. If it weren't for job negotiations I'd be making all my contributions on the net masked.
[+] endisneigh|4 years ago|reply
So what happens when you get phished with Web3? If the value of all crypto goes down 10% YoY why would you use it?

The author makes a bunch of silly assumptions:

> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.

No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.

The author advocates third parties like Metamask and using a Chrome extension, which is ridiculous. If you're going to trust that, why not trust Microsoft, or Amazon, or Google?

> With social recovery, instead of having to trust Google, you can choose who you trust, and instead trust a given set of friends, family, and services

Yes, because Google is not a service.

Ultimately the author makes up a problem and says blockchain is the solution.

Even if we suppose it's a solution there's no discussion around phishing, stolen identities, or any failure mode really. Of course there isn't though - in general recourse requires an authority. Blockchain has none.

[+] rchaud|4 years ago|reply
> No, this is not true. That's why most people on this site are not logging in through Google. Sites will store their own data, and if you trust them to store that data there’s really no reason to just trust them to store a link to your identity.

You're missing the point. Yes, we don't need OAuth to log into HN. But HN is a site that is over 15 years old, and reflects the technology of its time. Instead, look at the companies YC funds and ask yourself how many of them DON'T have OAuth/SSO of some kind. Reddit is roughly HN's age, and you can see that with the introduction of VC money and profit goals, they've shifted towards discouraging anonymous logins. My 10-year-old Reddit account doesn't even have an email associated with it; I doubt that's allowed now.

The old web made by hobbyists having fun and not trying to sell anything is long gone. Even sites like HN are disappearing, and everything IS being monetized, whether we like it or not.

[+] thebean11|4 years ago|reply
Identities on Microsoft, Amazon, and Google are not portable. They can permanently ban you and you lose access to every single service you used them to authenticate to.

Private keys are portable between wallets.

[+] roca|4 years ago|reply
I'm open to the idea that there are real problems that are best solved by PoW/PoS blockchains and smart contracts, so I was hoping this article would reveal one. It doesn't. As mentioned elsewhere, Persona was already a perfectly good technical solution to this, years ago. It failed for various reasons, none of which would be addressed by blockchains/smart contracts. Likewise, the problem of "conveniently and securely log in everywhere" is well solved by WebAuthn.

Arguing that "web3" will help because it will improve UX is ludicrous. "web3" provides nothing directly to boost UX. "web3 hype means there's lots of money sloshing around which can be used to improve UX" is an admission of defeat; all the money being sucked into the crypto space could be better deployed to solve these problems directly.

If this is the best shot at "real problems web3 solves", then there really is nothing there :-(.

[+] serverholic|4 years ago|reply
Have you actually used a web3 website? Once you have your wallet setup it's the most seamless login experience I've ever had.

Also, I find it funny whenever someone says something like "web3 doesn't actually solve anything that hasn't been solved by other technologies like X". Then why isn't anyone using X? Why is nobody using Persona or WebAuthn despite being "superior"?

[+] erosenbe0|4 years ago|reply
He isn't describing the true state of the world. Banks, brokerages, mortgage providers, and medical entities mostly don't use OAuth2 and won't use this stuff either.

The world is still old school.

Grandpa dies and I go find the paper will.

I get an affidavit from a lawyer and a death certificate with a seal from the state.

I go into the bank with a bunch of papers and they figure out what to do.

There isn't a chain of trust that the state uploads a PK signed death certificate to, which in conjunction with a PK signed 'will and trust' then triggers a preexisting blockchain contract to effect the asset transfer.

This is 20 or 30 years off. Maybe 10 or 15 in China.

[+] mwattsun|4 years ago|reply
I'm reading this with an open mind, but I have questions:

> Problem #1: Owning Your Own Digital Identity & Fixing Authentication

My very technical friends who are security minded are on keybase.io. Multiple usernames and passwords across the internet is solved in various ways without blockchain. There are a lot of good password managers (I use an encrypted text file.) I don't feel Google owns my identity because I use their authentication system, so unless I'm missing something, I don't see a problem.

> enables advanced features like social recovery, which lets you recover your account if you lose your key via a smart contract that takes votes from guardians (friends or paid services).

> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.

This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked.

[+] YXNjaGVyZWdlbgo|4 years ago|reply
Alone the audacity to think a single point of failure without any chance of recovery is a good idea for persona management in the real world is insane.
[+] llbeansandrice|4 years ago|reply
> The idea here is that you could give keys to your friends and family, or to some sort of business service, then if you lose your key, use your friends to “vouch” for you and move the account to a new key.

Facebook already has this functionality and it's an absolutely massive pain if you're somehow not on their happy path. With no real way to figure out what the issue is and get it fixed or on the happy path.

[+] serverholic|4 years ago|reply
Social recovery wallets usually use an m of n system where you don't need all keys to recover your wallet but a subset. For example, 9 total keys and any 5 needed to recover your wallet.

Let's say you give a key to a business and that business gets hacked. That's fine because a single key can't steal your wallet and you have 8 keys left. You can even invalidate the keys and generate 9 new ones.

[+] thebean11|4 years ago|reply
> This doesn't seem very workable in a practical sense. It seems like this could be spoofed fairly easily or the business service gets hacked

You could give keys to two businesses / people and require them both to agree before they can "unlock" the account. You could also add a timelock, so you have time to respond if they get hacked or collude against you.

These aren't really new ideas and exist in existing, non-crypto social recovery schemes.
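
The m-of-n quorum, key invalidation and timelock described in the two replies above, modelled as an added example that is not part of any comment or of a real wallet. `RecoverableAccount` and its methods are hypothetical names, and plain strings stand in for identities that a real system would authenticate with signatures.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # constructed timelock length, in seconds


@dataclass
class RecoverableAccount:
    """Toy model of guardian-based recovery (hypothetical, not a real API)."""
    owner_key: str
    guardians: frozenset
    threshold: int                  # m in "m of n"
    delay: int = WEEK               # wait between quorum and key change
    pending: dict = field(default_factory=dict)  # new_key -> request state

    def approve(self, guardian, new_key, now):
        """Record one guardian vote; start the timelock once quorum is hit."""
        if guardian not in self.guardians:
            raise PermissionError(f"{guardian} is not a guardian")
        req = self.pending.setdefault(
            new_key, {"votes": set(), "ready_at": None})
        req["votes"].add(guardian)  # a set, so repeat votes count once
        if req["ready_at"] is None and len(req["votes"]) >= self.threshold:
            req["ready_at"] = now + self.delay
        return req["ready_at"]

    def cancel(self, caller_key, new_key):
        """The current owner can veto a recovery while the timelock runs."""
        if caller_key != self.owner_key:
            raise PermissionError("only the current owner key can cancel")
        return self.pending.pop(new_key, None) is not None

    def rotate_guardians(self, caller_key, new_guardians):
        """Replace the guardian set; votes cast by the old set are dropped."""
        if caller_key != self.owner_key:
            raise PermissionError("only the current owner key can rotate")
        self.guardians = frozenset(new_guardians)
        self.pending.clear()

    def finalize(self, new_key, now):
        """Move the account to new_key only after quorum AND the delay."""
        req = self.pending.get(new_key)
        if req is None or req["ready_at"] is None or now < req["ready_at"]:
            return False
        self.owner_key = new_key
        self.pending.clear()
        return True


def demo():
    """Walk through the 5-of-9 case with constructed guardian names."""
    guardians = frozenset(f"guardian-{i}" for i in range(1, 10))
    acct = RecoverableAccount("owner-key-A", guardians, threshold=5)
    out = {}
    # Four compromised or colluding guardians stay below quorum forever.
    for g in sorted(guardians)[:4]:
        acct.approve(g, "rogue-key", now=0)
    out["four_votes"] = acct.finalize("rogue-key", now=10 * WEEK)
    # A fifth vote reaches quorum, but that only starts the clock.
    out["ready_at"] = acct.approve("guardian-5", "rogue-key", now=100)
    out["before_delay"] = acct.finalize("rogue-key", now=out["ready_at"] - 1)
    # The owner still holds the key, notices, and vetoes in time.
    out["cancelled"] = acct.cancel("owner-key-A", "rogue-key")
    out["after_cancel"] = acct.finalize("rogue-key", now=out["ready_at"])
    # Genuine key loss: nobody cancels, so recovery completes after the delay.
    for g in sorted(guardians)[4:]:
        acct.approve(g, "owner-key-B", now=1000)
    out["recovered"] = acct.finalize("owner-key-B", now=1000 + WEEK)
    out["owner"] = acct.owner_key
    return out
```

The timelock only protects an owner who still holds the current key and is watching for recovery requests; after a genuine loss, the delay is the price of that protection.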

[+] herlitzj|4 years ago|reply
I honestly thought this was going to be a joke post because that top image is ridiculous. Maybe I'm just old, but it reads to me as

Web 1.0: Great

Web 2.0: Ugh, ok

Web 3.0: You're serious with this?

[+] ranger207|4 years ago|reply
As other comments have pointed out, there are other technical solutions to decentralized identity. The blockchain doesn't solve this problem any better than private keys or Persona or whatever. The article acknowledges this. The problem with existing solutions is not the technical problem, it's the social problem: making the new solution easy to use, fixing bugs and covering edge cases, and getting it deployed widely. The author claims that the social problem is what Web3 solves; that Web3 is the social solution counterpart to the blockchain technical solution.

Web3 is indeed a social solution to this social problem, but the real problem with Web3 is that it's a terrible social solution. Web3 (aka blockchain enthusiasts, aka cryptobros) is a community comprised on one end of true believers who believe they're smarter than anyone else in the room and that anyone who brings up complaints is only mad because they didn't get in when the cryptocoin was cheap, and on the other end of grifters and scammers who fully acknowledge that they're only in it for a quick buck off the back of unsuspecting rubes.

This is the core problem with most crypto projects. Most blockchain projects have technical problems [0], but even for the few things that blockchain uniquely solves [1] the general scumminess of everyone involved means that anyone advertising they're solving problems with a blockchain is not someone to trust your money with [2].

Of course, the blockchain isn't the only technology to suffer this problem. Blockchain's at the top of the hype cycle right now so of course it's filled with scammers. But even though Pets.com may not have the most competent business, the technology behind ecommerce was generally sound. Blockchain on the other hand has so few useful niches that the only thing left are the hype-men.

[0] Eg you could use NFTs to prove ownership of IRL property, but why? You're just storing a deed in a different place. It used to be in a SQL server somewhere, now it's on a blockchain instead.

[1] That is, decentralized databases where you don't trust all parties not to modify the data. But uh, with whom do you need to share data that you don't trust, and how do you guarantee they're not just feeding false data into it in the first place?

[2] I'm not implying all blockchain enthusiasts are pretentious and/or scammers. Just that there's a much higher proportion of them in the Web3 community than elsewhere.

[+] dathinab|4 years ago|reply
Most web2 apps support a smaller number of SSO providers.

Technically "independent" SSO providers and similar existed, but none made it mainstream because there was no reason for apps to support them, but there was cost to support them.

There is even less reason IMHO for most apps to support Web3 login (more complexity).

Furthermore even if they do the web3 login would probably still list Google etc. as the web2 login still lists email.

It's questionable that more than one maybe two blockchains will be supported.

It's likely that often only a small number of wallets will be supported; it's also likely that "bigtech" companies like Google will provide web3 logins if it becomes successful.

So, it might happen. But I don't see it tbh.

There is just no reason to go the extra length to support web3 login for most Apps/Companies.

EDIT: Also trust of the general public into anything containing the word "crypto" or "blockchain" is constantly undermined by an endless slew of scams, and money grabbing schemes. Which can hurt adoption of web3 login.

[+] thesandlord|4 years ago|reply
My big question with using a Web3 login is what advantages it gives the website owner.

With social Web 2.0 login, I can be fairly sure the person logging in has a valid email address, a name, etc, and it is a single click for the user vs filling in all the info all over again.

With a Web3 login, it is basically the same. Except I'm not really given any personal info like name or email, so I need to ask them for that anyway. I guess you can tie that into your wallet somehow?

But I don't see this as a 10x solution. Do people really not trust FB/Google/Twitter that much? Why does currency and money need to get involved?

But in another world, isn't this the problem Keybase was trying to solve? Of course, they got mixed up in their own cryptocurrency as well (XLM) which had so many issues with bots trying to get into the airdrop. So idk.

[+] rbanffy|4 years ago|reply
I was fully expecting to see an empty HTML page.

Correct me if I'm wrong, but the only new idea here is to use a ledger to hold public keys associated with an identity. You could add keys by signing a new key with one of the previously globally accepted ones proving you are that entity and the same would go for removing a lost one, by signing a new message with all the remaining keys.

Having a key copied without your knowledge would be a major disaster, however.

Apart from that, this is not very different from using keys in SSH and providing a challenge/response login form would be very simple.

[+] kiernanmcgowan|4 years ago|reply
All of these decentralization arguments make me think of early git:

>Every Git clone is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server...

http://web.archive.org/web/20080821113906/http://git-scm.com...

Sure git can be used without the need to have a central server, but everything became so much simpler with GitHub and other code repositories.

Decentralized systems are hard to navigate and humans will choose the easy thing every time.

[+] danielmarkbruce|4 years ago|reply
Not just Git. Email. Money (used to be issued by individual banks). Internet infrastructure. The web. Everything goes centralized.... because... it's easier. And humans seem to show over and over again, easier wins.

[+] evv555|4 years ago|reply
Is that a bad thing? Web3 is ultimately about building hierarchies(DAO). I would like to see a diversity of new digital hierarchies, new federated systems with unique properties. Not just a purely decentralized system. Decentralized vs. Centralized is a false dichotomy IMO.
[+] IiydAbITMvJkqKf|4 years ago|reply
This problem is currently being solved by WebAuthn. For social recovery, if desired, the private key can be split up using Shamir's secret sharing.
[+] enos_feedler|4 years ago|reply
The real issue for me is that I would rather have Apple sitting between me and To Ty's app than a public blockchain with no owners. There are just too many edge cases and circumstances where I would rather have a trillion dollar company defending me, a paying customer, against To Ty if the app turns on me or doesn't meet my expectations.

me < To Ty's app + whatever they can get away with.

me + apple > To Ty's app.

[+] laserbeam|4 years ago|reply
Nothing in this article requires or benefits from a blockchain. Social recovery of your account is a feature on Facebook and has been for years... There's nothing novel or particularly interesting here.

The only thing blockchain would add is a gas fee whenever I would log in somewhere, and would keep the same UX problems I'd have with login anywhere else.

Keep in mind the most successful project EVER in managing identity was Let's Encrypt. A centralized non-profit that got the internet to use HTTPS everywhere by signing SSL certificates and vouching for everyone's server for free, and as far as I can tell without collecting any personal data about anyone. Web3 is going to solve "this" (whatever this is)... Riiight.

[+] dmitriid|4 years ago|reply
Article: web3 solves decentralized auth, and you are now in control!

Also article: to use it, you need to trust a centralized entity like Metamask that develops your Chrome extension and some unknown programmers that code some "smart contracts" aka unverifiable code in esoteric programming languages.

Also article: look! a solution! it's better!

[+] codehalo|4 years ago|reply
You don't need to specifically use Metamask to use a blockchain, just like you don't need to use a specific browser to view this site.
[+] Traster|4 years ago|reply
I'm glad someone took the time to write this. I think it's quite interesting that the prime example picked here is a UI issue. The author freely admits that the "web3" solution is basically just private keys with better UI. I'm not all that up to date on web3 stuff, but... it's not UI.

The quote from Vitalik is great though - the goal of crypto is to let people make all the same mistakes and find out single central authorities actually have been established for a reason.

[+] nanofortnight|4 years ago|reply
Federated/Decentralised identity/authentication is a solved problem. For example, this is essentially OpenID. Unfortunately this entire concept failed to gain traction.
[+] alkonaut|4 years ago|reply
Ok that’s one try. And there were… literally zero reasons in the article for actually using blockchains or cryptocurrency.

I believe this guy is being intellectually honest (which is a feeling I don’t get often in this space) but I don’t think he’s capable of asking the right questions.

The question that should be asked is what is a problem we (humans) have that is not only solved by this new tech, but can’t in any way even by bending over backwards be solved with some other technology?

[+] BoppreH|4 years ago|reply
The proposal is strictly inferior to SQRL[1] plus emailing your friends shares of your secret[2]. You get private keys, no third parties at all, social recovery, but with no Blockchain costs. Bonus point: you automatically get a pseudonym for each app.

The point about financial incentives aligning more easily in web3 is good, but I understood that even the poster child Metamask is not complete as it's missing good social recovery UX.

Please stop trying to sell snake oil.

[1]: https://www.grc.com/sqrl/sqrl.htm

[2]: https://en.m.wikipedia.org/wiki/Secret_sharing