[HN Gopher] Real Problems That Web3 Solves, Part 1
___________________________________________________________________
Real Problems That Web3 Solves, Part 1
Author : waprin
Score : 93 points
Date : 2022-01-04 17:28 UTC (5 hours ago)
(HTM) web link (billprin.com)
(TXT) w3m dump (billprin.com)
| avereveard wrote:
| So, web3 regularly gets upvoted onto the front page, only to be
| utterly trashed in the comments section.
|
| What gives?
| nanofortnight wrote:
| Federated/Decentralised identity/authentication is a solved
| problem. For example, this is essentially OpenID. Unfortunately
| this entire concept failed to gain traction.
| kiernanmcgowan wrote:
| All of these decentralization arguments make me think of early
| git:
|
| >Every Git clone is a full-fledged repository with complete
| history and full revision tracking capabilities, not dependent on
| network access or a central server...
|
| http://web.archive.org/web/20080821113906/http://git-scm.com...
|
| Sure git can be used without the need to have a central
| server, but everything became so much simpler with github and
| other code repositories.
|
| Decentralized systems are hard to navigate and humans will choose
| the easy thing every time.
| kradeelav wrote:
| ... why would I want to share my wallet to something I trust less
| than a strange dog? Or part of my identity? No thanks.
|
| One of the great things about usernames/passwords is it didn't
| demand that vulnerability - you could come up with whatever and
| it was _your responsibility_ to keep up with your shit. Systems
| that mimic real world systems on average feel less prone to this
| silliness.
| pxue wrote:
| Email/password is terrible UX for the vast majority of users. It's
| forgettable, it's not secure, and it exists only because it
| has existed since the dawn of computers.
| endisneigh wrote:
| I disagree. Email and password is terrible compared to what?
| thesandlord wrote:
| My big question with using a Web3 login is what advantages it
| gives the website owner.
|
| With social Web 2.0 login, I can be fairly sure the person
| logging in has a valid email address, a name, etc, and it is a
| single click for the user vs filling in all the info all over
| again.
|
| With a Web3 login, it is basically the same. Except I'm not
| really given any personal info like name or email, so I need to ask
| them for that anyway. I guess you can tie that into your wallet
| somehow?
|
| But I don't see this as a 10x solution. Do people really not
| trust FB/Google/Twitter that much? Why does currency and money
| need to get involved?
|
| But in another world, isn't this the problem Keybase was trying
| to solve? Of course, they got mixed up in their own
| cryptocurrency as well (XLM) which had so many issues with bots
| trying to get into the airdrop. So idk.
| spinny wrote:
| People already use ENS to register a <some-name>.eth name to
| the respective Ethereum address. It's also easy to write a
| smart contract that keeps meta-info on an address. This data
| would be public.
|
| > Why does currency and money need to get involved?
|
| It doesn't. You only need a blockchain to keep public data. You
| can sign a message and log in with that, no need to send a
| transaction; it can be done with a balance of 0.
| lottin wrote:
| But I thought the whole point was "owning your identity"...
| and now you're suggesting that we should put our personal
| data on a blockchain so everybody can see it?
| spinny wrote:
| have you ignored the "public data" part of my comment??
|
| why do you twist "owning your identity" to mean putting
| everything about you "somewhere public" (like a blockchain)
| numtel wrote:
| The identity owned is the private key.
| rafale wrote:
| Web3 emphasizes privacy by default. Emails are no longer needed
| for password management, so if you need them for something else
| users should opt in.
| zingplex wrote:
| I have a hunch that many services will probably want to
| collect the emails anyway. It provides websites a convenient
| excuse to ask people to join their marketing spam list. In
| most cases privacy isn't a profitable business proposition.
| MBCook wrote:
| Apple already provides something like that that's WAY more
| popular and doesn't require the waste of resources a public
| blockchain would.
|
| I know some people (especially us techies) like to control
| the whole stack but who do you think the majority of normal
| users would prefer?
| rafale wrote:
| Bitcoin doesn't support web3. Ethereum is moving to proof-
| of-stake, so the resources issue is gonna become a thing of
| the past. Also using web3 for authentication doesn't
| broadcast any transaction. So zero resources are used at
| that point.
|
| Apple has a closed platform mindset, I hope users will see
| the benefits in a decentralized open protocol.
| MBCook wrote:
| > I hope users will see the benefits in a decentralized
| open protocol.
|
| See I think this here is the biggest issue. I feel like
| we have 30+ years of proof that normal users LIKE
| centralization for the convenience and ease it provides.
|
| Email is basically the last man standing when it comes to
| distributed implementations and 1) it had reached mass
| adoption early enough to survive and 2) we've centralized
| it to a large degree anyway with Gmail and outlook.com
| tester756 wrote:
| >Do people really not trust FB/Google/Twitter that much?
|
| People in general or HN audience?
| steelstraw wrote:
| Are there any security risks with signing onto a site with
| Metamask? Is there any way for them to drain your wallet without
| prompting you?
|
| If not, then it seems to be a superior method and experience. You
| don't have to deal with usernames/email/password, and it offers
| more functionality with currency.
| TylerE wrote:
| There have already been many, many scams perpetrated by things
| CLAIMING to be MM/OpenSea.
| dylkil wrote:
| When you sign in with web3 you are signing a message with your
| private key, and the website is verifying that it was in fact
| you that signed the message by checking the message's signature
| with your public key.
|
| The only way anyone can gain control of your wallet is if you
| give them your private key (or the seed to the privk) or if
| your PC is compromised (but you have bigger issues then).
| AlexandrB wrote:
| This is probably the first blockchain use case that I've found
| compelling, outside of using its obvious use as a speculative
| asset of course. I hope the author elaborates more on this in the
| next part because there are still lingering questions - like how
| much would CRUD operations on your digital identity cost? After
| all, most blockchain technologies have associated "gas" or other
| transaction fees.
| endisneigh wrote:
| So what happens when you get phished with Web3? If the value of
| all crypto goes down 10% YoY why would you use it?
|
| The author makes a bunch of silly assumptions:
|
| > We need some way of saying "who we are" on the internet in a
| consistent manner. That way we can communicate with others in a
| verified way and associate with digital data that we own. We also
| often need that data to be interoperable between different web
| properties.
|
| No, this is not true. That's why most people on this site are not
| logging in through Google. Sites will store their own data, and
| if you trust them to store that data there's really no reason to
| just trust them to store a link to your identity.
|
| The author advocates third parties like Metamask and using a
| Chrome extension, which is ridiculous. If you're going to trust
| that, why not trust Microsoft, or Amazon, or Google?
|
| > With social recovery, instead of having to trust Google, you
| can choose who you trust, and instead trust a given set of
| friends, family, and services
|
| Yes, because Google is not a service.
|
| Ultimately the author makes up a problem and says blockchain is
| the solution.
|
| Even if we suppose it's a solution there's no discussion around
| phishing, stolen identities, or any failure mode really. Of
| course there isn't though - in general recourse requires an
| authority. Blockchain has none.
| thebean11 wrote:
| Identities on Microsoft, Amazon, and Google are not portable.
| They can permanently ban you and you lose access to every
| single service you used them to authenticate to.
|
| Private keys are portable between wallets.
| endisneigh wrote:
| What you're saying is also true with web3. A bad actor's key
| could be banned and a list of bad actors could be shared
| among sites resulting in the same thing.
|
| In fact, if you believe in privacy at all you'd want to
| reject this idea for that alone.
| thebean11 wrote:
| Sure, multiple independent sites could individually ban
| you. That's a fundamentally different problem, and much
| much less likely.
|
| An antidote to that would be using a different key on each
| site you authenticate to. You still only need to store a
| single key, all other keys are derived from that yet cannot
| be associated with their sibling keys.
|
| > What you're saying is also true with web3.
|
| Not quite sure what you mean here, web3 is a pretty
| overloaded term. If you mean the very concept of
| web3..that's pretty fundamentally different from trusting a
| company that can unilaterally ban you, alter your data etc.
| There is no such parallel in web3. If you mean the JS
| library, that's also fundamentally different, and it's not
| the only game in town.
| endisneigh wrote:
| I'm not sure what your point is here - you could also
| create a new Google account per website or simply use an
| email address.
|
| The author advocates using third party services such as
| meta mask, who would need to be trusted.
|
| How do you implement it without any third party site.
|
| If we are talking about likelihood, it's unlikely you'd be
| banned from Microsoft/Facebook/Google for no reason too.
|
| Furthermore, as the administrator, how do you stop bad actors?
| thebean11 wrote:
| You have to trust MetaMask to some extent, like any
| software you run locally, but MetaMask never gains
| control of your keys or identities, it's just a tool for
| using them (obviously 99.9% of users aren't auditing the
| code or building from source, but that's a totally
| different threat model). If MetaMask stops working for
| you, you can use a different tool with the _same keys_.
| If Google stops working for you you cannot transfer your
| account to Microsoft or Facebook.
|
| > If we are talking about likelihood, it's unlikely you'd be
| banned from Microsoft/Facebook/Google for no reason too.
|
| I've seen posts on this forum about it. It happens and
| there's not much you can do if it does.
|
| > you could also create a new Google account per website
| or simply use an email address.
|
| > Furthermore, as the administrator, how do you stop bad
| actors?
|
| Apologies if I'm missing something, if it's easy to spin
| up unique identities on both what's the difference here?
| It seems like it would be one or the other.
|
| And yes you can create a new Google account per website,
| but you are still at Google's mercy to authenticate. My
| 1Password has ~250 logins, I'd be seriously worried about
| a ban from Google if I made 250 accounts.
| endisneigh wrote:
| > Apologies if I'm missing something, if it's easy to
| spin up unique identities on both what's the difference
| here? It seems like it would be one or the other.
|
| Yes except for a centralized entity the admin would have
| recourse. How does a web server admin deal with it in the
| case of blockchain?
|
| > I've seen posts on this forum about it. It happens and
| there's not much you can do if it does.
|
| If we are talking about anecdotes I've seen people lose
| their private keys to phishing and consequently all of
| their money, so...
|
| > You have to trust MetaMask to some extent, like any
| software you run locally, but MetaMask never gains
| control of your keys or identities, it's just a tool for
| using them (obviously 99.9% of users aren't auditing the
| code or building from source, but that's a totally
| different threat model). If MetaMask stops working for
| you, you can use a different tool with the same keys. If
| Google stops working for you you cannot transfer your
| account to Microsoft or Facebook.
|
| This is not true, depending on implementation. Even if we
| accept what you're saying as true you can run your own
| oauth server.
|
| Basically it seems the entirety of your argument rests
| upon trusting a centralized service. However the
| scenarios posited by the author are ones where blockchain
| is used to login to a centralized service to begin with
| so I don't understand the criticism. Furthermore, unless
| one is to accept the infinite possibility and quantity of
| accounts, inevitably just like most other identity
| services, blacklists will be created.
|
| If that is not effective then blockchain will simply not
| be an option for most sites.
|
| Ultimately this convoluted web3 is no better than using
| an email address forwarder and a regular email and
| password.
| thebean11 wrote:
| > Yes except for a centralized entity the admin would
| have recourse.
|
| Can you be more specific? How is it easier to sniff out a
| user using multiple emails vs multiple keys?
|
| > If we are talking about anecdotes I've seen people lose
| their private keys to phishing and consequently all of
| their money, so...
|
| Losing your keys is a huge problem that needs to be
| solved. I think social recovery is super promising in
| that respect but you're right that we aren't there yet.
| Phishing exists in both worlds, although I'd argue for
| logins specifically it's less of an issue in the MetaMask
| world, as you do not need to expose your private keys for
| that. You need to expose your password to log into
| Google.
|
| > This is not true, depending on implementation. Even if
| we accept what you're saying as true you can run your own
| oauth server.
|
| Which part isn't true?
|
| There is..some difficulty gap between a browser extension
| and running your own authentication infra..
| endisneigh wrote:
| > Can you be more specific? How is it easier to sniff out
| a user using multiple emails vs multiple keys?
|
| If someone made 2109@gmail.com 238@gmail.com
| 2398@gmail.com you could contact Google, send them the
| information and potentially block all of them
| collectively and/or find the person responsible. This
| would be important if your application has to do with
| financial activity. How would you do this if someone kept
| making random private keys?
|
| > I'd argue for logins specifically it's less of an issue
| in the MetaMask world, as you do not need to expose your
| private keys for that. You need to expose your password
| to log into Google.
|
| I'm not understanding you. If you're someone who won't
| use Google, or a centralized service, then you are
| capable of hosting your own web server. If you're capable
| of that an email address + password is superior to
| blockchain and gives you more control.
|
| If you're not capable of that and are using centralized
| services for things like email then you lose no more
| control using their oauth server.
|
| You and the author have yet to address failure modes, or the
| superiority of this compared to email and password.
| thebean11 wrote:
| > If someone made 2109@gmail.com 238@gmail.com
| 2398@gmail.com you could contact Google, send them the
| information and potentially block all of them
| collectively and/or find the person responsible.
|
| Citation needed, I very much doubt Google would comply
| without a search warrant. For financial activity, it
| depends whether the application requires authentication,
| or simply funds. For authentication see things like DECO,
| where you could prove some personal information about
| yourself without actually revealing that information (SSN
| for example). Obviously that is piggybacking off of a
| legacy system; it's up to the application to say what
| data they need.
|
| > I'm not understanding you. If you're someone who won't
| use Google, or a centralized service, then you are
| capable of hosting your own web server. If you're capable
| of that an email address + password is superior to
| blockchain and gives you more control.
|
| You are completely wrong that everyone currently using
| MetaMask is capable of hosting their own web server.
| Securely hosting a web server is orders of magnitude
| harder than securely using MetaMask.
|
| I think I did address both failure modes and the
| benefits. I agree with you that it's not ready to replace
| email and password, but I don't think the issues are
| insurmountable either.
| endisneigh wrote:
| > Citation needed, I very much doubt Google would comply
| without a search warrant. For financial activity, it
| depends whether the application requires authentication,
| or simply funds. For authentication see things like DECO,
| where you could prove some personal information about
| yourself without actually revealing that information (SSN
| for example). Obviously that is piggybacking off of a
| legacy system; it's up to the application to say what
| data they need.
|
| There's plenty of evidence out there for this
| (https://www.jamesmadison.org/the-governments-secret-
| google-s...). Furthermore Google has a contact to
| official subpoena them if you want
| (https://support.google.com/faqs/answer/6151275?hl=en).
| For mild things you could just report abuse and escalate
| - https://support.google.com/mail/contact/abuse?hl=en
|
| Again, you're not answering the question. What does the
| web administrator do if someone is creating fake accounts
| using a private key? If you're going to use third party
| systems you don't need blockchain to begin with.
|
| > You are completely wrong that everyone currently using
| MetaMask is capable of hosting their own web server.
| Securely hosting a web server is orders of magnitude
| harder than securely using MetaMask.
|
| You're addressing a claim I didn't make. I'm not saying
| everyone using MetaMask can host their own server, I'm
| saying someone who isn't using a centralized entity
| anywhere can do it, by definition. Hosting a web server
| is trivial in 2022. You can literally set up a server by
| going to digitalocean.com right now, paying $5, and
| spinning up a one-click machine. Administrating it at
| scale is obviously more difficult, but it's trivial to
| set up a little OAuth server if you want.
| thebean11 wrote:
| > There's plenty of evidence out there for this
|
| You are completely moving the goalposts, I thought we
| were talking about internet services trying to prevent
| spam..not government snooping and subpoenas. Are you
| claiming the government's ability to collect data about
| you from Google is a good thing? I'm pretty confused.
|
| > Again, you're not answering the question. What does the
| web administrator do if someone is creating fake accounts
| using a private key? If you're going to use third party
| systems you don't need blockchain to begin with.
|
| You are not answering the question either, is this web
| administrator the government? Are they going to serve
| Google with a subpoena?
|
| > I'm not saying everyone using MetaMask can host their
| own server, I'm saying someone who isn't using a
| centralized entity anywhere can do it, by definition.
|
| Ok fair enough, I'm not saying anybody will be using "no
| centralized entity anywhere", not totally sure what your
| point is. Using a centralized entity for A is equivalent
| to using it for A+B?
| endisneigh wrote:
| you don't really make any sense. sorry. I already
| addressed your points. the government point is not really
| relevant. the point is that a web admin has recourse with
| Google and/or government depending on the nature of the
| activity.
|
| good luck
| thebean11 wrote:
| I just don't see how "ask Google / the government to tell
| me the identities of its customers" could be seen as a
| positive of the current system for 99% of cases.
| Especially given that Google likely won't even have the
| information, especially for an account created to commit
| serious crimes warranting NSA snooping or legal
| intervention. Just like creating a private key, you don't
| need a SSN or a passport to create a Google account, or
| most other email providers.
|
| I feel like you are intentionally ignoring the dangers of
| SSO tied to a company that can unilaterally delete your
| account, and has little incentive to unlock it or even
| let you plead your case.
|
| Cheers.
| hdjjhhvvhga wrote:
| I'm not sure about the present tense here; a conditional would
| fit better.
| IiydAbITMvJkqKf wrote:
| This problem is currently being solved by WebAuthn. For social
| recovery, if desired, the private key can be split up using
| Shamir's secret sharing.
| grey-area wrote:
| Yes, WebAuthn is a much better solution to this.
| justinsaccount wrote:
| [deleted]
| ranger207 wrote:
| As other comments have pointed out, there are other technical
| solutions to decentralized identity. The blockchain doesn't solve
| this problem any better than private keys or Persona or whatever.
| The article acknowledges this. The problem with existing
| solutions is not the technical problem, it's the social problem:
| making the new solution easy to use, fixing bugs and covering
| edge cases, and getting it deployed widely. The author claims
| that the social problem is what Web3 solves; that Web3 is the
| social solution counterpart to the blockchain technical solution.
|
| Web3 is indeed a social solution to this social problem, but the
| real problem with Web3 is that it's a terrible social solution.
| Web3 (aka blockchain enthusiasts, aka cryptobros) is a community
| made up, on one end, of true believers who believe they're
| smarter than anyone else in the room and that anyone who brings
| up complaints is only mad because they didn't get in when the
| cryptocoin was cheap, and, on the other end, of grifters and
| scammers who fully acknowledge that they're only in it for a
| quick buck off the back of unsuspecting rubes.
|
| This is the core problem with most crypto projects. Most
| blockchain projects have technical problems [0], but even for the
| few things that blockchain uniquely solves [1] the general
| scumminess of everyone involved means that anyone advertising
| they're solving problems with a blockchain is not someone to
| trust your money with [2].
|
| Of course, the blockchain isn't the only technology to suffer
| this problem. Blockchain's at the top of the hype cycle right now
| so of course it's filled with scammers. But even though Pets.com
| may not have had the most competent business, the technology behind
| ecommerce was generally sound. Blockchain on the other hand has
| so few useful niches that the only things left are the hype-men.
|
| [0] E.g. you could use NFTs to prove ownership of IRL property, but
| why? You're just storing a deed in a different place. It used to
| be in a SQL server somewhere, now it's on a blockchain instead.
|
| [1] That is, decentralized databases where you don't trust all
| parties not to modify the data. But uh, with whom do you need to
| share data that you don't trust, and how do you guarantee they're
| not just feeding false data into it in the first place?
|
| [2] I'm not implying all blockchain enthusiasts are pretentious
| and/or scammers. Just that there's a much higher proportion of
| them in the Web3 community than elsewhere.
| ozim wrote:
| I like how "trustless" falls through the cracks at each and any
| of the Web3 posts I read.
|
| It shows up as a marketing trick because it obviously means
| something very specific for that crowd and it is explained
| somewhere in fine print.
|
| I will stay with a thought that trust is not something that can
| be solved by technology :)
| JesseObrien wrote:
| This article doesn't add up the points to anything that solves
| the given problem. Owning identity isn't solved by saying
| "don't trust ${third party}! Come trust ${my preferred third
| party}, it's better!" Any blockchain is still a third party that
| all parties involved need to place trust in. It isn't
| somehow more or less trustworthy just because it exists.
|
| > Many people, including myself, believe that the individual
| should be able to own their own identity.
|
| Yes, this is nice wishful thinking, but on a global scale it's
| not really possible or feasible.
|
| > OAuth2 should be used for what it was intended to, which is for
| a web service to provide another web service with a user's data
| given that user's consent. It should not be used as a global
| digital identifier because that's too important to be owned by
| anyone but the individual themselves.
|
| So, instead of OAuth being in the hands of FAANG[1] it's in the
| hands of ${blockchain-of-the-year}? How does moving the trust
| from a centralized company to a centralized blockchain change MY
| ownership? If I move everything away from FAANG to someone's
| blockchain, I have no assurance that chain will continue
| existing. If there's a flaw found in it and everyone moves to
| another chain, now what? Sure, we can make the same claim about
| FAANG not continuing to exist, but the point is there's no
| inherent advantage here, they're equal. FAANG are supported by
| millions of individuals and companies that are all, together,
| invested in their success. There's no unilateral agreement on
| blockchains and I doubt there ever will be.
|
| >With social recovery, instead of having to trust Google, you can
| choose who you trust, and instead trust a given set of friends,
| family, and services.
|
| Again with the trust this and not that. All of my friends, family
| and other services need to then agree that they're all going to
| trust ${chain} instead of FAANG. It doesn't fix the problem. "The
| blockchain" isn't just one thing. Whose chain do we all shift
| trust to and from, and based on what security? At least with
| Google I can rely on their security because if they end up with a
| breach of trust it's going to have a massive, real impact on
| share prices and consumer trust around the globe. That's
| incentive enough for me to rely on it day-to-day.
|
| This article has some interesting tidbits but overall seems like
| just a baseless rally against FAANG by someone who knows very
| little about complex authentication or trust and security in the
| real world.
|
| [1] https://www.investopedia.com/terms/f/faang-stocks.asp
| svachalek wrote:
| A properly decentralized blockchain isn't a third party in the
| traditional sense, a human or organization that is bound to
| follow its agreements until it doesn't feel like it anymore.
| It's an algorithm incarnated.
|
| That said, its initial and continued existence is dependent on
| economics. Who will market a service that they don't stand to
| profit from? Who will drive large organizations to invest in
| infrastructure that doesn't improve their profits? Either no
| one will, or it will be adulterated in the process. Sadly the
| community spirit that drove a lot of early internet development
| seems to be lost.
| enos_feedler wrote:
| The real issue for me is that I would rather have Apple sitting
| between me and To Ty's app than a public blockchain with no
| owners. There are just too many edge cases and circumstances
| where I would rather have a trillion dollar company defending me,
| a paying customer, against To Ty if the app turns on me or
| doesn't meet my expectations.
|
| me < To Ty's app + whatever they can get away with.
|
| me + apple > To Ty's app.
| herlitzj wrote:
| I honestly thought this was going to be a joke post because that
| top image is ridiculous. Maybe I'm just old, but it reads to me
| as
|
| Web 1.0: Great
|
| Web 2.0: Ugh, ok
|
| Web 3.0: You're serious with this?
| scotu wrote:
| I had the same thought. Imagine listing all blockchains in tiny
| icons you scroll sideways. I suppose that can be done a lot
| better, but still, who decides which blockchains are included
| and which are not?
| herlitzj wrote:
| Precisely. Or what if you're some random grandma that has a
| wallet (since we're living in a make believe world where this
| is easy to create). Imagine you've forgotten which blockchain
| your wallet is on. Will there be a search box to find my
| wallet in this mess of combinatorics that is a login page?
| jVinc wrote:
| It's not Web 3.0, that was the semantic web, which also aimed
| in some sense to be decentralized data but wasn't about turning
| the internet itself into a vehicle for ridiculous investment
| Ponzi schemes. The "new" one is Web3.
| codeptualize wrote:
| This is what bugs me most about this whole web3 situation, if
| people want to dump their money into these ponzi-scheme pump
| and dump bs be my guest, but then naming it web3 isn't very
| nice.
|
| To then attach all kinds of good qualities to it that are not
| shown, nor proven, and often demonstrably incorrect just
| finishes it off.
|
| As you say, a lot of the bigger ideas claimed to be part of
| this "new" web3 thing aren't new, and are interesting ideas
| that should be further explored, it would be much better
| without the ponzi sauce.
| BlueTemplar wrote:
| web3 = Web 4.0 I guess ?
|
| (Just like IPv5 never got anywhere ??)
| mark242 wrote:
| The image amplifies what we already know is a fundamental
| problem with OAuth; people, instead of forgetting their
| username/password combo, now are forgetting which provider they
| use to sign into a service.
|
| That "Web 3.0 login" portion of the slide only makes that
| problem worse. Decentralization and a variety of choices
| absolutely fall apart when they meet non-tech users who have no
| idea what icon means what.
| mattlondon wrote:
| Agreed - the UX mock up there looks awful. If you go look at
| coinmarketcap.com there are already hundreds of coins out
| there. Are users going to have to find their wallet from
| hundreds/thousands on the lists? Or are maybe not all sites
| going to support every wallet, so therefore you're going to
| need to have multiple wallets to support multiple sites ...
| suddenly that "consistent identity" fails as you are actually
| juggling 20-30+ wallets for logging into different sites.
|
| .... or it ends up that everyone just logs in using an ethereum
| wallet and you're back to centralisation.
| sazz wrote:
| The major issue with the article is that the source of the
| described problems is business agenda and not technology.
| Everybody can run an OAuth2 authority, but of course only tech
| giants have the marketing to lure everybody into their nest.
|
| Technology won't fix greed which drives business.
| astoor wrote:
| IndieAuth[0] is an open standard decentralised authentication
| protocol which doesn't need blockchain or cryptocurrency.
|
| [0] https://en.wikipedia.org/wiki/IndieAuth and
| https://indieweb.org/IndieAuth
| Traster wrote:
| I'm glad someone took the time to write this. I think it's quite
| interesting that the prime example picked here is a UI issue. The
| author freely admits that the "web3" solution is basically just
| private keys with better UI. I'm not all that up to date on web3
| stuff, but... it's not UI.
|
| The quote from Vitalik is great though - the goal of crypto is to
| let people make all the same mistakes and find out single central
| authorities actually have been established for a reason.
| codeptualize wrote:
| I do think a lot of these things go round the circle then end
| up on the same solutions we had before.
|
| Coinbase is a nice example; turns out it's quite nice if some
| sort of company protects your money, makes sure you don't
| lose access to it, provides you with insurance in case
| something goes wrong, and lets you easily send, trade, and
| convert money. Such a revolutionary idea, right?
| somewhereoutth wrote:
| I suppose blockchain can be a mechanism for the reification of
| pure information. So turning something that only has a value,
| into something that has a unique identity that can be 'pointed
| to'.
|
| In the real world I might have a physical key (or some other
| interesting object) - there is exactly one of it and it exists in
| exactly one place (though of course I can create copies - but
| they are new objects).
|
| In the virtual world this is a bit harder to construct and
| enforce - information is entirely ephemeral, and has no concrete
| existence or place. Maybe blockchain can provide that (in the
| context of the chain only of course).
| KaiserPro wrote:
| So the main selling point to "rational" people is that you can
| connect your wallet to websites?
|
| As in potentially link your income to every site you want access
| to?
|
| If I wanted to do micro transactions, and let everyone drain my
| bank account, I'd not have 2fa on, use my real name, address DoB
| for things.
| mexicanandre wrote:
| All these "web 2" companies are going to create their own "web 3"
| services that will only work on their own product, and we have
| overly complicated solutions to an issue which didn't really need
| solving.
|
| Can't wait for my reddit or meta tokens which have a zero value.
| rbanffy wrote:
| I was fully expecting to see an empty HTML page.
|
| Correct me if I'm wrong, but the only new idea here is to use a
| ledger to hold public keys associated with an identity. You could
| add keys by signing a new key with one of the previously globally
| accepted ones proving you are that entity and the same would go
| for removing a lost one, by signing a new message with all the
| remaining keys.
|
| Having a key copied without your knowledge would be a major
| disaster, however.
|
| Apart from that, this is not very different from using keys in
| SSH and providing a challenge/response login form would be very
| simple.
| betwixthewires wrote:
| It's not about using a ledger to hold public keys. The keys
| exist regardless of the ledger. The idea is to use the ledger
| to indisputably prove ownership or control over resources.
| Could be money, could be access to certain services, could be
| files, anything.
|
| Also, the ledger doesn't have to be public.
| rbanffy wrote:
| If the ledger is not public, why would I trust it? If someone
| else claims they are you, how would I differentiate the
| conflicting claims?
| betwixthewires wrote:
| Keys are identities. Someone claiming to be you doesn't
| matter. Always defer to keys.
|
| A non public ledger would be something agreed upon by
| participants only. So you and I and 5 other people for
| example could run some type of organization using some
| private way to keep track of state. You _choose_ to trust
| it, if you don't, then don't use it.
| numtel wrote:
| Messages are signed by cryptographic signatures so nobody
| can claim to be you.
|
| This is how JWTs and many other protocols ensure message
| authenticity.
| rbanffy wrote:
| Nobody can claim they own the key you claim you owned,
| but, unless you have a person-to-key map somewhere, my
| claim I'm you is as good as yours.
| mattlondon wrote:
| > nobody can claim to be you.
|
| Nobody can claim _to have your private key_, but they
| can sure as hell claim to be you.
|
| We won't know who the real numtel ever is without some
| real-world proof and verification. This is where a lot of
| this crypto-based stuff starts to crumble: sure the
| mathematics of the cryptography works well _on chain_,
| but there is a very limited set of things that exist 100%
| purely on the blockchain - as soon as you need to go off
| of the blockchain for anything (e.g. proving human
| identity, proving ownership of a physical asset like a
| house etc) then you're back to the same old problems
| we've always had of having to prove
| identity/ownership/whatever, and you can't use a
| cryptographic hash to prove that I own the apple I am
| eating right now ... perhaps you can prove that I own
| _an_ apple, but can you prove I own _this_ apple?
| iskander wrote:
| A lot of these "this is not very different from X, you could do
| Y" replies remind me of the original Dropbox news.yc thread.
|
| What everyone seems to be missing is that the web3 apps and UI
| conventions already have broad adoption among millions of only
| mildly techy users. They don't know what SSH is but they do
| know how to sign things with their in-browser wallet app. Of
| course, they also seem to not always know that giving away your
| private keys is quite bad...
|
| But any "solution" that requires e.g. using the terminal is not
| really competing in the same space.
| johnny22 wrote:
| I hate all this "web3" stuff by default, but this is so
| important to remember so you don't miss out on what actually
| makes it through the hype cycle.
| rbanffy wrote:
| > But any "solution" that requires e.g. using the terminal is
| not really competing in the same space.
|
| The UI required for that is something that can be done in a
| couple minutes. The heavy lifting is done by libraries
| provided with the OS.
| iskander wrote:
| And Dropbox was trivially just rsync...
|
| Yet, crypto wallets remain the only cryptographic signature
| UI that normal people interact with.
| ryan93 wrote:
| What's the recourse if you lose your private key?
| nateburke wrote:
| Great post!
|
| This definitely has me thinking more about the extent to which
| the strength of a particular identity representation is
| determined by our willingness to bind artifacts of value to it.
| dathinab wrote:
| Most web2 apps support a smaller number of SSO providers.
|
| Technically "independent" SSO providers and similar existed, but
| none made it mainstream because there was no reason for apps to
| support them, but there was a cost to support them.
|
| There is even less reason IMHO for most apps to support Web3
| login (more complexity).
|
| Furthermore even if they do the web3 login would probably still
| list Google etc. as the web2 login still lists email.
|
| It's questionable that more than one maybe two blockchains will
| be supported.
|
| It's likely that often only a small number of wallets will be
| supported, it's also likely that "bigtech" companies like google
| will provide web3 logins if it becomes successful.
|
| So, it might happen. But I don't see it tbh.
|
| There is just no reason to go the extra length to support web3
| login for most Apps/Companies.
|
| EDIT: Also trust of the general public into anything containing
| the word "crypto" or "blockchain" is constantly undermined by an
| endless slew of scams, and money grabbing schemes. Which can hurt
| adoption of web3 login.
| spinny wrote:
| > It's questionable that more than one maybe two blockchains
| will be supported
|
| You don't really need a blockchain unless you need to keep data
| on a blockchain. To log in and identify a user you can simply
| sign a message. I consider the address as the user "identity".
| Any blockchain data related to that address is meant to be
| public (some people register <some-name>.eth on the ENS for
| example)
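The sign-a-message login that spinny and numtel describe, combined with rbanffy's earlier idea of a per-account ledger of public keys (a new key is admitted by a signature from an already accepted key, a lost key is removed with signatures from all remaining keys), as an added example; this is not code from the article or from any wallet project, and the message format, the origin strings and the two-minute challenge lifetime are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Challenge is what a site asks the wallet to sign: a fresh nonce bound to the site's origin, with an expiry.
type Challenge struct {
	Origin  string
	Nonce   string
	Expires time.Time
}

// Message is the exact byte string the wallet signs (a format made up for this example).
func (c Challenge) Message() []byte {
	return []byte("login\norigin=" + c.Origin + "\nnonce=" + c.Nonce +
		"\nexpires=" + c.Expires.UTC().Format(time.RFC3339))
}

// KeyRing is one account's ledger of accepted public keys: a key joins only when
// endorsed by a key already in the ring, and leaves only with every other key's signature.
type KeyRing struct{ keys map[string]ed25519.PublicKey }

func keyID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }
func NewKeyRing(root ed25519.PublicKey) *KeyRing {
	return &KeyRing{keys: map[string]ed25519.PublicKey{keyID(root): root}}
}
func (r *KeyRing) Accepts(pk ed25519.PublicKey) bool { _, ok := r.keys[keyID(pk)]; return ok }

// AddKey admits newKey if endorsement is a valid signature over it by an accepted key.
func (r *KeyRing) AddKey(newKey, endorser ed25519.PublicKey, endorsement []byte) error {
	if len(newKey) != ed25519.PublicKeySize || !r.Accepts(endorser) {
		return errors.New("malformed key, or endorser is not an accepted key")
	}
	if !ed25519.Verify(endorser, append([]byte("add-key:"), newKey...), endorsement) {
		return errors.New("bad endorsement signature")
	}
	r.keys[keyID(newKey)] = newKey
	return nil
}

// RemoveKey drops lostKey only when every remaining key (sigs keyed by keyID) has
// signed the removal, so a single stolen key cannot evict the others.
func (r *KeyRing) RemoveKey(lostKey ed25519.PublicKey, sigs map[string][]byte) error {
	if !r.Accepts(lostKey) || len(r.keys) < 2 {
		return errors.New("key unknown, or it is the account's last key")
	}
	msg := append([]byte("remove-key:"), lostKey...)
	for id, pk := range r.keys {
		if id != keyID(lostKey) && !ed25519.Verify(pk, msg, sigs[id]) {
			return errors.New("missing or invalid signature from a remaining key")
		}
	}
	delete(r.keys, keyID(lostKey))
	return nil
}

// Site is the relying party; pending maps nonce -> issued challenge, deleted on first use.
type Site struct {
	Origin  string
	Account *KeyRing
	pending map[string]Challenge
}

func NewSite(origin string, account *KeyRing) *Site {
	return &Site{Origin: origin, Account: account, pending: map[string]Challenge{}}
}

// Issue mints a challenge with a 128-bit random nonce that is valid for two minutes.
func (s *Site) Issue(now time.Time) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Origin: s.Origin, Nonce: hex.EncodeToString(b), Expires: now.Add(2 * time.Minute)}
	s.pending[c.Nonce] = c
	return c, nil
}

// Login accepts only a pending, unaltered, unexpired challenge signed by an accepted
// key; the nonce is consumed on any attempt, so a captured signature cannot be reused.
func (s *Site) Login(pk ed25519.PublicKey, c Challenge, sig []byte, now time.Time) error {
	issued, ok := s.pending[c.Nonce]
	delete(s.pending, c.Nonce)
	switch {
	case !ok || string(issued.Message()) != string(c.Message()):
		return errors.New("unknown, already used, or altered challenge")
	case now.After(c.Expires):
		return errors.New("challenge expired")
	case !s.Account.Accepts(pk):
		return errors.New("key not accepted for this account")
	case !ed25519.Verify(pk, c.Message(), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

A challenge signed for one origin is rejected by another because the nonce was never issued there, which is the check that stops a malicious site from relaying your signature to a third one.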
| jdlshore wrote:
| Several years ago, Mozilla/Firefox created "Persona," which was
| an open-source federated identity system that provided all the
| benefits described here. The idea was that it would eventually be
| built into browsers. I used it on a commercial site myself for
| many years.
|
| It failed to gain traction, and Mozilla eventually pulled the
| plug.
|
| Persona had many advantages over the Web3 vision described in
| this article. It was painless for a new user to create an
| account, because Mozilla provided a default identity server. It
| was easy for a website owner to set up, because Mozilla provided
| a JavaScript shim that worked on any browser. And it didn't rely
| on a wasteful and slow distributed ledger.
|
| Despite these advantages, Persona failed. I don't see how a
| blockchain-based approach, with so many disadvantages compared to
| Persona, could possibly succeed outside of the blockchain
| enthusiast community. And, on a technical level, a federated
| approach seems innumerably simpler and less wasteful than a
| blockchain-based approach.
| gillesjacobs wrote:
| Cryptocurrency ecosystems have the advantage of economic
| incentivization and if they're decentralised, uncensorability.
|
| Those are two major advantages.
| mattlondon wrote:
| > uncensorability
|
| I suspect that this will be a major issue in the long-run.
| Once these sort of crypto-based logins become synonymous with
| CP and terrorism, they're going to be shunned by the average
| person on the street.
|
| Yes yes yes, people use email and whatsapp for the same, but
| at least there is the _option_ for Google and Facebook to
| censor or block /ban those users (and it feels like there is
| increasing legal/legislational tension to try and compel the
| tech giants to _actually do something_ in this area). You
| cannot say the same about an indelible blockchain.
| ilogik wrote:
| if I run an online service, and you log in with web3, if
| you're an asshole, I can still ban your "indelible" account
| mattlondon wrote:
| Yep - so there all these claims about no censorship or
| gatekeeping etc are clearly bullshit.
| superfrank wrote:
| > Despite these advantages, Persona failed. I don't see how a
| blockchain-based approach, with so many disadvantages compared
| to Persona, could possibly succeed outside of the blockchain
| enthusiast community. And, on a technical level, a federated
| approach seems innumerably simpler and less wasteful than a
| blockchain-based approach.
|
| Sometimes it's all about being in the right place, at the right
| time, with the right amount of hype. Inferior technologies win
| out all the time.
|
| That being said, if (major if) auth through web3 did take off,
| I wouldn't be surprised if over time it slowly crept back
| toward a solution that doesn't use blockchain since a non-
| blockchain solution would probably be simpler, cheaper, and
| faster.
| iskander wrote:
| For all of its flaws, I find the web3 space fun...but I'm
| also hoping that some of the non-financialized use cases move
| to other kinds of distributed algorithms, like Hypercore
| (https://hypercore-protocol.org/).
|
| Even if the technological ideal comes to fruition in a few
| years (sharded modular proof-of-stake consensus blockchains
| with zero-knowledge rollups and dedicated data availability
| layers), it will still eternally remain enmeshed with
| speculation and scamming. I think there's a narrow time and
| place for the speculative assets but wouldn't want that
| interwoven throughout the fabric of everything online.
| nathias wrote:
| Federated systems are bad; they combine the negatives of
| centralized and decentralized systems. It is no wonder that they
| fail repeatedly.
| zingplex wrote:
| Perhaps, but I think in this case what killed Persona was
| lack of adoption and interest from the public, nothing
| inherent to the actual technology
| nathias wrote:
| Yea, but that's kind of my point. Actually decentralized
| software is just out there and you can use it if you find a
| use case for yourself, there is no one that would shut it
| down if it isn't popular enough.
| pkulak wrote:
| They fail because they are in the best interest of users, not
| corporations.
| hffft wrote:
| > Persona had many advantages over the Web3
|
| it has none now ;)
| whywhywhywhy wrote:
| > I don't see how a blockchain-based approach, with so many
| disadvantages compared to Persona, could possibly succeed
| outside of the blockchain enthusiast community
|
| What's in it for the user to sign up for persona? Nothing
|
| What's in it for the user to get a crypto wallet? Money
|
| There's your answer.
| yosito wrote:
| I don't know. Brave promised me money, and I still haven't
| gotten anything of significant value from that.
| Hoasi wrote:
| I have about $100 in BAT from the initial Brave giveaway,
| even though I almost never use Brave aside from testing.
| latchkey wrote:
| Really? BAT was pretty profitable. Showing me a few ads as
| desktop notifications paid for a lot of my transaction
| costs in the early days. I just looked, BAT is up 754% over
| all time.
| yosito wrote:
| Twice, on different devices, I tried Brave as my default
| browser for month with ads turned on, and both times
| after a month of clicking on ads, the browser still said
| I had 0.0 BAT.
| itsdrewmiller wrote:
| One possible advantage web3 has over Persona is that it is not
| under the control of Mozilla or whatever foundation Mozilla set
| up to address those very predictable concerns. Being
| distributed might help it gain early adopter mindshare which
| could lead to future UX improvements. (Not saying I believe
| this will definitely happen, just that Persona failing isn't a
| guarantee of failure here.)
| enos_feedler wrote:
| This doesn't explain why Persona didn't work. Unless we
| understand why it didn't work and show how web3 alleviates
| the problem, how is anyone to believe a web3 login system
| will work? You could also ask what has changed since Persona
| tried and failed? In other words, why now?
| [deleted]
| jdlshore wrote:
| Persona wasn't under the control of Mozilla, either. You
| could still use it today, if you were willing to set up your
| own identity server, and if you could find any websites that
| supported it.
| jdgoesmarching wrote:
| That's a lot of words to say "this will have better marketing
| thanks to crypto hype."
|
| Seems to be the selling point of most web3 and blockchain
| solutions once you brush the buzzwords off the copy.
| gjulianm wrote:
| If it only were Persona the thing that failed... But I've
| seen quite a lot of attempts at federated identity and turns
| out people don't care too much about that. People just want
| to log in to whatever site to do things. Login with
| Twitter/FB/whatever is offered to reduce login friction, not
| because people think of them as identity providers. Offering
| "another identity provider" is solving the part of the
| problem most users really don't care for.
| scotu wrote:
| Agreed. This comes down to lack of power to push a system onto
| its potential users, Mozilla didn't have a userbase large
| enough nor could incentivize 3rd parties to force onto their
| users. You could argue if the ux was good it would have just
| succeeded, but I think that's bs. Funds are the number one
| predictor of success of anything.
|
| My worry with the blockchain is that now it has VCs that are
| going to pump so much funds in it to keep it spinning and force
| everybody to use it because you need that service, and now (in
| the future) it's only provided through the blockchain (because
| the alternative off-chain company cannot raise funds so it
| doesn't exist, it fails, or it's a worse experience).
| carlosdp wrote:
| I joined the team at Mozilla that developed Persona as an
| intern, just as they closed it down.
|
| Persona failed because it was fighting against a head-wind of
| an already established trend of using Google/FB OAuth2, without
| giving the _service provider_ any new benefits. There was no
| incentive for a website to actually implement Persona, since it
| was just another auth provider and users weren't using it.
| Users didn't use it because no one implemented it. Chicken and
| egg.
|
| Websites that integrate web3 wallet login _do_ get something
| new: built-in, straightforward payment rails.
| [deleted]
| throwaway92873 wrote:
| The Persona team approached the company I was working for,
| asking us to add Persona login alongside our other login
| options. Mozilla came to us because we had a huge web presence
| at the time (about the size of Wordpress, let's say). We
| discussed it internally and ultimately rejected their request.
| We were going through a re-org and just didn't have anyone to
| spare. We were also rewriting the component where the login
| would live, and this would have been out of scope.
|
| Looking back, I now see that not volunteering myself for the
| challenge was one of the biggest mistakes I've made in my
| career. It was one of those rare opportunities to make a
| difference.
|
| I also wonder why nobody has tried it since. It's a simple
| approach, but you'd need a good security team backed by a
| trusted organization to make an implementation credible.
| dane-pgp wrote:
| > I also wonder why nobody has tried it since.
|
| For what it's worth, the vision does live on and people are
| working on developing web standards that get us closer
| towards it. One example is the W3C's "Credential Management
| Level 1" from 2019, which specifically references[0]
| Mozilla's work:
|
| "The API defined here does the bare minimum to expose user
| agent's credential managers to the web, and allows the web to
| help those credential managers understand when federated
| identity providers are in use. The next logical step will be
| along the lines sketched in documents like [WEB-LOGIN] (and,
| to some extent, Mozilla's BrowserID [BROWSERID])."
|
| More recently, in fact, today, I see there is a "Federated
| Credential Management API" draft published,[1] which has the
| goal of:
|
| "enabling a website to request a users [sic] federated
| credentials from a user agent, and to help the user agent
| store the users [sic] federated credentials for future use."
|
| [0] https://www.w3.org/TR/credential-management-1/#teh-futur
|
| [1] https://wicg.github.io/FedCM/
| w-j-w wrote:
| mwattsun wrote:
| I'm reading this with an open mind, but I have questions:
|
| > Problem #1: Owning Your Own Digital Identity & Fixing
| Authentication
|
| My very technical friends who are security minded are on
| keybase.io. Multiple usernames and passwords across the internet
| is solved in various ways without blockchain. There are a lot of
| good password managers (I use an encrypted text file.) I don't
| feel Google owns my identity because I use their authentication
| system, so unless I'm missing something, I don't see a problem.
|
| > enables advanced features like social recovery, which lets you
| recover your account if you lose your key via a smart contract
| that takes votes from guardians (friends or paid services).
|
| > The idea here is that you could give keys to your friends and
| family, or to some sort of business service, then if you lose
| your key, use your friends to "vouch" for you and move the
| account to a new key.
|
| This doesn't seem very workable in a practical sense. It seems
| like this could be spoofed fairly easily or the business service
| gets hacked
| thebean11 wrote:
| > This doesn't seem very workable in a practical sense. It
| seems like this could be spoofed fairly easily or the business
| service gets hacked
|
| You could give keys to two businesses / people and require them
| both to agree before they can "unlock" the account. You could
| also add a timelock, so you have time to respond if they get
| hacked or collude against you.
|
| These aren't really new ideas and exist in existing, non-crypto
| social recovery schemes.
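The M-of-N guardian recovery with a timelock that thebean11 sketches in reply to mwattsun, as an added example; it is not code from the article or from any wallet project, it runs off-chain here rather than as a smart contract, and the message formats and the 48-hour delay are assumptions made for the example. Setting Threshold equal to the number of guardians gives the "both businesses must agree" case.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Account is a wallet whose owner key can be replaced by social recovery: at
// least Threshold of Guardians must sign a proposal naming the new key, and the
// swap only takes effect after Delay, during which the current owner can veto.
type Account struct {
	Owner     ed25519.PublicKey
	Guardians []ed25519.PublicKey
	Threshold int
	Delay     time.Duration
	pending   *recovery
}

type recovery struct {
	newOwner ed25519.PublicKey
	readyAt  time.Time
}

// RecoveryMessage is what each guardian signs; it names the current owner as well
// as the replacement, so a signature cannot be reused for a later recovery of the
// same account (a format made up for this example).
func (a *Account) RecoveryMessage(newOwner ed25519.PublicKey) []byte {
	return append(append([]byte("recover:"), a.Owner...), newOwner...)
}

// ProposeRecovery counts valid signatures, one slot per guardian so the same
// guardian cannot be counted twice, and starts the timelock once Threshold is met.
func (a *Account) ProposeRecovery(newOwner ed25519.PublicKey, sigs [][]byte, now time.Time) error {
	switch {
	case a.pending != nil:
		return errors.New("a recovery is already pending")
	case len(newOwner) != ed25519.PublicKeySize:
		return errors.New("malformed replacement key")
	case len(sigs) != len(a.Guardians):
		return errors.New("expected one signature slot per guardian")
	}
	msg, approvals := a.RecoveryMessage(newOwner), 0
	for i, g := range a.Guardians {
		if sigs[i] != nil && ed25519.Verify(g, msg, sigs[i]) {
			approvals++
		}
	}
	if approvals < a.Threshold {
		return fmt.Errorf("only %d of the required %d guardians signed", approvals, a.Threshold)
	}
	a.pending = &recovery{newOwner: newOwner, readyAt: now.Add(a.Delay)}
	return nil
}

// Cancel lets the still-valid owner key veto a pending recovery. That is what the
// delay is for: it gives the real owner time to notice hacked or colluding guardians.
func (a *Account) Cancel(ownerSig []byte) error {
	if a.pending == nil {
		return errors.New("no recovery pending")
	}
	msg := append([]byte("cancel:"), a.RecoveryMessage(a.pending.newOwner)...)
	if !ed25519.Verify(a.Owner, msg, ownerSig) {
		return errors.New("cancellation is not signed by the current owner")
	}
	a.pending = nil
	return nil
}

// Execute completes the swap once the timelock has elapsed.
func (a *Account) Execute(now time.Time) error {
	if a.pending == nil {
		return errors.New("no recovery pending")
	}
	if now.Before(a.pending.readyAt) {
		return fmt.Errorf("timelock runs until %s", a.pending.readyAt.UTC().Format(time.RFC3339))
	}
	a.Owner = a.pending.newOwner
	a.pending = nil
	return nil
}

// PendingUntil reports when a pending recovery becomes executable (zero time if none).
func (a *Account) PendingUntil() time.Time {
	if a.pending == nil {
		return time.Time{}
	}
	return a.pending.readyAt
}

func main() {
	owner, _, _ := ed25519.GenerateKey(nil)
	g1, s1, _ := ed25519.GenerateKey(nil)
	g2, s2, _ := ed25519.GenerateKey(nil)
	g3, _, _ := ed25519.GenerateKey(nil)
	acct := &Account{Owner: owner, Guardians: []ed25519.PublicKey{g1, g2, g3}, Threshold: 2, Delay: 48 * time.Hour}
	replacement, _, _ := ed25519.GenerateKey(nil)
	msg := acct.RecoveryMessage(replacement)
	fmt.Println("propose:", acct.ProposeRecovery(replacement, [][]byte{ed25519.Sign(s1, msg), ed25519.Sign(s2, msg), nil}, time.Now()))
	fmt.Println("execute now:", acct.Execute(time.Now()))
}
```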
| llbeansandrice wrote:
| > The idea here is that you could give keys to your friends and
| family, or to some sort of business service, then if you lose
| your key, use your friends to "vouch" for you and move the
| account to a new key.
|
| Facebook already has this functionality and it's an absolutely
| massive pain if you're somehow not on their happy path. With no
| real way to figure out what the issue is and get it fixed or on
| the happy path.
| YXNjaGVyZWdlbgo wrote:
| Alone the audacity to think a single point of failure without
| any chance of recovery is a good idea for persona management in
| the real world is insane.
| choward wrote:
| I was expecting a blank page.
| riddleronroof wrote:
| Not to be _that_ HN poster, but wouldn't a PGP key browser plug-in
| do just as well?
| lern_too_spel wrote:
| My question with any blockchain application is always what does
| it solve that a centralized trusted database doesn't solve faster
| and with less waste? You can implement social recovery in a
| centralized database with less waste.
| dylkil wrote:
| trustless, immutable, censorship resistant, permissionless.
| StrLght wrote:
| What's even the difference between <<owning your digital
| identity>> with email/password vs any other authentication
| method? Why does it even matter [0]? You don't own any data
| connected to that digital identity [1]. I might be a bit on a
| radical side here, but to me it's either you own everything or
| you own nothing. There's no in-between.
|
| [0] Except for OAuth since OAuth provider could ban you at any
| time.
|
| [1] Until it's encrypted with your own public key and isn't
| stored anywhere in plaintext. Which can't be 100% guaranteed with
| any proprietary 3rd party service.
| mattlondon wrote:
| > We need some way of saying "who we are" on the internet in a
| consistent manner. That way we can communicate with others in a
| verified way and associate with digital data that we own. We also
| often need that data to be interoperable between different web
| properties.
|
| Do we really need this? Do we really want to permanently tie
| identity across websites like this? I find this initial
| "need"/justification/requirement questionable.
|
| I have a login on HN that is totally unique to e.g. Twitter and
| Instagram and <shudder> LinkedIn. Same with work vs personal.
| This is deliberate. I do not want to have the same identity here
| as I do elsewhere. There are many hopefully obvious reasons for
| this - mostly privacy (both in terms of immediate "in the moment"
| privacy, but also temporal privacy in the sense that I might not
| want some potentially ill-advised comments I made on some website
| 15 years ago to come back and bite me), but also it offers
| protections against "cancel culture" and general cyber-stalking
| and doxxing etc as that would become a whole lot easier if you
| can just run some query on a blockchain and find every single
| website I've ever used and dredge up my comments/content/etc.
| Being able to do that sounds _very_ dystopian to me - why don't
| we just tattoo a barcode on our necks and be done with it?
| lamontcg wrote:
| Yeah I think it is mostly businesses that think this is a huge
| problem to solve to have identities matched across everything
| seamlessly.
|
| Mostly what I care about is logins and payments which are
| addressed by password managers and form filling for credit
| cards. I just want a friction free experience for setting up an
| account, logging back into it, and maybe purchasing something.
|
| And ideally I'd like to self-host, maybe with a service that
| looked like a NAS appliance hanging off a guest network on my
| router with a forwarded port through the firewall and some
| method for tracking my IP address (dyndns or similarish).
|
| And ideally payments happen by a handshake between the service
| I run, the processor and the merchant in a way that my actual
| credit card details are never used. And for recurring payments
| I have the ability to just switch them off. Bringing all the
| control back to me and not leaking out reusable PII everywhere.
|
| Of course corporations would aggressively hate that since it
| would destroy their business models of recurring payments for
| services the user is no longer using and the requirement of
| calling up the business and having to convince some phone
| operator that you really want to cancel.
| mattlondon wrote:
| > Yeah I think it is mostly businesses that think this is a
| huge problem to solve to have identities matched across
| everything seamlessly.
|
| Your comment just gave me a thought - just imagine the online
| advertisers using this for tracking purposes!
|
| At the risk of spreading FUD, it would not surprise me to
| learn that perhaps this web3 thing is being fuelled/funded by
| the existing crop of online advertising networks or their
| close associates? (or at the _very least_ they are watching
| this situation develop with an incredibly close level of
| detail)
|
| Who needs cookies if you have a 100% reliable & long-lived
| (potentially immortal?) ID that the user takes with them
| everywhere they go online (and is the same on every site they
| visit) and for every purchase they make (using that wallet)
| online and offline?
|
| This would be advertising networks' _absolute dream
| situation_ if it becomes widespread - users voluntarily
| creating their own unique tracking fingerprint and using it
| on all the sites they visit, as well as helpfully logging all
| of their purchases they make with that ID on a public ledger
| that anyone can mine the data from.
|
| It really does not get much better for the online advertising
| industry than that.
|
| If you want a cynical take on web3 and are looking for your
| next billion dollar startup idea, then web3 ad tracking &
| targeting might be your best bet :)
| pkulak wrote:
| Private keys are cheap to make. There's no reason you couldn't
| have a different one for every site. Of course, then it's on
| you to keep track of them, but it's already on you to keep
| track of the credentials you're using now. At least this way,
| the default of "use the same creds everywhere" is secure, if
| not more private.
| thebean11 wrote:
| This is already solved by existing crypto wallet tooling too,
| you can create an infinite number of keys all derived from a
| single root key (usually a 12-20 word phrase in modern
| wallets). A service with access to a single child public or
| even private key can't tie them to the sibling keys.
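Per-site child keys from one root secret, as pkulak and thebean11 describe, as an added example (not the article's or any wallet's code): it uses a simplified HMAC-SHA256 derivation rather than BIP32/BIP44, and the origin strings and root value are made up. Because HMAC is one-way, a site that learns one child key, even the private one, cannot recover the root or any sibling key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKey derives a deterministic, site-specific ed25519 key pair from a single
// root secret: seed = HMAC-SHA256(root, "site-key:"+origin). The root never leaves
// the wallet; each site only ever sees its own child public key. (Simplified
// illustration; real wallets use BIP32/BIP44 hardened derivation, not this.)
func SiteKey(root []byte, origin string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, root)
	mac.Write([]byte("site-key:" + origin))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC-SHA256 output is exactly the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// SignForSite signs a site's challenge with that site's child key and returns the
// identity the site learns (the child public key) together with the signature.
func SignForSite(root []byte, origin string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKey(root, origin)
	return pub, ed25519.Sign(priv, challenge)
}

// Correlate counts identities that appear in both sites' user tables, i.e. what two
// colluding sites could learn by joining on the keys they were shown.
func Correlate(siteA, siteB []ed25519.PublicKey) int {
	seen := make(map[string]bool, len(siteA))
	for _, k := range siteA {
		seen[hex.EncodeToString(k)] = true
	}
	n := 0
	for _, k := range siteB {
		if seen[hex.EncodeToString(k)] {
			n++
		}
	}
	return n
}

func main() {
	root := []byte("constructed 32-byte root secret!") // never shared; constructed for the demo
	pubA, _ := SiteKey(root, "https://a.test")
	pubB, _ := SiteKey(root, "https://b.test")
	fmt.Println("a.test sees:", hex.EncodeToString(pubA))
	fmt.Println("b.test sees:", hex.EncodeToString(pubB))
	fmt.Println("shared identities:", Correlate([]ed25519.PublicKey{pubA}, []ed25519.PublicKey{pubB}))
}
```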
| DeepYogurt wrote:
| I agree that we don't need unique identities across everything,
| but even if that is a real problem it is also solved by public
| key cryptography without a requirement of a blockchain.
| djohnston wrote:
| Sure but the blockchain env like Ethereum gives you that for
| free along with a few slick chrome extensions like Metamask
| and a JS library (web3.js) that make all of this super easy
| to build on.
|
| You don't need to make any transactions or whatever, but
| you're inheriting all these tools for free.
| tchock23 wrote:
| The reviews on the metamask chrome extension are pretty
| scary. And it has access to view all data on all sites you
| visit. Is there a better way?
| betwixthewires wrote:
| So the thing about this is that there is no need to
| _permanently_ tie identity across _all_ sites and services you
| used (and provide), rather, the ability to do so when and where
| you need to do it.
|
| There's nothing requiring a user to use the same identity
| across every service they interact with, but the option should
| be there. I wouldn't want my matrix username(s) and my
| fediverse account(s) tied to my HN username(s), but I might
| want a github/gitlab/codeberg account tied to a
| social/messaging account while having different "personas" for
| different applications. Overall it's a useful tool to have in
| your belt, so long as it doesn't limit you in other ways.
| mattlondon wrote:
| So if you are not going to go whole-hog and have one true
| identity for everything, why bother using anything apart from
| an email address?
|
| The argument seems to be that consistency allows you to prove
| ownership and re-use all of your content etc across the web
| by tying everything back to one verified identity. If you are
| having different identities on different sites then that
| benefit disappears, and I fail to see how it is then any
| better than using email addresses? You end up with different
| wallet IDs each with their own island of content, just like
| you have with email addresses.
|
| Sure you could choose to "move" content with one of your many
| identities by just logging in with the ID (presumably losing
| all of your existing content), but we have copy-paste for
| that already (and I am only half-joking saying that...)
| wan23 wrote:
| Email addresses aren't really good for this. It's really
| easy to sign up for a service with someone else's email
| address, for example. Sure, if that person ever finds out
| they can potentially claim ownership of the account through
| a password reset, but it doesn't erase the fact that you
| have been using their "identity" for some time.
| mattlondon wrote:
| Is this still a thing though? Pretty much everything I've
| used in the past 10-15 years has required email
| validation before allowing you to do anything meaningful.
|
| Either way though, I don't see how an account claiming to
| be "wan23" would be any more trustworthy to me as created
| off of the back of an email account or off of a wallet ID
| - I still have no idea (nor do I care) who you are.
| endisneigh wrote:
| > Email addresses aren't really good for this. It's
| really easy to sign up for a service with someone else's
| email address, for example. Sure, if that person ever
| finds out they can potentially claim ownership of the
| account through a password reset, but it doesn't erase
| the fact that you have been using their "identity" for
| some time.
|
| This is also true of a private key, in fact it's
| literally the same scenario...
| yob89 wrote:
| roca wrote:
| I'm open to the idea that there are real problems that are best
| solved by PoW/PoS blockchains and smart contracts, so I was
| hoping this article would reveal one. It doesn't. As mentioned
| elsewhere, Persona was already a perfectly good technical
| solution to this, years ago. It failed for various reasons, none
| of which would be addressed by blockchains/smart contracts.
| Likewise, the problem of "conveniently and securely log in
| everywhere" is well solved by Webauthn.
|
| Arguing that "web3" will help because it will improve _UX_ is
| ludicrous. "web3" provides nothing directly to boost UX. "web3
| hype means there's lots of money sloshing around which can be
| used to improve UX" is an admission of defeat; all the money
| being sucked into the crypto space could be better deployed to
| solve these problems directly.
|
| If this is the best shot at "real problems web3 solves", then
| there really is nothing there :-(.
| armchairhacker wrote:
| tldr; this article describes one problem that a blockchain solves
| better than existing non-blockchain solutions (identity).
|
| My issue with the article is that it uses a lot of words to try
| to explain why web3 and blockchain _may_ be the future. But for
| what point? If an important technology comes around which happens
| to use web3 or blockchain, I'll see it's important from its
| description and I'll adopt it. I don't need to support "web3" as
| a concept, because web3 basically means nothing. And I don't
| think that web3 or blockchain is intrinsically bad, I just
| haven't seen anything particularly useful with those technologies
| yet.
| linseed_213 wrote:
| Are there security/UX risks with users getting used to using
| their wallet for auth? It's difficult to know a safe vs.
| potentially unsafe site when it comes to crypto. Reading the
| docs, it appears to be relatively limited permissions, but either
| by giving more permissions than desired or phishing? Or can they
| combine the authentication with additional information to become
| a more effective spearphishing target?
|
| If my email account is phished or hacked, it's bad, but there's a
| level between my cash and my email account. If I make a mistake
| here, potential losses are higher. In which case I'd probably
| have a 2nd wallet for auth and another I actually use, which then
| becomes more of a pain. I don't trust my parents or less
| technical relatives to use this flow safely.
| gdsdfe wrote:
| unless you're running your own servers, you don't own anything ...
| you're still going to be tied to a 3rd party that does that for you.
| This is what the web3 crowd don't want to understand, they will
| keep telling you: big tech ruined the internet bla bla bla
| switch to us because we are decentralized and you own your own
| data, ok ... but if anyone wants to use it or access it they need
| to go through us
| larsrc wrote:
| I like the "social wallet" idea, though no blockchain is needed
| for that. But there's a real danger that if enough of your
| friends get compromised, you can get compromised as well, and
| that can snowball. And most people would not be secure enough. So
| you'd want to have someone more secure as part of your "social
| set" - a large organization that actually does serious security.
| But then you're again depending on some large organization. You
| could require at least one of several large organizations, but
| that in turn reduces security.
| dmitriid wrote:
| Article: web3 solves decentralized auth, and you are now in
| control!
|
| Also article: to use it, you need to trust a centralized entity
| like Metamask that develops your Chrome extension and some
| unknown programmers that code some "smart contracts" aka
| unverifiable code in esoteric programming languages.
|
| Also article: look! a solution! it's better!
| erosenbe0 wrote:
| He isn't describing the true state of the world. Banks,
| brokerages, mortgage providers, and medical entities mostly don't
| use OAuth2 and won't use this stuff either.
|
| The world is still old school.
|
| Grandpa dies and I go find the paper will.
|
| I get an affidavit from a lawyer and a death certificate with a
| seal from the state.
|
| I go into the bank with a bunch of papers and they figure out
| what to do.
|
| There isn't a chain of trust that the state uploads a PK signed
| death certificate to, which in conjunction with a PK signed 'will
| and trust' then triggers a preexisting blockchain contract to
| effect the asset transfer.
|
| This is 20 or 30 years off. Maybe 10 or 15 in China.
| weego wrote:
| It's forever off because it's the wrong solution to a problem
| that no one is invested in even fully identifying let alone
| working at.
|
| My hot-take parallel argument is that full self driving is a
| smart road problem with 'dumber' cars and not a dumb road and
| smart cars problem. But there's no scope to VC or profit your
| way into smart road infrastructure so we do it the wrong way
| round and hope we can throw resources at it till it's fixed.
| thesuperbigfrog wrote:
| Why can't this be done with existing public key cryptography?
| meheleventyone wrote:
| There's even a standard for doing this with WebAuthn.
| iskander wrote:
| ...which has effectively neither adoption nor momentum to
| achieve adoption:
| https://sec.okta.com/articles/2020/04/webauthn-great-and-
| it-...
|
| For better or worse, there are a large (and ever growing)
| number of Metamask users these days...
| meheleventyone wrote:
| Absolutely, but let's not pretend this is some magic
| technology that only cryptocurrency can solve. Nor is it
| clear cut that we'll see adoption of wallet logins outside
| of crypto circles.
| cle wrote:
| The author discusses this explicitly in the article.
| dylkil wrote:
| It can. The biggest success of crypto has been putting
| public/private key pairs in the hands of 10s of millions of
| people.
| spinny wrote:
| It can. It just happens that the easiest way to achieve this is
| using web3, even if there is no blockchain involved. The
| article is about login methods, not cryptos or web3.
| jeroenhd wrote:
| > It just happens that the easiest way to achieve this is
| using web3
|
| Is it? U2F is actually rolling out to more and more websites
| but I've never seen any website offer to log in with a
| dropdown for cryptocurrencies.
| spinny wrote:
| Websites that are related to cryptos do it, others
| generally don't. Try dappradar.com/ for example.
| vanusa wrote:
| Great - now I'm forced to be on some blockchain somewhere to get
| anything done.
|
| This is progress?
| spinny wrote:
| You are missing the point. The article is about login methods.
| Username/password vs message signed with a private key. The
| blockchain part is there because it is the only ready-to-use way
| to do it in a browser.
|
| It's absurd how HN users in general are so dismissive of
| anything cryptocurrency
| vanusa wrote:
| My point was usability. And being (effectively) forced to
| join / legitimize their hive to get anything done.
|
| _It's absurd how HN users in general are so dismissive of
| anything cryptocurrency._
|
| It's quite reasonable actually, given the prevalence of not
| just hype, but frequently delusional / just plain rambling
| and incoherent hype surrounding it -- not to mention blatant
| fraud and manipulation aimed specifically at unsophisticated
| users.
|
| And the skivviness of many people involved in it.
|
| That said, the OP presents one of the more thoughtful
| proposals I've read recently, and may belong to the 5 percent
| or so of blockchain applications that just might have a
| useful application. With emphasis on "just might".
|
| We'll see.
| spinny wrote:
| > My point was usability. And being (effectively) forced to
| join / legitimize their hive to get anything done
|
| I agree with you on this. For the purpose of logging in with
| a private key, I would prefer some browser extension (or
| built in the browser) that generates a key from a seed
| (like a crypto wallet) and only does that. This doesn't
| exist at this point.
|
| > ... not to mention blatant fraud and manipulation aimed
| specifically at unsophisticated users
|
| Also agree, but probably for different reasons. Many people
| on twitter have the tendency to be mean; twitter doesn't
| make people mean, but it amplifies it. There are so many
| scams and so much manipulation because scammers and con
| artists have always existed, and so has people's greed for
| that 100x token, and so has the scamming.
|
| The speed of communication that the internet gave us also
| serves as an amplifier of the ugliness of human nature
| jeroenhd wrote:
| > For the purpose of logging in with a private key, I would
| prefer some browser extension (or built in the browser)
| that generates a key from a seed (like a crypto wallet)
| and only does that. This doesn't exist at this point.
|
| What about
| https://www.yubico.com/products/yubikey-5-overview/ or
| https://cloud.google.com/titan-security-key/ or
| https://krypt.co/ (before it was acquired, I still use it
| though) or any of its equivalents?
| evrydayhustling wrote:
| I like the starting focus on identity. Imagine if emails to you
| were authenticated by a token that you authorized by logging in,
| and could revoke at any time. In a Web2 world, features like this
| get created by Google, Apple or whomever inventing a permissions
| system that works on their platform -- and serves their product
| goals. In a Web3 world where you issue identity tokens, you can
| revoke them arbitrarily, so if your identity is shared you can
| trace and revoke at the root. Services move from worrying about
| how to game Apple's privacy model to how to avoid a ban that
| remains strictly in your control.
| KarlKemp wrote:
| ...and in a Web 1 beta II world this was already done by PGP in
| 1991. Granted, it never achieved mainstream adoption because
| it's somewhat cumbersome and solves a problem people do not
| actually experience. Sort-of like everything blockchain, one
| might say.
___________________________________________________________________
(page generated 2022-01-04 23:01 UTC)