Auth & identity
May 4, 2022
Author: Reed McGinley-Stempel
Web3’s fundamental improvements to data portability and user authentication enable new, exciting experiences, but solvable shortcomings remain.
Tech conversations are now peppered with a new, contentious buzzword: Web3, and we’re all likely to hear a lot more of it in the coming years. It’s an umbrella term for disparate ideas all pointing in the direction of making the internet more decentralized using blockchain-based applications.
If Web3 fully materializes, which we believe will happen once a few acute shortcomings are addressed, it is going to have profound implications. Web3 optimists point to decentralized technology’s ability to challenge the power of big internet middlemen like Facebook, Google, and Twitter, while Web3 skeptics understandably struggle to connect the dots on how the current state of Web3 applications could ever truly rival the user experiences and network effects that Web2’s most successful tech companies have built.
Given the current state of Web3 applications (nascent but improving quickly), you won’t need to squint much longer to see the potential of this technological paradigm shift. Web3 means many things to people, but our team finds the most important characteristics of the shift from Web2 to Web3 to be the following:
While Web3 has the potential to reimagine how we use the internet, it also raises thorny issues around privacy, user experience, and how much control users truly want. We believe many of the underpinnings of Web3 are here to stay, but we’re likely to see major shifts in the user experience of Web3 as it goes mainstream.
Web3’s technological merits are best understood when using tangible examples of how it is already reinventing what’s possible in our digital lives.
On December 25, 2021, many participants in the crypto economy woke up to an unexpected gift. The cryptocurrency market’s blistering performance in the past year owed part of its success to the growth of non-fungible tokens, or “NFTs.” (NFTs are unique, digital items that are represented on a blockchain, which have recently found popularity in use cases such as giving ownership rights to digital art and video game items.) As the NFT craze took off, a marketplace enabling peer-to-peer NFT sales called OpenSea became one of the most popular Web3 applications. For hundreds of thousands of users exploring NFTs for the first time, OpenSea became the gateway into this new asset class.
When users buy or sell NFTs through the OpenSea platform, they are actually interacting with OpenSea’s smart contracts. These smart contracts run on the Ethereum blockchain, which introduces a notable difference in how most of our digital interactions in Web2 occur. In Web2, unless we’re publishing something to a public newsfeed (e.g. Twitter), data about our interactions is known only to the specific application we’re interacting with. When I buy tickets to a concert, only TicketMaster knows of that transaction.
However, when interacting with a Web3 application (e.g. OpenSea), the smart contracts fueling the application live on a public ledger (e.g. Ethereum) and our interactions are captured as publicly-available data tied to our pseudonymous blockchain accounts. This poses real privacy concerns (which need to be addressed for Web3 to truly flourish), but it also introduces significant opportunities.
OpenSea users have been lobbying the company to perform an “airdrop” for years, asking the company to issue their own token to reward loyal users of the platform. Many OpenSea users feel that their usage of the platform (and the fees they have paid) have helped the marketplace to reach its current market position, and they want to share in that upside. In a situation like this, Web3’s technical architecture becomes very interesting. One of the unique traits of tracking interaction data on a public ledger is that OpenSea’s user base and activity is publicly available on the blockchain by their wallet addresses. If you have a bit of know-how, you have the ability to pull a list of every pseudonymous user of OpenSea and can calculate their usage (and the associated fees) on the platform. In Web2, achieving this level of competitive intelligence is likely impossible without committing a crime to leak that information from a private ledger like a centralized database.
Which brings us to Christmas Day 2021 when an organization named The OpenDAO emerged with a savvy use case built on top of this public user intelligence. The OpenDAO issued a new token with the ticker $SOS to proportionally divide across OpenSea’s users based on their usage of the marketplace. This practice of issuing a new token and allocating it to users based on certain criteria is called an “airdrop” in the crypto world—it’s a fairly frequent occurrence, but the $SOS airdrop is the first successful, large-scale example of an organization choosing to airdrop a token to users based on their interaction with a third-party product that it doesn’t have a formal relationship with.
We can only begin to imagine how this ability to invent new incentive structures based on third-party application usage might reshape modern competitive dynamics. However, rather than using this airdrop as an incentive to convince users to jump ship from OpenSea to a competitive platform, The OpenDAO’s initial focus has instead been to provide valuable features to OpenSea’s user base that are not available from OpenSea today. For example, a proportion of the new tokens created are allocated towards compensating scam victims on OpenSea (like elsewhere in the crypto ecosystem, scams remain common):
Nearly 200,000 OpenSea users claimed the $SOS token by connecting their crypto wallet to prove they own the blockchain address that had used the OpenSea product, allowing them to claim these tokens. The OpenDAO airdrop of the $SOS token exemplifies many magical pieces of Web3 technology:
With these building blocks, Web3 makes it easy to rewrite user incentives on the web. The OpenDAO project provides insights into what’s possible when users own their data and can easily port it to other services.
In the future, this could allow users to control how they share their own data and bounce around, say, from social media to a finance app to shopping using a single personalized account, creating a public record on the blockchain of the core parts of that app’s activity. This level of data portability that Web3 enables will challenge many of the expectations we have of how applications work on the internet. Historically, most applications have built either closed or tightly permissioned gardens, which limit users’ data portability. As a result, we’ve ended up with companies that have built mammoth network effects that are nearly impossible for a truly competitive market to unseat.
One thing is certain: in a Web3 world, users will navigate the Internet and gain access to its services in very different ways. First, it helps to understand how the Web has evolved.
The early days of the Internet in the 1990s were Web 1.0. The web then was composed mostly of static sites that you could read, but there wasn’t much interaction. It was a little disorganized and difficult to navigate. In a world of static sites, there’s not much need for authenticated user accounts. As an example, a static site serving blog posts would serve the same content regardless of whom the reader was.
Then came Web 2.0 in the mid-2000s. Sites became dynamic, and there was an explosion of apps that allowed users to do more than simply read data. Platforms like Google, Amazon, Facebook, and Twitter made it possible to connect and transact online. These applications required the ability to store user data on their servers and then reproduce it in the future.
As Web 2.0 proliferated, users collected hundreds of different accounts siloed across different applications. The authentication method that spread along with it, the password, has become one of the main obstacles to navigating the web, because of both the burden it places on users and its security weaknesses.
Web 3.0 (Web3), based on the blockchain technology that already underpins things like Bitcoin and Ethereum, uses an open, decentralized database and compute layer rather than having each application rebuild its own siloed database and compute layers. As users cruise the internet and use applications, the data from those interactions no longer lives solely on that single application’s server. It’s recorded on a shared and publicly accessible ledger.
Authentication doesn’t live on the application’s server either. Rather than storing a memorized secret like a password, users can apply public key cryptography to sign up, access sites, and take sensitive actions by using private keys to deterministically prove ownership of a represented account on a shared ledger. It may sound like voodoo to the average person, but it is a bit like electricity. Flip a switch, and it comes on—without the need to understand what’s happening behind the scenes.
Web3 offers many advantages. Namely, data flows freely and is publicly verifiable. Companies no longer need to build user authentication using things like passwords into their applications. Instead, users can have a single account for the internet in their Web3 wallet: think of this as a “bring-your-own-account” architecture where the user verifies their account as they browse different websites, without the need to create a unique username and password for every site.
Because authentication is based on public-key cryptography, certain security gaps with the Web2 approach to authentication (e.g. weak passwords and password reuse) are nonexistent. Users don’t have to remember passwords or fill out multiple screens when they sign up for an application.
As with everything in tech, there are disadvantages too. Web3 eliminates the password, but it introduces other weaknesses. Anybody who has tried to set up a Web3 wallet like MetaMask knows that the user experience (UX) can be foreign and unfriendly. It requires introducing users to a completely novel concept of secret “seed” phrases, which are 12-to-24 words long and required for users to be able to recover their account when they switch devices. The UX burden for users that are new to Web3 can be overwhelming. A new user is introduced to this strange concept of seed phrases and told that failing to properly store their seed phrase will result in the irreversible loss of everything in their Web3 wallet.
Additionally, wallets like MetaMask ask users to also create a password for their wallet, and users’ confusion only compounds when they learn that this password cannot be used in any way to recover or access their account from another device. Instead, the password only works to unlock the “local” copy of the wallet on their device, which runs counter to everything users have been taught about the portability of passwords since the web’s early days.
The UX burden of seed phrases and non-portable passwords presents a number of risks for users. These confusing and foreign authentication concepts can lead to users being more easily scammed. Unwittingly, users might provide their seed phrase to a phishing site because they want to take a shortcut when confronted with a clunky, mentally taxing UX flow.
Users might also lose or misplace a seed phrase and therefore forgo any chance of recovering an account. Traditional account recovery (“reset your password”) does not exist in Web3 wallets. There’s also no 2-factor authentication today that would give users an additional layer of control over authentication. Whether the transaction is $1 or $1 billion, wallets by default only require private key signing.
Data is transparent. That also means it’s public. While accounts are pseudonymous, users may take actions that accidentally leak their identities when they don’t intend to. Adding to the challenge, transactions are irreversible, which puts even more burden on the user to not make mistakes. In the Web3 world, users can’t call their credit card company to reverse a fraudulent charge.
To make Web3 work, users will need to reorient their thinking, from creating a new account for every app to a “bring-your-own-account” structure with one wallet, or passport, for navigating the web. It will be a big positive change, because Web3 accounts can be authenticated with cryptography, without the dreaded password, and with a lot less friction.
Companies will need to build Web3 experiences that passively detect identities and accounts. If a user provides consent, then authentication and data provisioning can happen in one click. This is one way companies can reduce friction and drop-off in their funnels. Another way to reduce friction is to blend identity and payments—something that’s relatively easy to do with Web3—and seamlessly prove and provide both to applications that users trust.
There are still unknowns with where Web3 will go, but its momentum is undeniable and its advantages outweigh the disadvantages. The best thing to do is to build the best possible version of Web3, one that’s safe and easier to navigate for internet travelers. For that, everyone is going to need a passport to the internet, and companies will need to make it safe, secure, and easy for everyone to navigate.