
Several years ago, Mozilla/Firefox created "Persona," which was an open-source federated identity system that provided all the benefits described here. The idea was that it would eventually be built into browsers. I used it on a commercial site myself for many years.

It failed to gain traction, and Mozilla eventually pulled the plug.

Persona had many advantages over the Web3 vision described in this article. It was painless for a new user to create an account, because Mozilla provided a default identity server. It was easy for a website owner to set up, because Mozilla provided a JavaScript shim that worked on any browser. And it didn't rely on a wasteful and slow distributed ledger.

Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.



> Despite these advantages, Persona failed. I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community. And, on a technical level, a federated approach seems innumerably simpler and less wasteful than a blockchain-based approach.

Sometimes it's all about being in the right place, at the right time, with the right amount of hype. Inferior technologies win out all the time.

That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.


> That being said, if (major if) auth through web3 did take off, I wouldn't be surprised if over time it slowly creeped back toward a solution that doesn't use blockchain since a non-blockchain solution would probably be simpler, cheaper, and faster.

I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service? You can just use the protocol.


> I don't think you necessarily need blockchain. Can't you just prove that you are who you say by signing something and sending it to the service?

It's important to remember that blockchains are just public-key cryptography where you have a private key that can sign things and, importantly, everyone knows everyone else's verified public keys. That's it. It solves the key distribution and verification problem that PGP and TLS etc have and this enables a lot of use cases such as universal private communication channels and authentication.

Signing the message is key for this yes but knowing that a certain key is connected to a specific user and that user having the ability to use it to sign verified messages everyone in the world can trust is the real utility here and what makes this universal SSO system work well.


But it doesn't solve that at all since there's no way to tie something on the block chain to the real world. All the same problems of knowing whether some particular PGP key belongs to the person you want apply the same to a wallet address.


I probably should have worded it differently to avoid that connotation. There are a lot of identity protocols but that's not what I was focusing on.

On HN I am Sargos. You know this because I am replying to you and only I can do that with this account. I can also tell you that I'm @JamesCarnley on Twitter but there's no way for you to verify that. If I were using my public key to log into HN and Twitter you would know those are both my accounts and thus my persona is verified across multiple applications. If I were to link my public key to my government's identity database then you'd also be able to verify I am really James in real life as well.


And none of that has anything to do with blockchain.


It feels like you're trying really hard to not give web3 any credit here. Try making something like this in the traditional web. People have tried and failed.

Ethereum provides a robust, secure, and increasingly usable key storage and usage system to everyone which makes "just signing a message" a simple task and not a 10 step process probably involving a CLI. It's worth considering the utility of this and the possibilities everyone having a personal public/private key pair allows. My fellow software developers among us likely have their mouths watering at the use cases this unlocks. Here's a pretty good thread about the implications: https://twitter.com/BrantlyMillegan/status/13892701158840975...


I’m not sure what utility signing a message has inherently. You do this already behind the scenes on apps like iMessage or Signal with end to end encryption.[1] Or if you want to do it more directly but without the command line, there is Keybase: https://keybase.io/sign

Unless you were to upload each and every chat to a blockchain - which is prohibitively expensive - I don’t see the killer advantage over the previous alternatives. Also, many people here are also programmers, developers, and - surprise - hackers, so I am sure we would be interested in the mouth-watering use cases you’re thinking of (I looked at the Tweet thread you linked but it was just an explanation of public key cryptography in general.)

[1] Apple also refused to backdoor a terrorist’s iPhone at the demand of the FBI. OpenSea intervened when someone stole assets from a collector (https://blockzeit.com/opensea-nft-marketplace-stops-hacker-f...)


I haven’t heard a convincing argument for why only ethereum can get users to use key pairs.

You can improve the UX of key management tools without a global network of redundant computers.


> I haven’t heard a convincing argument for why only ethereum can get users to use key pairs.

I never said this.

> You can improve the UX of key management tools without a global network of redundant computers

Yet nobody has ever done it until now.


> Try making something like this in the traditional web. People have tried and failed.

Keybase.io is a quite elegant solution and didn't "fail" due to any fault of its own (the team was acquired by Zoom).


You can verify that you're the same person on Twitter by mentioning “I'm @Sargos on HackerNews” in your Twitter.


How does everyone know everyone's verified public keys? How are they verified? Who does the verification? How do you trust the verifiers? How do you know that person x in the real world has pubkey x?


Verified probably isn't the right word here. Authentic would probably work better.

I as a person have accounts on lots of apps but no real way to prove I own all of them. When you use a public key as your identifier then everyone can verify that the entity that owns Sargos on HN also owns Blah on Reddit if I want them to. Essentially you can trust that the digital entity you are interacting with is the digital entity you knew and trusted on the rest of the web in the past.

If you are using a web3 app and see vitalik.eth then you know for a fact that it's Vitalik Buterin. Unfortunately we only know this for sure because he said that is his address in public but there are many identity protocols trying to solve this problem and if you were to tie your public key to your government's identity database then you would be able to prove real world provenance.
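The "sign something and send it to the service" login raised earlier in the thread, and the claim above that one public key shows the same entity holds accounts on two services, as an added example that is not part of any comment here. It assumes Node.js's built-in `crypto` module with Ed25519 keys; the `Service` and `Identity` classes and the `forum.example` / `social.example` names are hypothetical.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
const crypto = require("node:crypto");

// Account ID = SHA-256 of the DER-encoded public key.
function fingerprint(publicKeyPem) {
  const der = crypto.createPublicKey(publicKeyPem).export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

class Service {
  constructor(domain) {
    this.domain = domain;     // bound into every challenge this service issues
    this.pending = new Map(); // nonce -> expiry in ms since epoch
  }

  // Step 1: issue a single-use challenge valid for 60 seconds.
  issueChallenge(now = Date.now()) {
    const nonce = crypto.randomBytes(16).toString("hex");
    this.pending.set(nonce, now + 60000);
    return `login:${this.domain}:${nonce}`;
  }

  // Step 3: check the signed challenge. Returns the account ID, or null.
  verifyLogin(challenge, signature, publicKeyPem, now = Date.now()) {
    const parts = String(challenge).split(":");
    if (parts.length !== 3 || parts[0] !== "login") return null;
    if (parts[1] !== this.domain) return null;             // signed for another service
    const expiry = this.pending.get(parts[2]);
    this.pending.delete(parts[2]);                         // single use, even on failure
    if (expiry === undefined || now > expiry) return null; // unknown, replayed or expired
    try {
      const key = crypto.createPublicKey(publicKeyPem);
      // Ed25519 takes no separate digest, hence the null algorithm.
      const ok = crypto.verify(null, Buffer.from(challenge), key, signature);
      return ok ? fingerprint(publicKeyPem) : null;
    } catch {
      return null; // malformed key or signature
    }
  }
}

// Step 2 happens on the user's side: the private key never leaves it.
class Identity {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: "spki", format: "pem" });
  }
  sign(challenge) {
    return crypto.sign(null, Buffer.from(challenge), this.privateKey);
  }
}

function demo() {
  const forum = new Service("forum.example");
  const social = new Service("social.example");
  const alice = new Identity();
  const mallory = new Identity();

  const c1 = forum.issueChallenge();
  const s1 = alice.sign(c1);
  const forumId = forum.verifyLogin(c1, s1, alice.publicKeyPem);

  const c2 = social.issueChallenge();
  const socialId = social.verifyLogin(c2, alice.sign(c2), alice.publicKeyPem);

  const c3 = forum.issueChallenge();  // relayed to the wrong service below
  const c4 = forum.issueChallenge();  // signed with the wrong key below
  const c5 = forum.issueChallenge(0); // issued at t=0, so long expired by now
  return {
    forumId,
    sameKeyHolder: forumId !== null && forumId === socialId,
    replayRejected: forum.verifyLogin(c1, s1, alice.publicKeyPem) === null,
    crossServiceRejected: social.verifyLogin(c3, alice.sign(c3), alice.publicKeyPem) === null,
    impostorRejected: forum.verifyLogin(c4, mallory.sign(c4), alice.publicKeyPem) === null,
    expiredRejected: forum.verifyLogin(c5, alice.sign(c5), alice.publicKeyPem) === null,
  };
}

console.log(demo());
```

A matching fingerprint on both services shows only that the same key signed both logins; tying that key to a real-world person is a separate problem.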


1. They can (theoretically) examine the whole ledger.

2. Your possession of the private key “verifies” your public key, if someone takes it they are now you.

3. Depends on the consensus mechanism but in the best case, “everyone” and in the worst case “coinbase.”

4. You don’t trust them, the system is supposed to be trustworthy with untrustworthy participants, and when that’s not true you will just have to trust the architects of the hard fork.

5. Magical off-chain oracle!


This description fits Keybase equally well, which never really took off into mainstream and then shot itself in the foot by being acquired by Zoom.

Also GPG doesn’t have a key distribution problem. You can spin up a keyserver or use a popular existing one.


As far as the technology goes, you could have the user GPG sign something and upload that attestation. Something about the UX of that leads me to believe that'll be a non-starter though.

Login/verification doesn't require a transaction though, so is relatively quick. Blockchain in this context can be thought of as a collection of (public) keys.


For all of its flaws, I find the web3 space fun...but I'm also hoping that some of the non-financialized use cases move to other kinds of distributed algorithms, like Hypercore (https://hypercore-protocol.org/).

Even if the technological ideal comes to fruition in a few years (sharded modular proof-of-stake consensus blockchains with zero-knowledge rollups and dedicated data availability layers), it will still eternally remain enmeshed with speculation and scamming. I think there's a narrow time and place for the speculative assets but wouldn't want that interwoven throughout the fabric of everything online.


I see the speculation-everywhere mode that web3 is currently in as a something that the future web will occasionally devolve into.

An idea will come along that enough of us can get behind, that idea will attract money and solve real problems for a while and when they're no longer problematic enough to warrant spending money on the system will collapse back into speculation hell until the next idea-that-we-can-get-behind comes along.


The Persona team approached the company I was working for, asking us to add Persona login alongside our other login options. Mozilla came to us because we had a huge web presence at the time (about the size of Wordpress, let's say). We discussed it internally and ultimately rejected their request. We were going through a re-org and just didn't have anyone to spare. We were also rewriting the component where the login would live, and this would have been out of scope.

Looking back, I now see that not volunteering myself for the challenge was one of the biggest mistakes I've made in my career. It was one of those rare opportunities to make a difference.

I also wonder why nobody has tried it since. It's a simple approach, but you'd need a good security team backed by a trusted organization to make an implementation credible.


> I also wonder why nobody has tried it since.

For what it's worth, the vision does live on and people are working on developing web standards that get us closer towards it. One example is the W3C's "Credential Management Level 1" from 2019, which specifically references[0] Mozilla's work:

"The API defined here does the bare minimum to expose user agent’s credential managers to the web, and allows the web to help those credential managers understand when federated identity providers are in use. The next logical step will be along the lines sketched in documents like [WEB-LOGIN] (and, to some extent, Mozilla’s BrowserID [BROWSERID])."

More recently, in fact, today, I see there is a "Federated Credential Management API" draft published,[1] which has the goal of:

"enabling a website to request a users [sic] federated credentials from a user agent, and to help the user agent store the users [sic] federated credentials for future use."

[0] https://www.w3.org/TR/credential-management-1/#teh-futur

[1] https://wicg.github.io/FedCM/


Didn't Apple try it 2 years ago? Log in with Apple...

I would never use these services unless it was completely open, free and privacy centric though.

Apple comes a bit of the way but they tend to make stuff work only on their own hardware which won't work for me. Persona would have been a good option. Especially because it could be self hosted. That would be amazing. It was just a bit too early.


I think that unless you worked at FAANG it wouldn't have made much of a difference for Personas

Google / FB login still would have probably won


I joined the team at Mozilla that developed Persona as an intern, just as they closed it down.

Persona failed because it was fighting against a head-wind of an already established trend of using Google/FB OAuth2, without giving the service provider any new benefits. There was no incentive for a website to actually implement Persona, since it was just another auth provider and users weren't using it. Users didn't use it because no one implemented it. Chicken and egg.

Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

I'm not convinced it's that large a benefit.

For the foreseeable future, any website that aspires to be anything more than a niche web3 player will need to support web2 auth and web2 payments. So web3 is just adding layers, not removing them. Until web3 becomes powerful enough that you're losing customers because you aren't supporting it, there's no incentive to support it. (Exactly the same predicament Persona was in.)

Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age, which seem to have been "just around the corner" for the past five years.


> I'm not convinced it's that large a benefit.

That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard which inflict high fees on your business and who at a moment's notice can bankrupt your business by blocking all payments.

Companies that are built around "SIN" such as weed and porn have basically been strong-armed by this financial monopoly, to the point that Crypto is a welcome addition and which they offer big discounts to users who pay with it.

> Additionally, cryptocurrency is not practical as a currency right now because of high transaction fees and slow settlement. This situation won't change until layer 2 networks come of age

There are plenty of L1 solutions like Solana and Avalanche which offer low txn fees and high TPS. L2 networks such as Polygon have already launched and are being used.


> That's because you're not a merchant that has to deal with the monopoly of Visa/Mastercard

Visa and MasterCard don't have a duopoly on payment. They have a duopoly on “instant credit-card-based payment with charge back”, and Blockchain "tech" isn't competing in any of these features. If you don't need this and don't care about subpar UX, you can use bank transfers and still have a better solution than a blockchain-based one.

> high fees on your business

You think Visa fees are high? Blockchain transaction fees must look gigantic to you then…


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

Is this really any better than Apple/Google pay? Those are already set up, trustworthy, I don't need to convert my fiat into a cryptocurrency that can swing in value wildly, and it's super easy to set up with stripe or any of the other platforms that the website is probably already using.


I'm not very knowledgeable about Web3, but what you point out, I also find confusing. Why do I need to use ETH to buy an NFT -- my credit card should just do fine -- shouldn't it?

Clicking the "Connect My Wallet" button is kind of fun. But I feel like I've gained nothing over just using my credit card -- in fact my credit card provides me (as the consumer) tons more benefit than using ETH -- and don't get me started on gas fees!


There's work happening now to make this a reality by partnering with on-ramps and off-ramps to go from fiat to crypto.

One can imagine a world in which this is completely transparent to the end user.

High ETH gas fees are also being solved by Layer 2 solutions which get fees down to cents by either batching transactions or doing the work off the main chain and posting only the proofs to the main ETH chain. Check out zero knowledge rollups, aka zk-rollups.


You can't buy most NFTs with ETH, right? First you have to pay ETH-level fees to buy 'wrapped' ETH?


Rollup solutions like StarkNet and StarkEx on Ethereum will make apps gas-free.


What happens if Visa/Mastercard decides to block the merchant you want to use? Or you yourself are a merchant that gets hit with high fees simply because you're in a business that is deemed "high-risk"


Fair, but that seems like a really really small segment of the market assuming it's legal. For 99% of businesses I don't think this is an issue.


I seem to remember pornhub being hit by this, which is why they removed unverified content. Perhaps it's also why OnlyFans decided to ban explicit content a few months back (before backpedaling).

https://www.nytimes.com/2020/12/10/business/visa-mastercard-...

https://edition.cnn.com/2021/08/20/tech/onlyfans-explicit-co...


> Websites that integrate web3 wallet login do get something new: built-in, straightforward payment rails.

With super high fees, transfers that take literal minutes to complete, no charge back and the ability to lose all the money you have if you ever get hacked. How exciting! Even bank transfer as a means of payment is way better UX.


> built-in, straightforward payment rails.

Yeah. Crappy ones with high latency and high fees.


Solana transactions currently cost $0.00025 and can handle 50,000 transactions per second. For comparison visa handles 1700 TPS and MasterCard 5000.


Solana is proof-of-stake, right? I think the parent comment was talking about proof-of-work.


Agreed. This comes down to lack of power to push a system onto its potential users, Mozilla didn't have a userbase large enough nor could incentivize 3rd parties to force onto their users. You could argue if the ux was good it would have just succeeded, but I think that's bs. Funds are the number one predictor of success of anything.

My worry with the blockchain is that now it has VCs that are going to pump so much funds in it to keep it spinning and force everybody to use it because you need that service, and now (in the future) it's only provided through the blockchain (because the alternative off-chain company cannot raise funds so it doesn't exist, it fails, or it's a worse experience).


The new hot take (I heard it from Matt Levine, I think, but I doubt it's original to him) is that pyramid schemes solve the adoption problem for technologies with network effects.

Everyone would be better off with better identity management, but it's not worth anyone's time to be one of the first users of a system with no sites supporting it or one of the first sites supporting a system with no users. The web3 version of this will be something where if it takes off the first adopters get super rich at the expense of late adopters, and that makes it take off.

Similarly, conventional profit models incentivize the creators of a technology to make it as centralized and locked in as possible, so that they can profit off it over time. The pyramid scheme business model incentivizes the creators to make a decentralized and open system, so that they don't have to do any work over time once it takes off.

Is this the special kind of stupidity that only really smart people can aspire to, or the special kind of genius that only really stupid people can? Time will tell, I guess.


I like Mozilla and Firefox is my default browser, but clearly that was doomed. Google is never going to be OK with Mozilla owning the identity system. Neither would Facebook, or Apple or anyone else. They all have their system for “just use us as the login to every service!” And the only result is that there are 50[1] different “universal” login options for every site.

[1] ok most sites limit it to 2-3 options, but which 2-3 is up in the air.


> I don't see how a blockchain-based approach, with so many disadvantages compared to Persona, could possibly succeed outside of the blockchain enthusiast community

What’s in it for the user to sign up for persona? Nothing

What’s in it for the user to get a crypto wallet? Money

There’s your answer.


The major problem with crypto-bros is that they think "money" is a good enough answer. Money is an extrinsic motivator, and extrinsic motivators extinguish intrinsic motivation.

Money will never be a good enough reason to do things. Especially not the infinitesimal fractions of garbage coins that web3 will pay.


I don't know. Brave promised me money, and I still haven't gotten anything of significant value from that.


Really? BAT was pretty profitable. Showing me a few ads as desktop notifications paid for a lot of my transaction costs in the early days. I just looked, BAT is up 754% over all time.


Twice, on different devices, I tried Brave as my default browser for a month with ads turned on, and both times after a month of clicking on ads, the browser still said I had 0.0 BAT.


Sigh, not sure why my first comment was downvoted.

No idea as to why you didn't get any payments, but I do know that you don't have to click on the ads.

https://support.brave.com/hc/en-us/articles/360026361072-Bra...

"Users are rewarded for viewing ad notifications as they appear in Brave. Users are not rewarded for clicking on ads."


I have about $100 in BAT from the initial Brave giveaway, even though I almost never use Brave aside from testing.


Despite these advantages, MySpace failed. I don't see how facebook, with so many disadvantages compared to MySpace, could possibly succeed.

fwiw I agree, but first to market is often first to fail.


I don't know about that. I feel like oAuth and other forms of authentication are overly complex to implement. If they build a super simple implementation API then I could see it taking off.


I had a go at writing oAuth from scratch, to understand it. I made a working solution.

But I don't use oAuth; while I was writing the code, I understood it, but I don't any more. An auth system needs to be understandable and transparent to a normal user, and oAuth is not such a system. Like, I couldn't explain it to my non-tech relatives, even if I swotted up on it first.

Explaining blockchain-based auth to a non-tech user is a problem of a much greater magnitude.


Cryptocurrency ecosystems have the advantage of economic incentivization and if they're decentralised, uncensorability.

Those are two major advantages.


> uncensorability

I suspect that this will be a major issue in the long-run. Once these sort of crypto-based logins become synonymous with CP and terrorism, they're going to be shunned by the average person on the street.

Yes yes yes, people use email and whatsapp for the same, but at least there is the option for Google and Facebook to censor or block/ban those users (and it feels like there is increasing legal/legislational tension to try and compel the tech giants to actually do something in this area). You cannot say the same about an indelible blockchain.


if I run an online service, and you login with web3, if you're an asshole, I can still ban your "indelible" account


Web3 services will be run by assholes for assholes so they won't need to ban anyone.


Sure they will: The people who call out the BS.


Yep - so there all these claims about no censorship or gatekeeping etc are clearly bullshit.


That's not true if it's a smart contract. People are still using the uniswap v2 smart-contract even though the uniswap website has completely moved on to v3.


In that case you're running a traditional centralised web2 service. If your service runs as a set of smart contracts, anyone willing to pay the fees can always use it. Forever.


So anyone willing to pay enough money can use my forum/etc, no matter what I think? Sounds great, sign me right up!


Yeah the economic incentive is the problem also. People just get into it for the money, not because they believe in it. This is the whole issue with crypto currency and web 3.0 too.

It's a bit sad because it never started out as something intended for "make money fast" kind of investors. Bitcoin started as a way to free users from the centralised banks and regulation.


Freeing users from regulated banks and taxes is a way to make money fast. It's never been the goal of bitcoin to provide any utility to businesses (insured loans, public offering, leverage financing, future contracts, merger consulting, asset management, wealth optimization).

And if they can't do what banks already provide, what sort of "freedom" do they offer? The ability not to have a retail account, the low hanging fruit of banking?

This BS kneejerk 2008 crisis reaction Satoshi pretends to have had at the time, made him both one of the richest financial forces in the world and the biggest financial risk (if he sells for some random reason just one btc from a genesis wallet of 1M BTC, what do you think will happen?). He became Madoff...


"Ecosystem" in tech usually means vertical integration, which is not what it means in nature.

Anybody looking to build a tech ecosystem is looking to build vendor lock-in. There is no advantage to planning for decentralization, and no laws to force companies to adopt a decentralized approach.


federated systems are bad, they combine the negatives of centralized and decentralized systems it is no wonder that they fail repeatedly


Perhaps, but I think in this case what killed Persona was lack of adoption and interest from the public, nothing inherent to the actual technology


Yea, but that's kind of my point. Actually decentralized software is just out there and you can use it if you find a use case for yourself, there is no one that would shut it down if it isn't popular enough.


They fail because they are in the best interest of users, not corporations.


> Persona had many advantages over the Web3

it has none now ;)


One possible advantage web3 has over Persona is that it is not under the control of Mozilla or whatever foundation Mozilla set up to address those very predictable concerns. Being distributed might help it gain early adopter mindshare which could lead to future UX improvements. (Not saying I believe this will definitely happen, just that Persona failing isn't a guarantee of failure here.)


If it only were Persona the thing that failed... But I've seen quite a lot of attempts at federated identity and turns out people don't care too much about that. People just want to login to whatever site to do things. Login with Twitter/FB/whatever is offered to reduce login friction, not because people think of them as identity providers. Offering "another identity provider" is solving the part of the problem most users really don't care for.


Persona wasn't under the control of Mozilla, either. You could still use it today, if you were willing to set up your own identity server, and if you could find any websites that supported it.


That’s a lot of words to say “this will have better marketing thanks to crypto hype.”

Seems to be the selling point of most web3 and blockchain solutions once you brush the buzzwords off the copy.


The best product doesn't win, the 'sexiest' ones do because they can drum up the press coverage and mainstream recognition necessary to become a household name.

WeWork might not have been a 'tech' company, but it behaved like one after juicing on all that Softbank money. Turns out they had nothing Regus or other 'boring' companies couldn't provide. But they bought a lot of prestige properties and advertised constantly, so they became the household name for co-working.


This doesn't explain why Persona didn't work. Unless we understand why it didn't work and show how web3 alleviates the problem, how is anyone to believe a web3 login system will work? You could also ask what has changed since Persona tried and failed? In other words, why now?


Web3 login has been working for awhile. I've used uniswap for example and it's a fantastic experience.


What percentage of all web logins are using web3 vs web2? When we say "work" here, we mean taking market share.



