Web3 ID or Web3 login is being touted as a solution to many of our problems — it’s decentralized, OTP-less, and passwordless. However, before we all move to this new, happier world, there are a few questions that need to be addressed:
- How do we rotate a key and deal with a stolen private key?
- Is it truly passwordless? How do we unlock a wallet, and how do we recover a password?
- How do we make it cross-device?
I propose a better answer to these challenges — Web5 Auth, or as we call it in our Affinidi SDK, DIDAuth.
DIDAuth is an edge auth protocol that proves ownership of private keys based on DID (Decentralized Identifiers). With DID, we decouple but cryptographically bind the Controller (user), private/public key pair, and identifier. So with a DID method that supports key rotation, we could solve the first challenge. With seed migration, we could solve a cross-device experience. Recovery is a more complex story; Affinidi SDK solves it for custodial users and provides building blocks for edge developers to implement their solutions for this challenge.
Web3 login or Web3 identity is a simple concept — login with your wallet, such as Metamask. However, this approach has several issues:
- Key Rotation: If someone steals your wallet, they steal your identity. Key rotation should be a key feature, but it’s not working well with login with Metamask or other similar solutions.
- Passwordless?: Despite claims, you still need to maintain a password to access your private key. So, it’s not truly better than what we already have.
- Portability: It’s not easy to port your wallets to different locations.
- Recovery: If you forget the password, what should you do?
The main concern is the possibility to rotate keys, which is why there are a lot of problems about the Web3 login.
This article is based on the video “Web3 login web3 ID vs Web5 DIDAuth ( DID authentication)” by Volodymyr Pavlyshyn. The video was uploaded on January 29, 2023, and has been viewed 89 times as of the time of writing.
What I can offer, which has been available in our Affinidi SDK for a few years, is Web5 login. This protocol solves several issues:
- Decoupling: The Decentralized Identifier (DID) allows you to decouple several elements. This is represented as a triangle, not as popular as the self-sovereign identity triangle, but it’s the identity triangle. This triangle is the cryptographic binding between three things: the user or controller, the key pair (public and private key), and the identifier. The DID is your identifier that is cryptographically bound with the private and public key and cryptographically or otherwise bound with the controller.
- Key Rotation: We need to find DID methods that allow us to keep the identifiers stable but still connected to the private and public key and to the controller, and allow us to rotate the keys. There are several DID methods that allow this, including DID peers, DID Key, and off-chain methods. On-chain methods can be quite expensive and not all of them give you the possibility to easily rotate the signing key.
- Portability and Recovery: There are still open questions about how we do the portability between devices and how to do the recovery. For the Affinidi SDK, we have the answer for the recovery because we have the backup of the seeds and then you could use your email or phone to recover with your password. However, if you compromise your key, we need to build some extra protocol that allows us to do the operations in this case. The answer to this could be DID Key or DID Peer, and you could notify all your peers that this key is not valid anymore.
While I see a lot of potential in Web5 Auth, I also see a lot of gaps and problems in the idea of logging in with your wallet. I encourage everyone to stay connected, share what you think, and let me know if you need more technical examples.
Top comments (0)