Read this first
The most interesting things about Web3 are coming from beyond the blockchain ideas that are taking up most of our attention. At my day job, for example, we’re looking hard at protocols around education and credentials. Part of that problem will require us to think about how credentials and identity work in a decentralized world.
Of course, Web3 applications require authorization/authentication solutions today. Go to almost any Web3 app, from Steve Aoki’s Aokiverse to a marketplace like OpenSea or MagicEden, and you’ll almost certainly see a “connect wallet” button. I’ll link to some overviews below, but long story short, these sites treat cryptocurrency wallets as your login & password. Unlike traditional solutions, the website stores no secret: no password, no seed for 2FA… nothing. The private keys are in your wallet, and your browser and your wallet extension determine whether you’re logged in or not. I’m oversimplifying but you get the point.
This is coming forward at a time when the major OS & browser companies are pushing to get rid of passwords using FIDO U2F hardware tokens. That’s great - you have a hardware token you plug in or pair with your device. It’s really simple, and I strongly encourage you to pick up a Yubikey if you want to play with this. Limited Mac OS and iOS support, but hopefully Apple’s announcement will change that.
If you squint, what I’ve described is a lot like having a Web3 wallet, except the wallets have a better UX. Basically, users prove they have control over the private keys for a specific account. Connecting the wallet to the site serves as registration, and the wallets have secure methods for doing that.
- Uses browser extensions to store or mediate access (for hardware wallets) to private keys.
- Allows recovery of private keys using secret key phrases (useful if your hardware wallet gets damaged or lost).
- Lots of choices: multiple browser extensions and hardware wallet vendors.
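To make the “no secret stored” login concrete, here is an added example (not code from any wallet or site mentioned here): a challenge-response login in Node.js where the site keeps only pending nonces. Ed25519 stands in for the secp256k1 signatures Ethereum wallets use, the account ID is simply the public key, and the origin, message format and function names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const ORIGIN = 'https://app.example';   // constructed site origin (assumption)
const TTL_MS = 60_000;                  // challenge lifetime (assumption)
const pending = new Map();              // nonce -> { account, expires }; no user secret stored

// The exact text the wallet shows the user and signs.
const loginMessage = (origin, account, nonce) =>
  `${origin} wants you to sign in as ${account}\nNonce: ${nonce}`;

// Wallet side: the private key never leaves this closure.
function createWallet() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const account = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const sign = (message) =>
    nodeCrypto.sign(null, Buffer.from(message), privateKey).toString('base64');
  return { account, sign };
}

// Site, step 1: issue a random single-use challenge for the claimed account.
function issueChallenge(account, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(nonce, { account, expires: now + TTL_MS });
  return { nonce, message: loginMessage(ORIGIN, account, nonce) };
}

// Site, step 2: rebuild the message from its own state and check the signature.
function verifyLogin(account, nonce, signature, now = Date.now()) {
  const entry = pending.get(nonce);
  pending.delete(nonce);                // single use, whether the check passes or fails
  if (!entry || entry.account !== account || now > entry.expires) return false;
  try {
    const key = nodeCrypto.createPublicKey({
      key: Buffer.from(account, 'base64'), format: 'der', type: 'spki' });
    return nodeCrypto.verify(null, Buffer.from(loginMessage(ORIGIN, account, nonce)),
      key, Buffer.from(signature, 'base64'));
  } catch {
    return false;                       // malformed account key or signature
  }
}
```

Because the site rebuilds the message from its own origin and stored nonce, a signature the user was talked into producing for a different origin, or one captured from an earlier login, does not verify.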
I recently invested in a hardware wallet, a Ledger Nano X, and it has support for FIDO U2F. I would love to use it to log into everything even beyond crypto sites. The question is whether the crypto experience will take over or whether U2F adoption will make it more common for folks to have hardware wallets.
Related Links
- A Guide to Common Types of Two-Factor Authentication on the Web: EFF overview of two-factor authentication options - their section on FIDO U2F is very good. This is from 2017, btw - this standard is not new.
- The Best Security Key for Multi-Factor Authentication: An overview of U2F hardware keys from the Wirecutter. They do a good job explaining the basics in the “who is this for” section of the article.
- Soulbound: Creator of Ethereum on making NFTs that are bound to a single person, not just a wallet, and not transferable by simply buying them off of someone.
- “Tough to forge” digital driver’s license is… easy to forge: A good reminder that bringing identity and credentials into software can be tricky.
Reads
- Tweet by Benedict Evans: How hard is it to buy an ad on Instagram? He found out it’s not as easy as it should be.
Code & Tools
- Gitbook: New to me, but it’s been around a while. Lots of Web3 projects rely on this to publish their whitepapers and other documentation.
- Notion: Another Web3 favorite that I’m now using a lot.
- Linear: Our team is looking hard at Linear for our issue tracking. Some nice functionality in there, including an integrated roadmapping feature. In my previous job, I brought in an entire new tool just for better roadmaps. This seems like a good compromise.