January 25, 2022
Blockchain ‘n Chill EP2
With: Nik Kalyani & Jonathan Sheely - Senior Architect
In our second session of Blockchain ’n Chill we took a deep-dive into the nuances of Authentication and Authorisation in Web3.
Hosted by Decentology's CEO & Founder Nik Kalyani and Senior Architect Jonathan Sheely, the discussion covered the distinctions between authorisation in Web2 and Web3, why and how blockchains use private keys to secure transactions, and some of the problems that arise from how authorisation happens in wallets, dApps and on the blockchain.
In case you missed it, we’ve got you covered. Here are some of the thought-provoking insights we discussed:
Comparing Authentication in Web2 vs Web3
So what is authentication and how is it different in web3 compared to earlier web models? We can understand this by looking at how you typically access secure assets or accounts on the various web platforms.
Web1: The classic Username / Password combo that we all know and love.
Web2: Introduced social sign-in, OAuth and SSO, with verification happening via third-party identity providers such as Google, Facebook etc.
Web3: Authentication by wallet, using the user's own key pair.
Through all iterations, what we’ve learned is that Authentication is hard!
Take Web1 vs Web2 for example; if you’re using SSO and Google goes down you no longer have access versus the good old days where as long as you have your password you get access (given the site is up).
Authentication vs Authorisation: What’s the difference?
In Web2 Authentication and Authorisation are distinct processes. Authentication establishes WHO you are; Authorisation determines WHAT you have access to.
There are a ton of moving parts involved in the Web2 authentication process. Essentially you are connecting the website, the social login provider, a layer of roles (which grant levels of access) and profile data (which you don't control), and it is the site owner and the social platform who decide what happens.
So if they decide not to allow access, you don't get it.
Welcome to Web3: Decentralised Authentication
To understand the distinctions, our discussion looked at the example of the Ethereum blockchain model. With a blockchain there’s no username & password, the social providers are gone… so how do we login?
Authentication in Web3 boils down to public-key cryptography, the same family of techniques that underpins TLS. In Web3 every user holds their own private key; a public key is derived from it, and the wallet address is in turn derived from the public key.
Because only the holder of the private key can produce a valid signature for that address, there is no longer any need for a central authority to perform the authentication: every individual now controls their own authentication.
Some Terms worth defining:
Public & Private Key Cryptography: A key pair. The private key is a secret random number (usually shown as a long string of letters and digits); the public key is derived from it and can be shared freely. The private key produces signatures, and anyone holding the public key can verify them, but the public key cannot be used to recover the private key.
Wallet: A collection of Public/Private Keys. Important to note that assets (Crypto, NFTs) are always stored on the blockchain, not physically in your wallet. Your wallet, via your key, gives you access to your assets on the blockchain.
And that’s why it’s integral to keep your private key safe. No Key. No access. Ba-bye Bored Ape :(
Nik and Jonathan discussed how this actually plays out inside a real transaction.
Say I want to send you 10 ETH. My private key signs the transaction (send 10 ETH from my address to yours), producing a signature that proves the holder of the key behind the sending address authorised exactly that transfer. The authorisation, or signing, process shifts from having a password to having a private key - this is what you bring with you to every transaction.
We also had some great questions from the audience! Here are some of the thought-provoking Q&As from the show.
Q: If all the assets are on the blockchain and you lose your Private Key is there any way to access it?
Short answer, no! For all practical purposes your access is gone. The rub is that even though publicly anyone on the blockchain can see that “Wallet Address XYZ” owns, say an NFT asset, without the private key, you can no longer sign and verify that YOU are the owner, and therefore authentication and authorisation stops.
There is no “reset password” in Web3!! This is why keeping your Private Key secure is so important.
This is why when you set up a new wallet you are given a series of mnemonic words, which the wallet provider will ask you multiple times to verify that you've saved them. The mnemonic phrase is what your private key is derived from: the same words always regenerate the same key, and anyone who holds the words holds the key.
Keep your Private key private, and secure!!
How do we solve this?
Potentially, smart contracts may involve third party arbiters (trusted parties) that could act as a verification layer in case of lost private keys, to verify you are who you say you are and that you are the owner of the blockchain asset.
The best, and safest, way is to literally write down your keys on paper.
Q: If Private Keys are so valuable doesn't this make them more susceptible to malicious actors?
Everything is transparent on the blockchain (READ access is public) - I can find you on Twitter, search etherscan and know exactly what the balance in your wallet is. So it’s relatively easy to target large wallets.
Splitting identity via different wallet addresses, like having multiple email addresses in real life may solve this issue.
Q: How does Authorisation work in Web3? Could we use something like oAuth?
On Web3 the wallet's private key signs every transaction and the API simply verifies the signature. This streamlines verification because the signature travels together with the transaction as one signed packet, so the API does not have to collect a signature and a transaction separately and then match them up to confirm that you are the one approving that particular transaction.
This simplifies what the API needs to handle, making a simpler experience for developers. Everything is handled by the user signing and sending the transaction.
However, developers must also write smart contracts that check whether a transaction originates from a person's wallet (an externally owned account) or from another smart contract, because routing calls through a contract is one way malicious actors gain access to funds where developers have not implemented proper authentication checks.
What about mobile?
We couldn’t have a Web3 authentication discussion and not explore mobile, as so many of us access our wallets, buy crypto and NFTs and want to use crypto for purchases in the real world.
Here are some great insights on how mobile plays into all this.
The device itself can handle much of the authentication (Face ID etc). In the real world, devices can connect to transactions at point of sale (say buying a coffee) through WalletConnect and a simple QR code scan, using existing protocols and minimal API coding.
The device, plus the mobile wallet and private key, authenticate and authorise the transaction on the spot.
For developers, WalletConnect is an open protocol between wallets and dApps that lets developers build one-to-many connections between the available dApps and wallets, without having to code specifically for each wallet.
Essentially, it opens an on-the-fly communication channel between the two systems, which is an evolving art and can be problematic.
Many wallets that started as Chrome extensions now have phone versions, to enable transactions on mobile without having to run back to a desktop.
This was a jam-packed episode with too many amazing takeaways to mention in full here.
Get the full scope on the recording where the guys also covered:
We loved bringing you this Blockchain ’n Chill session and look forward to catching you on the next one!
To continue this conversation join us on the Decentology Discord.