Why is universal login not the best policy for Web 3.0?

Original title: Why may “Universal Login” not work?

Since people began to explore non-financial use cases of blockchain, the concept of identity in Web 3.0 has been the focus of discussion.

Identity is generally applied to the web in the form of “Universal Login”, that is, one identity used to access all websites. This article analyzes why universal login is not the best policy for Web 3.0. Hint: the problem with universal login lies neither in “universal” nor in passwords, but in “login”.

UniLogin, one of the main supporters of Universal Login, has ceased operations. Behind the shutdown are soaring gas prices, the “aristocratization” of DeFi, and constant changes in browser privacy that reduce the effectiveness of the browser’s local storage. For details, please read their blog post.

Before COVID-19 became a global crisis, Bokky held a “bring your beer” blockchain seminar in Sydney to explore the cryptographic principles behind the blockchain. One scene stays with me: when the speaker said that any cryptographic signature can be used for two-party authentication, such as logging in to a website, the other participants looked surprised.

“In other words, we can use the Ethereum address to log in to the website without having to enter a password?” a participant asked.

“Yes,” the speaker replied. “Or you can generate a ‘key’ based on your Ethereum key to hide your real address from the website. If all your ‘keys’ have only one source, you can achieve ‘universal login’: get a ‘master key’ that can open all doors.”

After hearing the speaker’s words, the seminar participants were all excited. I can only imagine that the same eye-opening scene has played out at similar events in other cities.

The cryptographic identity authentication boom

The speaker is right: the mechanism behind “universal login” is cryptographic authentication. Since the birth of the Internet, people have tried to implement “universal login” every ten years.
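The mechanism the speaker describes, sketched for Node.js as an added example that is not part of the original article: a wallet derives one key pair per website from a single master secret, and each site verifies a signature over a fresh challenge instead of a password. The HKDF derivation, the use of Ed25519 in place of an Ethereum (secp256k1) key, and the names siteKey, Site, shop.example and forum.example are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
// DER header that wraps a raw 32-byte seed as a PKCS#8 Ed25519 private key.
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Wallet side: one master secret, one unlinkable key pair per origin (assumed scheme).
function siteKey(masterSecret, origin) {
  const seed = Buffer.from(crypto.hkdfSync('sha256', masterSecret, Buffer.alloc(0), `login:${origin}`, 32));
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8' });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// The signed message binds the origin, so a signature cannot be relayed to another site.
const message = (origin, nonce) => Buffer.from(`${origin}\n${nonce}`);
function signChallenge(masterSecret, origin, nonce) {
  return crypto.sign(null, message(origin, nonce), siteKey(masterSecret, origin).privateKey);
}

// Website side: stores only the public key it saw at registration, never a password.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Set(); }
  register(name, publicKey) { this.users.set(name, publicKey); }
  challenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  verify(name, nonce, signature) {
    if (!this.pending.delete(nonce)) return false;   // unknown or already-used nonce
    const publicKey = this.users.get(name);
    return !!publicKey && crypto.verify(null, message(this.origin, nonce), publicKey, signature);
  }
}

function demo() {
  const master = crypto.randomBytes(32);             // constructed sample master secret
  const shop = new Site('https://shop.example');     // hypothetical sites
  const forum = new Site('https://forum.example');
  shop.register('alice', siteKey(master, shop.origin).publicKey);
  forum.register('alice', siteKey(master, forum.origin).publicKey);
  const n1 = shop.challenge();
  const sig = signChallenge(master, shop.origin, n1);
  const pub = (s) => siteKey(master, s.origin).publicKey.export({ format: 'der', type: 'spki' });
  return {
    login: shop.verify('alice', n1, sig),                      // fresh challenge, right key
    replay: shop.verify('alice', n1, sig),                     // same nonce presented again
    crossSite: forum.verify('alice', forum.challenge(), sig),  // shop signature shown to forum
    linkable: pub(shop).equals(pub(forum)),                    // do the two sites see the same key?
  };
}
```

Calling demo() shows the login succeeding once, the replayed and cross-site attempts failing, and the two sites holding different public keys for the same user.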

Today, people praise the W3C’s Web Authentication API (a specification published in 2020 on how to use cryptography to solve login problems) as a pioneer, but it is not a new idea. The W3C released the WebCrypto API, the predecessor of the Web Authentication API, as early as 2014, but it is not well known.

The HTML form element <keygen>, which is also used for public key login, existed as early as 2008, but few people know of it, and hardly any website uses it. It was not until HTML5 that this form element really came into play. By now, most browsers have disabled the element while cleaning up infrequently used features. After its moment of glory, <keygen> died silently.

Having been obsessed with cryptography since I was a child, I know that cryptographic identity authentication technology is merely going through another iteration. Seeing people so excited, I can’t help feeling surprised, and I hope this iteration will be different.

If “Universal Login” can really succeed this time, it will be a miracle. Unless...

... What happens if a new use case emerges, just as Web 2.0 use cases revived the long-dormant AJAX technology in early 2008?

New use cases for cryptographic authentication

You might be thinking, is there a new use case for network login? Before we delve into it, we should think about a question: Why must network identity authentication be related to login?

This question may seem silly. Think about it: what is the difference between identity authentication and login? Identity authentication is login; login is identity authentication. They are one and the same.

However, it is different here in Web 3.0.

Nowadays, blockchain users tend to think that Web 3.0 will become a tokenized network in the future. In this network, users hold tokens from various decentralized components (i.e. smart contracts) to prevent large companies from controlling the network.

Let’s imagine new application scenarios. Assuming that the tokenized network has been implemented, you have some tokens in your browser wallet. At this time, you visited an online game mall.

You use proof of age (a feature of identity tokens) to access restricted games. Something magical happens: the mall’s game list changes.

Then you use another token: bundled discount tokens. This is a membership token developed by AAVE, which provides discounted prices for a variety of games. Top up ◈100 DAI, and AAVE will give you 100 bundled discount tokens, which can be used to enjoy discounted prices for many games on the online game mall.

You look at the game list and decide to buy the popular Japanese game “Collection! Animal Crossing Friends Association”. You can pay with DAI, but the mall knows that you have SUSHI, so it offers you an additional reward: if you buy this game with the same amount of SUSHI, you will be given a special fishing rod game item to help you start your adventure.

After the payment is successful, you will get a game owner token. This token allows you to play purchased games on supported platforms (such as Steam and Xbox).

It’s all very simple. There is no login interface, no password is required, and no “date of birth” is required. Moreover, there are no restrictions on where to buy games. (For example, Humble Bundle requires users to purchase video games from their website. Users can also subscribe.)

But what is the login procedure?

There is none: there is no login step at all. In the traditional sense, operations such as refunds and obtaining DLC require an account, but the account can be coded into the game owner token. Of course, the game mall website will also want mechanisms to increase customer loyalty. Therefore, website owners may decide to add a login option and integrate it through tokens (for example, brand loyalty tokens).

However, login is not required. Again: login is not required. With tokens, the trust relationship is no longer limited to users and websites.

But can tokens replace cryptographic identity authentication technology, zero-knowledge proof and universal login?

When users use tokens, it is the technology behind these tokens that really plays a role, such as cryptographic identity authentication, zero-knowledge cryptography (for example, providing proof of age without revealing the age), and membership certificates (for example, those provided when using bundled discount tokens). All of the above are different forms of identification.

These tokens can be used on multiple websites that accept them, so they are “universal.”

Will the site be willing to cancel the login function?

The website does not need to do this, and the success of the token does not depend on whether the website owner is willing to cancel the login function. I just want to say that login does not have to be the focus of Web 3.0 development.

Suppose you are a member of the AAVE team that issues bundled discount tokens. You don’t need the game store to cancel the login function, as long as it accepts your tokens. When users use bundled discount tokens on these websites, the same cryptographic technology behind “universal login” or “network identity authentication” is still at work.

How do we achieve “universal login”?

The mechanism that really works is the negotiation between the website and the user using tokens. I haven’t found a more appropriate expression yet, let’s call this process “token negotiation” for the time being.

We call the corresponding TokenScript technology “Token Negotiation”. If you have not heard of this technology before, please allow me to introduce it: TokenScript is a technology that supports Web 3.0. In other words, it allows you to use the power of cryptography and blockchain to use tokens on your website. Although TokenScript is still under development, it can already be used to develop tokens for user wallets.

You can view the introduction and code/project examples on the TokenScript website.

Original link: 

https://medium.com/alphawallet/why-universal-login-isnt-working-this-might-81baa682e3cc

Author: Weiwu Zhang

 

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/why-is-universal-login-not-the-best-policy-for-web-3-0/