The Wallet-based login revolution

20 years of broken login flows

For years, our interactions with sites remained unchanged. We visit a site, click to sign up, enter a username, email, and password. and then follow a site-specific onboarding process, which asks us for details to customize our experience.

‍

Some sites ask the user to provide home address, credit card information, and other (random) details they see fit in order to "enrich" the account and experience. Moreover, some sites will ask users to prove their identity via KYC process, or even upload specific documents. In short, it is a tedious, privacy-invasive, annoying, redundant, and at times broken process.

‍

These aren’t new customer challenges, and they did not go unnoticed by tech companies. Companies have tried to solve these issues by innovating on parts of the interaction. Whether it's by offering a way to sign up via social login (sign in with Google, Facebook, etc.), building robust password managers such as 1password, or pre-filling our information via data saved in the browser. In short, a set of optimizations of an existing underlying broken flow.

‍

For the first time, crypto wallets offer true innovation on the underlying ways in which we interact with sites and apps. With a single connection to a wallet, all our relevant information can show up, the site can adapt to us, and we can do all of the above in a privacy-preserving manner. 

‍

These are not optimizations on top of the existing system, trying to reduce complexity on parts of the problem, but are rather a complete re-thinking of how identity can be shared, interacted-with, and controlled, and how sites can create magical experiences for customers. This article explores some of the exciting experiences that wallet-based authentication can bring to end consumers, and why we’ll all end up using it in a few years.

‍

A quick side note - are wallets ready?

Before we start, one has to address the elephant in the room. Much of the criticism of self-custodial crypto wallets today is rooted in either criticism of the login method, fear of wallets being drained, or recovery methods. Critics claim that wallets that risk full lockdown with a lost key or ones that allow a hacker to run them dry are not a practical authentication system. That is true. It is also an argument that misses the point, focusing on short-term flaws of a fast-moving technology that are quickly being addressed and innovated on (a frame of reference, in my mind, is email spam 10-20 years ago).

‍

As you read through the article below, please hold criticism on the current state (and crypto prices), and imagine wallets not as independent apps that require seed phrases and hard-to-understand recovery methods, but rather as technology that can exist in our current apps (Coinbase, Robinhood, Instagram, Twitter, and others), which relies on well-known mechanisms such as face ID and passcodes.

‍

A better method using public-key-based cryptography

The core innovation of wallets as authentication methods lies in their use of public-key cryptography. That is, a wallet is inherently a store of a private key that never leaves our device and an associated public key that can be shared widely.

‍

When someone wants to authenticate to a site, they “sign” a message, confirming that they have access to their private key, and proving that they are the owners of the wallet. This method isn’t unique to crypto - companies such as Google and Apple are using similar technologies with WebAuthn and Passkey - and it makes for a significantly better customer experience. Customers no longer have to remember passwords, there is no concept of password phishing, and developers no longer have to deal with “forgot password” support cases. It is a fundamentally better way to authenticate.

‍

A step beyond authentication

With other public-key cryptography options being introduced, one may ask what’s special about crypto wallet-based authentication. In short, wallet-based authentication goes beyond just authentication. A wallet is a payment device, storage device, and signing device that can be used to unlock information stored elsewhere.

‍

With wallets, we can store our information “off site” (technically, using decentralized identifiers and verifiable credentials), hold membership NFTs, store money and do much more. We can use our private key to “unlock” access to more sites and storage devices, consolidate information, and share a subset of it with websites we interact with. Below I outline some of the magical use cases that wallet-based authentication allows.

‍

It’s all about the magical use-cases

‍

True cross-web one-click checkout

One of Amazon’s more important innovations is the one-click checkout. It works because Amazon stores our information - credit card, address, and details - in their centralized systems. Other companies have attempted (with varying degrees of success), to do this outside the walls of Amazon. Shopify Pay on Shopify sites, and startups such as Bolt across other platforms. They are all ways to help us “carry” our information across sites, using email/phone and a verification code to do so.

‍

Wallet-based authentication lets us take advantage of the wallet as a storage and payment device to truly carry our information with us. By storing our physical address as an encrypted DID and VC, only allowing access to it as a part of an authentication flow, we essentially combine authentication and purchase in a single click. That means that the site doesn’t need to do much to support one-click checkout, and the information is carried by the user. Furthermore, complexity of infrastructure is shifted from the developers of the website to the developer of the wallet. Developers don’t have to think about how information is stored, accessed etc, they just need to interact with the wallet itself. For the first time, you get a real cross-web one-click checkout.

‍

Cross-sites interaction

A fundamental truth today is that sites rarely interact with each other. With information being siloed at each site, it makes no sense that you can bring things with you from one site to another. Wallets, and storage associated with wallets, break this conception.

‍

Imagine a scenario where we can collect points in one game, go to a second one, and use those to continue the interaction. A place where Nike can run special offers on tennis shoes to individuals who received a membership token from their golf association site without needing to sign ad-hoc deals with each association, or United 1k holders can access benefits simply by having a United 1k membership card in their wallet. In this world, sites can check a user’s wallet for relevant assets, and change their interaction with that user based on the relevant assets they carry. It opens sites up to new types of interactions that had a higher burden of implementation until today.

‍

Membership-only sites and gated commerce

One functionality that exists in the b2b world today is the concept of permissions. With services such as Okta, you can easily set cross-service permissions, allowing simple control of which employees can access which sites. That does not extend to consumer sites today. Permissions are not easily configurable and are definitely not transferable across sites.

‍

With wallets, companies can set permission and access based on credentials stored outside their realm. This further expands into a fascinating concept called gated commerce, where ecommerce companies can introduce new interactions for customers based on membership tokens they own or the specific balances in their wallets. New mech drops can be customized to the assets you have, you can get physical copies of your digital goods and much more. It creates new consumer branding interactions that could not exist today.

‍

New technologies enable unexpected offerings

The above isn’t a comprehensive list, nor could one exist. New technologies enable use cases that are hard to see, and if wallet-based technology does indeed become widespread, this author would hope that this article is re-read in a few years time, with criticism for the lack of imagination exhibited by yours truly. New technologies enable unexpected offerings, and “deep” authentication allowed by wallets will too be used in unexpected ways.

‍

Are webAuthn and Passkey competitors?

Above, we briefly alluded to the existence of other public-key cryptography- based authentication technologies that are getting traction. Mainly WebAuthn and Apple’s Passkey (which is based on WebAuthn). Are these then competitors to wallet-based authentication? Well, only partially. Considering their focus on biometric authentication, they will likely be leveraged by wallets as the source to authenticate, a “master” step before interacting with sites.

‍

On the sites themselves though, wallet-based authentication brings the additional benefits mentioned above - enriched data associated with our public key, the ability to gate access by what’s in our wallet, a 1-click payment method, and much more.

‍

What comes next

Wallet-based authentication is in its infancy. It is used today mostly by web3 companies and by web2 companies looking to introduce web3 components into their systems (e.g. Instagram, Twitter, etc). That said, customers that have experienced wallet-based authentication describe a “one-way door”. That is, once you see how powerful wallet-based auth can become, you can’t unsee it. Using it, despite its many flaws, is an indication of its power, not its weaknesses.

‍

Over the next few years, we’ll start seeing two trends - one, more apps integrating wallet technology into their apps, and two, more sites integrating wallet-based authentication into their auth flows.

‍

We’re in early days, but are on the cusp of an authentication revolution.

‍