Table of contents
Web3 authentication, also called wallet-based authentication, is staking its claim as a candidate for the future of how we authenticate with websites and apps. In essence, it lets you click a "log in with wallet" button, triggering a dialog that enables you to approve the login in your digital wallet. Because it uses a private/public key scheme, it is considered more secure than traditional password-based methods and is less susceptible to phishing attacks.
But the real magic of wallet-based auth is that it can be used for more than just authentication. With wallets, you get a login device, as well as a payment and storage device on the blockchain. Wallet-based auth creates a potential for "deep" authentication and new applications across websites.
In this blog post, we will examine the exciting benefits and potential of wallet-based authentication, and how it could become a widespread method of authentication in the near future.
How does it work?
As described above, wallet-based authentication feels a bit like logging in with your Google or Facebook account. Its flow starts when you, the end user, clicks to log in with your wallet. Once you do (and depending on whether you're on desktop or mobile), a popup will appear in your digital wallet asking you to "sign a message". That message validates that you are the owner of your wallet, confirming to the website you are who you say you are.
Wait, then isn’t it the same as logging in with Google?
While similar to social login on its surface, wallet-based authentication has some key differences. At a more technical level, wallet-based authentication involves the use of a digital wallet, such as MetaMask, that runs as a browser extension or mobile app. The wallet holds a user's private key, a unique string of characters that can be used to sign digital transactions, such as sending a cryptocurrency or interacting with a smart contract on the blockchain.
Users who want to authenticate on a website or application that supports wallet-based authentication can simply connect their wallet to the website or application by signing a message. This proves their identity and allows them to access their account or perform certain actions.
Social authentication, on the other hand, typically involves the use of OAuth. When users want to log in to a website or application using their social account, they are redirected to the social identity provider (such as Facebook or Google) and asked to grant permission for the website or application to access their account information. The social identity provider then sends an access token back to the website or application, which can be used to authenticate the user and access their account information.
Sidebar: Connecting vs authenticating
One interesting feature that wallet-based authentication provides is the ability to connect to a website without authenticating. In this flow, a user provides the website with a public address associated with their wallet, without signing a transaction to prove they own the wallet.
While not actually a “login” flow, it allows for lighter interactions, letting websites ease a customer in instead of asking for a signup hurdle to start. You can read more about this functionality in our previous blog post.
Why use wallet-based authentication?
The exciting part of wallet-based auth is its myriad of massive benefits to both users and websites. As mentioned above, one of the main benefits of wallet-based authentication is that it eliminates the need for users to remember passwords or other sensitive information. This not only makes the login process more convenient but also reduces the risk of security breaches caused by hackers stealing passwords or phishing scams.
Wallet-based auth’s benefits expand far beyond authentication. Another advantage is that using your wallet allows for greater control over personal data. A wallet can serve as a key to "off-chain" storage of data which can only be pulled using the user's private key signature, giving the user full control over which data is shared with a website or application. This can be accomplished by something called decentralized identifiers (DIDs) and verifiable credentials (VCs), which you can read more about in this article.
Perhaps the most powerful advantage of wallet-based login is its ability to go far beyond authentication. That is, it can serve as a deep authentication method. We cover this topic in detail in this article, but in short, it means that your wallet is not only a login device but also a payment and storage device, letting you leverage it for things like cross-site one-click checkout.
There are some challenges to solve
Using wallet-based authentication (web3 authentication) can be a great way to protect data and provide users with a secure experience. It can be especially beneficial for applications that require transactions, like decentralized finance, eCommerce, and exchanges. However, it's not all sunshine and rainbows.
One of the biggest challenges with wallet-based authentication is its current user experience. The process of connecting a digital wallet and signing transactions can be confusing for non-technical users and requires a certain level of knowledge and understanding of blockchain technology. Customers are presented with a "sign" message that can be difficult to understand in many wallets.
Another challenge is the risk of signing unknown transactions. Since a user at times is directly interacting with a smart contract, they need to be aware of the transaction they are signing and it's impact. This could be a concern for users unfamiliar with the smart contract and its implications.
Additionally, wallet-based authentication is still a relatively new technology, and there are not yet many widely adopted standards for implementation. This means that the process of connecting a digital wallet and signing transactions can vary between different platforms, making it difficult for users to know what to expect.
While these are all addressable problems, they require coordination between sites, wallets, authentication providers, and others to fully address, and can take a while to evolve.
A promise for a future with wallets in our pockets
Web3 authentication brings the convenience of secure authentication and greater control over personal data. With more sites adopting this form of authentication, users can look forward to a user experience that is both simple and secure. However, there are still some challenges to overcome for wallet-based authentication to reach its full potential. But with the right partnerships and standards in place, we're sure to see great strides taken toward achieving this future promise!
For those who want to take advantage of all the benefits wallet-based authentication offers but are not sure where to start, it's important to understand how web3 wallets such as MetaMask work and what security measures they use. Being familiar with SIWE message format is also essential for securely signing transactions (at least for now, until this is abstracted away from end users). Finally, users should always be aware of the risks associated with signing unknown transactions and messages.
By doing their due diligence, users can look forward to a future where wallets are as commonplace as usernames and passwords, offering secure access to all kinds of services – from online shopping to cryptocurrency exchanges. It's an exciting prospect that we can all look forward to!
This is the future we all want: a world with wallets in our pockets carrying our digital identities for secure authentication—wherever and whenever you need it. By adopting wallet-based authentication, websites and applications will provide users with greater control over their data and how it is shared with the website or application.
Wallet-based authentication is a revolution in waiting, with almost limitless potential to change how we interact with sites and apps, pay for services, and store information.
If you're a developer who wants to offer wallet-based auth to your users, sign up to Dynamic - we'll help you implement wallet-based authentication in minutes.