History of OAuth (Open Authorization) and Web3-based Authentication
OAuth (pronounced ‘oh-auth’) is one of the most critical, but also hidden, layers of the internet, and Web3 wallet-based OAuth could be the next logical OAuth technology for this secular trend.
Authentication, and OAuth (pronounced ‘oh-auth’) in particular, is one of the most critical but also hidden layers of the internet; more precisely, it is structurally important to how everyday users and consumers like you and I interact with web and mobile services. When was the last time you created an account or logged in to a browser-based or mobile application with your Facebook, Gmail or Twitter account?
It’s worth noting that OAuth is not the web and mobile application login flow mentioned above (the login flow is a byproduct of it), nor is it an API. Rather, it’s a standard that web and mobile applications can use to provide third-party client applications with “secure delegated access” to a user’s resources held at providers such as Facebook, Twitter or Gmail. OAuth works over HTTPS and authorizes devices, APIs, databases and applications with access tokens rather than credentials.
Now, with the advent of Web3 wallets (Phantom, MetaMask, Trust, CB Wallet and the like) comes, in tandem, the self-sovereign nature of investments, ownership and user credential data, which philosophically gives users more flexibility to control who they share with, what they share and how much they share with third parties and other web and mobile applications. I don’t believe this would be a one-model-fits-all concept, as some things might require one or a small handful of parties for accountability and insurance reasons, which we will explore further below. Before we dive into this, it’s prudent to review the history and technology behind the Web1 and Web2 authentication layers.
Web1 Authentication - Simple Login
With the advent of Web1 in the 1990s, end users accessed internet services by first entering the web application. This interaction is a simple login: the user enters their username and password, and the web server checks these credentials against a database managed directly by the company, essentially a linear, bidirectional confirmation of data. If the username and password match, the web application is given a session ID associated with that user’s account, which allows the user into the interface.
Web1 Login Workflow:
User enters credentials in the web application —> presses enter/login —> entered credentials are reconciled against the stored credentials in the database —> confirmation is pushed back to the web application —> user can enter the web application
The Web1 authentication layer worked tremendously well for users back then, as it allowed both new and existing users to participate in the Web1 ecosystem and economy beyond the four walls of their room. A user could open a web application in their browser and log in to a wide range of services from a single screen on their desktop. The only macro downside is that users had to create as many unique login credentials as there were unique Web1 services they participated in.
Web2 Authentication - Delegated Authorization (DA)
With the advent of Web2 B2C products and the early exponential growth of the mobile ecosystem with BlackBerry, iOS and Android apps in the early to late 2000s, the concept of delegated authorization (DA) became popular.
These products, paired with strong network effects (i.e. Facebook, Twitter, Myspace and the like), expedited the adoption of DA across the rest of the Web2 spectrum, as it allowed other new and existing products to leverage, extract and cross-pollinate value across different Web2 products and ecosystems.
For example, Zynga was one of the early entrants in DA: it let users log in to FarmVille and its other games with a ‘Login with your Facebook account’ option, which allowed Zynga to share or post your game progress with your Facebook friends and to invite your Facebook friends (and subsequently their friend networks) into the Zynga game ecosystem; conversely, it allowed the Facebook network to grow with more touchpoints and interactions.
This authorization, i.e. permission to access the user’s contacts and Facebook account, still belongs only to the user, and the user may decide to delegate access to a specific resource (such as the profile picture, the friend contact list, or posting to their private/public social page) to the third-party application.
Below is a workflow of the OAuth infrastructure layer. It’s worth re-emphasizing the importance of this OAuth framework, as it:
Allows users to have total control over which credentials and information they want to share with the third party
Operates on access tokens rather than credentials for the authorization between the browser and the Web API, which in theory and in practice improves the security management of this user data
Allows both existing and new users to participate in the Web2 economy in a much more scalable manner (instead of creating and managing 15 different credentials for 15 different applications, users can now manage far fewer credentials)
Is a win both for the dominant Web2 companies (Twitter, Facebook, Myspace and the like) with strong network effects, since it further increases engagement and stickiness on their core platforms, and for up-and-coming Web2 companies (Yelp, Groupon and others who use OAuth login infrastructure), which get an early head start on finding product-market fit. Ultimately, the quality of the product and a maniacal passion for providing service and value to customers will win in the long term.

OAuth is a delegated authorization framework for REST APIs. It enables apps to obtain limited, scoped access to a user’s data without giving away the user’s password.
Web2 OAuth Workflow:
Web/mobile application requests authorization from the user —> user authorizes the application —> proof of authorization is delivered back to the application —> application presents the proof of authorization to the server to get a token —> the token is restricted to only what the user allowed/authorized for that specific application (e.g. the user may want to share their contact list with the third party but not their profile picture)
More in-depth knowledge here: The OAuth 2.0 Authorization Framework (RFC 6749)
However, one of the major downsides of this Web2 OAuth infrastructure is that it builds a substantial, or near 100%, dependency on these existing network-effect-heavy Web2 applications, which are often themselves reliant on a closed ecosystem of network effects. For example, if 80% of users are accustomed to logging in to your application via Twitter or Facebook OAuth, your main access point is indirectly controlled by another third party.
This presents substantial risk for your company at the access-point layer and, equally important, increases your dependency on these Web2 third parties to maintain and continue their own networks. After all, your product uses their OAuth because of the depth of the Web2 application network, the ease of the UI for your own users, and the security and compliance of token-based user credential management. These third parties can also shut down your OAuth infrastructure layer overnight for any number of reasons.
As Chris Dixon, an a16z Web3 fund partner, best describes it, the consolidated power over data portability in Web2 comes with an extremely high switching cost.

It’s worth noting that it is probably not in the best interests of the Web2 application networks to do the above, as it presents bad optics and has legal and network-effect implications of their own (imagine Facebook discontinuing ‘Login with Facebook’ for OfferUp just because Facebook is actively investing in building up its Marketplace and Commerce vertical from 2021/2022 onward; it would present horrible optics to partners in other verticals as well).
Web3 Authentication - Web3 Wallet OAuth, One-Login, Multi-Sig
The range of Web3 B2B and B2C products will continue to grow in the coming years: DeFi, DEXs (i.e. Uniswap), cross-chain DEX liquidity pools (i.e. 1inch), CEXs (i.e. Coinbase, Kraken), NFTs (i.e. Rarible), tokenized real physical assets (i.e. LEX), cross-chain interoperability protocols (i.e. Chainlink CCIP), art and music NFTs with fractionalization and lending capabilities (i.e. NFTfi and Arcade), NFT tech for real estate title and IP asset ownership management, stablecoins (i.e. USDC, USDF), central bank digital currencies (CBDCs) and wallet tech (i.e. Phantom, Trust, CB Wallet). As more Web3 tech is introduced in the coming years, a fluid Web3 OAuth experience will help bridge current Web2 investors, owners, asset holders and connoisseurs into the Web3 ecosystem.
I believe cross-chain interoperability infrastructure will become more systematically important in the years to come, as we will highly probably continue to live in a multi-chain world, in contrast to what we see in Web2, where early, massive investments in closed networks allowed these players to dominate monopolistically and duopolistically, such as Uber/Lyft, Google, Gmail, YouTube, Facebook/Twitter, Expedia/Priceline and more.
If you are building or investing in this space, I’d definitely love to learn more!
The number of crypto wallets and the adoption curve are a handful of leading indicators that we are still relatively early in this space, and those companies who can build, or are building, a smooth Web3 OAuth experience will help add exponents to this adoption curve.
Most Web3 wallets today (2021-2022) are browser-plugin based and are mainly used for financial interaction between users and the core protocols, whether to spend tokens in a game, stake tokens in a liquidity pool for investment, manage an NFT portfolio or simply hold hot-wallet tokens on hand (i.e. MetaMask is mainly designed to access the Ethereum protocol, Phantom is mainly designed to access the Solana protocol, and CB Wallet is relatively more chain-/protocol-agnostic than some).
Many Web2 companies have successfully scaled with a browser-extension-heavy UI and experience, such as Honey (acquired by PayPal for $4.0B) and Loom (one of my favorites; I have been following along for several years now, and 200k businesses use it, including myself, at a $1.5B valuation), and Web3 wallets are no exception.
In fact, Phantom Wallet (Solana protocol) and MetaMask (Ethereum protocol) are currently browser-extension only and have scaled considerably well, with 1.8 million users in under 12 months and 21 million active users, respectively. Mobile experiences should be coming in 2022-2023 on their product roadmaps.
I believe the application of the Web3 wallets of the future goes beyond these interactions: companies can write user data on-chain, such as KYC/AML/accreditation/investor profile and other data-based indicators collected via browser cookies, with, of course, the added cryptographic and multi-sig technologies to protect the user’s data.
As Qiao from AllianceDAO best describes it:

“‘The login with crypto wallet’ concept will become popular with NFTs but then it will be applied in so many different ways. It seems like a small thing to focus on how users access these platforms and where their information/asset/history is stored but it has dramatic implications”
Imagine a world where you can not only make investments in stablecoins or other mid- or early-stage protocols (similar to angel investing in early-stage startups and protocols, in compliance with the SEC regulatory framework on accreditation, with KYC/AML security checks and recordkeeping on-chain, and with the wallet holder as the ultimate decision maker on what and how much personal info they want to share with third parties) but also hold NFTs, property records and tokenized physical and digital asset ownership, and stake and/or borrow against your holdings to extend liquidity and further your participation and involvement in this space, all done via your OAuth, one-login, multi-sig Web3 wallet.
As is the case for any investment thesis, or rather any decision-making process, one should think about the upside and downside (side note: probabilistic thinking and statistics, rather than calculus, should be taught in US public education systems) of this OAuth, one-login, multi-sig Web3 wallet concept.
‘Single point of failure’ and ‘counterparty risk’ as useful identity management frameworks
‘Single point of failure’ and ‘counterparty risk’ are two identity management frameworks that are critical to this one-Web3-wallet-login-to-all concept. On the counterparty risk and liability front, there is no single party (or handful of known parties) that is liable in the case of intentional or unintentional misuse or a technical hack. This is one of the downsides of self-sovereignty in the context of Web3 wallet user identity, credential and investment management.
One can also make the rational argument that, because of the value-add of the Web3 OAuth concept, the liability for counterparty risk should be shouldered fully or partially by the third-party applications themselves (value-add meaning, under active authorization from the user to the third-party application, things such as shortening the time it takes for investors to deploy capital into an investment, versus now having to go through a large handful of intermediaries before the investor can deploy capital into crypto, a protocol, and/or an early- or late-stage startup equity or debt play).
To illustrate further, an example is warranted. If a Web3 wallet user logs in to applications x, y and z via Phantom or MetaMask, and the user authorizes sharing their on-chain KYC/KYB/AML data with third-party angel investment platforms such as Party Round, AngelList and the like, then the user can deploy their USDC/USDF/stablecoins and other crypto assets into a startup equity and/or debt round almost instantaneously.
The duration and distance between the investment and the capital source is much shorter than the status quo, which requires the investor to wire transfer/ACH from their bank to the company’s bank account and, including all the processes in between, can usually take 7-14+ days. In this case, both the company and the user benefit from the Web3 wallet OAuth infrastructure through less friction and the ability to quickly put capital to work, so both the company and the user are required to share the counterparty risk in case the funds are lost or any other adverse event occurs. In the status quo process, the investor would talk directly to the Web3 banks in the case of funds lost in transit. But it also doesn’t sound reciprocal and impartial if the company has to take part of the counterparty risk.


The other way to approach this ‘single point of failure’ concept would be to substantially enhance the data and credential security layer of the Web3 wallet. One can add public and private key cryptographic protocols, multi-sig, Intel SGX and other credential security measures to minimize the ‘single point of failure’.
The downside is that it adds a tremendous amount of friction to the Web3 wallet OAuth login process, which raises a thoughtful and prudent question:
Does the utility users and companies get from using an OAuth, one-login Web3 wallet to do multiple things (investment, NFT/crypto/tokenized asset portfolio management, lending and borrowing, and more) OUTWEIGH the different layers of security protocols needed to minimize Web3 wallet user credential management risks and better address the ‘single point of failure’ and ‘counterparty risk’?
Web3Auth has an interesting approach to this question, which builds on top of existing Web2 OAuth infrastructure combined with Web3 wallet-based login. This is a solid start to onboarding Web3 assets and access points onto Web2 rails with existing infrastructure, but there are still unanswered questions as to what, and how much, of the user’s information can be authorized (shared) with a third party. Can a user authorize third-party access to the user’s stablecoin holdings, crypto holdings, tokenized asset holdings, on-chain KYC/KYB/AML/accreditation and more?
I am pretty excited that a handful of companies are targeting Web3 OAuth today, including Web3Auth/Torus and others. I am sure we will see more guidance and frameworks on the types of Web3 wallet data that can be shared with third parties without compromising on the challenges of user credential management and data security.


OAuth Web3 Wallet Outweighs the Downsides
Unlike Web1 and Web2 centralized services, which collect and track your personal information and user profiles to drive token-based, non-credential OAuth, in Web3 we can use blockchain wallets and public/private key cryptography to identify ourselves to third parties, and subsequently allow the user full autonomy over what and when they share their personal investment, holding and user credential data.
This ultimately provides a high level of data portability, as it incentivizes the builders and operators of companies not just to build the best product they can in their space but also to continuously improve their products under market pressure and customer demand; failure to do so will incentivize the users of that platform to move to another platform (and Web3 wallet OAuth lowers both friction AND switching cost for users).
Companies that still operate on Web2 OAuth (i.e. Login with Facebook, Twitter and Gmail, which is still the overwhelming majority of the market) would no longer be constrained by another monopolistic third party, lowering their dependency on one or two third parties and their closed-loop network effects.

There have been some light attempts by the major protocols to create an OAuth framework for their protocols, and subsequently for the Web3 wallets catered to their own protocols, but to no avail: we have yet to see an industry standard emerge. Web2 OAuth has two versions, OAuth 1.0a and OAuth 2.0; for Web3 we need an industry standard that makes sense cross-chain, given that we will live in a multi-chain world for decades to come.
All in all, I am passionately following, building and investing in those who are building OAuth infrastructure for Web3 as a whole. It’s not an easy problem to solve, but those who can will be able to set an industry standard, analogous to Web2 OAuth, which is one of the most critical, but also hidden, layers of the internet today.
Feel free to share your thoughts, reach out and more.