We Should Sign On to the Web, Not to Websites

12 July 2021

I recently moved. This means I’ve needed to go into a bunch of different accounts and update my physical address. This has involved a lot of bouncing around in my password manager and the odd reset for accounts I hadn’t properly logged.

It’s aggravating, but I’m pretty good at this. Members of my family have an existential crisis each time they are threatened with needing to keep track of one more password. And if it were possible to know how much time we’ve all spent logging into websites, it would surely shock each one of us to the core.

This article is excerpted from The Node, CoinDesk's daily roundup of the most pivotal stories in blockchain and crypto news.

The next version of the web needs to have a single sign-on (SSO). The vision should be that you sign into the web itself rather than each website. Imagine: You fire up your browser, do one sign-on and then you’re good to go on every website you visit. If you visit a new site, you just give it permission to use the identity you have running already.

How much time would that save?


“I think blockchain SSO is the future of identity management for the internet. We have this situation where cryptocurrency, bitcoin, has encouraged everyone to get a private public key pair,” Matthew Gould, the CEO of Unstoppable Domains, which makes crypto-powered web addresses, said in a phone call. “I think it’s a huge opportunity.”

SSO is at the heart of the vision for Web 3.0, putting identity back into the hands of users rather than the centralized services.

Re-orienting identity

Anyone who is a decentralized finance (DeFi) user is already familiar with the concept. You have your MetaMask wallet running in your browser. You can use that to access any of the various DeFi apps. A click or two of verification with your active wallet is all it takes to get inside.

And it’s important to think about what’s happening here. That website is looking at public data about your wallet that’s kept on the Ethereum blockchain. That’s data that you generate and you can see as easily as that app can. This is a completely different framework from the web as we know it.

On Web 2.0, the sign-on is controlled by the website and as soon as you start using it you’re generating data in their servers, not your own. You can’t edit it. You can’t copy it. You can’t even see it.

“Data portability is an important thing for people to understand, being able to bring your own data to an app,” Gould said. Case in point: I’ve used a lot of music apps over the years and wish there were some way I could aggregate all my favorites from each app.

Unfortunately, each time I join a new one I start from zero once again. No doubt I’ve lost track of dozens of bands I’ve liked this way.

You own you

There’s another upshot of this: In an SSO future, it’s harder to kick people off websites. Even if a website does blacklist an identity, it can’t take that identity away.

“It’s fundamentally irrevocable and in many ways unblockable,” Mark Hendrickson, product lead at the developer of a Bitcoin-based decentralized internet, Hiro Systems, wrote in an email. If a pseudonymous Twitter user is known by a handle on Twitter that gets booted, the user is just gone forever. There’s no way to really prove you are you on another site. Not so if Twitter were using an external identity; Twitter could boot the user but he or she could still prove who they were on another site.

“The user is given complete, independent control over their credentials that work over a wide range of sites and apps, as well as control over their public identity as they decide to layer onto those credentials,” Hendrickson said.

Hiro is the new name of the company previously known as Blockstack, which garnered a patent for its SSO product last year.

Inventions

Of course, there are SSO standards on the web right now. The classic is OAuth, but more and more, Google, Facebook and (recently) Apple want to be the chief way to sign in to websites. Not only does this give those giants more visibility into your online activities, but it allows them to control what can and can’t be built.

A blockchain SSO world cuts out the third parties. “The key difference with this system over a traditional OAuth solution is we move from a three-party system to a two-party system in terms of privacy and tracking of data,” Vinny Lingham, the founder of decentralized identity startup Civic, wrote in an email.

Gould predicts an open-source core at the heart of a few different decentralized SSO standards, and then lots of startups will build applications on top of that core. These applications might do interesting things, like enabling users to prove what age they are or where they live or the fact that they are elite players of Fortnite.

When identity is built in the open, works across the whole internet and no one can stop anyone from building on it, entrepreneurs are likely to get very creative.

“I think there’s going to be a lot of unique inventions,” Gould said.

CORRECTION (July 13, 13:27 UTC): A previous version of this story gave an incorrect first name for Hiro’s product lead.
