web3’s Killer App

Darren Mckeeman
Published in CryptoStars
6 min read · Jan 11, 2022

It’s not what you think it is.

Stock images are your friend, right?

Whenever a new technology comes along, people usually talk about how it founders and struggles to find its footing until some “killer app” comes along that shows its value. It was true for the internet — in the early 1990s the internet was limited to students and scholars until the Mosaic web browser was developed and web pages were invented.

This development of technology is ongoing. I’ve watched it in the thirty years since I started working for a company that was spun out of that web browser development, and it’s never stopped or slowed down. While we still use web browsers in EVERYTHING, they’re a lot different than the early days when I started working with them.

The current buzzword is “web3”. This term describes a system where blockchains are used for long-term or permanent data storage. A blockchain is nothing more than a really inefficient database that everyone can read or add to, and it’s always guaranteed to have the data that was written to it in an incorruptible form. I’ll go a little further and say that web3 today specifically refers to blockchain frameworks such as Ethereum. Bitcoin is more like “proto-web3” and has very little utility except as a fiat currency.

There’s a lot of talk about web3 right now, and it truly surprises me that not a single one of those hot takes is about THE killer app for this technology as it stands. You see, we have a societal problem baked into the internet that is itching for a solution, and web3 provides it. I’m talking about the destruction of OAuth, the login “solution” that allows Facebook, Twitter, and any other website that enables third-party logins to collect your personal information across any website that implements OAuth logins via their platforms. OAuth enables the so-called “network effect” that lets all these services monetize their traffic between each other.

Very often, when you are cruising the web, there will be a site that restricts the viewing of information until you’ve logged in. Most of the time, creating an account that lets you do this is a process that includes many clicks and email responses. This sort of thing is proven in studies to reduce engagement with people surfing your website. It was a big problem because it made it hard to retain users and collect their information — until OAuth came along. Now, any website can use Facebook (or Twitter, or Google, or… or just look at this list of services that let you authorize users off of their OAuth databases) to give you a single button that lets you log in to a third-party site.

As you can imagine, this results in Facebook knowing you have an account with X service while giving X service access to lots of information Facebook collects on you. This in turn is given to third-party services such as Cambridge Analytica and allows people with money to game elections in their favor. Well, the line probably isn’t as straight as that, but you can see how this “centralization” is probably not the best idea in the world.

But, you might ask, how can web3 help with this problem?

Well, one of the central mechanisms in web3 is the wallet. A wallet is really nothing more than an address with a public key registered to it on the blockchain and a private key that the end-user (or a wallet service) keeps secret from everyone. When you send a transaction to an Ethereum blockchain, you have to sign it with this private key to make it real. There are a few different types of transactions you can sign. So how can this replace OAuth?

When you visit a site like opensea.io, you have to use a wallet service (the most popular is Metamask.io) to connect to it. This is how you “log in”. I haven’t logged into OpenSea for a while, but the last time I did, it just connected to your account. Here’s a little secret for you — OpenSea is NOT as decentralized as you would think. As a matter of fact, it’s an old web2 website that’s been set up to use these wallet addresses as accounts. It stores information on you — it associates a profile picture with your wallet, etc. So it’s a GREAT example of how web3 can be used as an OAuth replacement. The problem is that on the face of it, this isn’t robust enough. To set up a REAL web3 login, you need to verify that the wallet instance isn’t just feeding you bullshit. You do this by having the end-user sign a transaction and verifying it on the blockchain.

As part of the reboot of KinkBNB, our two-sided marketplace for adult playspaces, we’re implementing a one-click login via MetaMask (or other) wallet. We use django-allauth as our login provider, as part of the Django framework. This required us to write a provider in Python and JavaScript to manage this. The steps to sign in a user with a wallet and verify it require a back end — the centralized web isn’t going anywhere anytime soon, folks.

To sign in as a user, your code must do the following:

  1. determine if the user has a wallet installed via javascript, and onboard them to a wallet if they don’t have one
  2. grab the user’s wallet info, and store it.
  3. generate a unique token (called a nonce), store that, and then send that nonce back to the user to sign.
  4. At this point, the user’s wallet pops up with a message telling them to sign the nonce. There is one button to click.
  5. The javascript sends the signed nonce back to the backend.
  6. The backend then uses a library to communicate with the blockchain to verify the signed message. It does this by comparing the stored nonce with the signed nonce and the public key of the wallet.
  7. When the signed nonce is verified, the user is then logged into the system and can use the site as a user. If the user wants to log in again, the system generates a new nonce and the old one is discarded, in case the old session is compromised.

Here’s a visual aid to help you if you don’t like reading.
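
The server side of steps 3 to 7 above, as an added example (not code from KinkBNB or django-allauth), written for Node.js so it runs offline. It uses Node's built-in secp256k1 ECDSA over SHA-256 as a stand-in for a wallet's Ethereum message signature, and `walletId`, `issueChallenge`, `verifyLogin`, `walletSign` and the `example.test` origin are hypothetical names; the point is that the nonce is bound to the claimed wallet, expires, and is consumed on the first attempt.

```javascript
const crypto = require('crypto');

const NONCE_TTL_MS = 5 * 60 * 1000;   // assumed lifetime of a pending challenge
const pending = new Map();            // walletId -> { nonce, expires }

// Stand-in wallet identifier: hash of the public key (not a real Ethereum address).
function walletId(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex').slice(0, 40);
}

// Step 3: issue a fresh random nonce for the claimed wallet, replacing any old one.
function issueChallenge(id, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(id, { nonce, expires: now + NONCE_TTL_MS });
  return `Sign in to example.test\nNonce: ${nonce}`;
}

// Step 4, client side: the wallet signs the challenge text with its private key.
function walletSign(privateKey, message) {
  return crypto.sign('sha256', Buffer.from(message), privateKey);
}

// Steps 5-7: check the signature against the *stored* nonce, never one echoed by the client.
function verifyLogin(id, publicKey, signature, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id);                 // single use: consumed on success or failure
  if (!entry || now > entry.expires) return false;
  if (walletId(publicKey) !== id) return false;  // key must match the claimed wallet
  const message = `Sign in to example.test\nNonce: ${entry.nonce}`;
  return crypto.verify('sha256', Buffer.from(message), publicKey, signature);
}

// Constructed demo: one honest login, a replay, and an old signature against a new nonce.
function demo() {
  const user = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const id = walletId(user.publicKey);
  const sig = walletSign(user.privateKey, issueChallenge(id));
  const first = verifyLogin(id, user.publicKey, sig);
  const replay = verifyLogin(id, user.publicKey, sig);   // nonce already consumed
  issueChallenge(id);
  const stale = verifyLogin(id, user.publicKey, sig);    // signature covers the old nonce
  return { first, replay, stale };
}
```

With a real wallet, the `crypto.verify` call is replaced by an Ethereum library that recovers the signer's address from the signature, which is then compared with the claimed address; the nonce handling stays the same.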

One button login! Easy and verified. This is a killer app, make no bones about it. A one-button login without dependency on third-party websites is one of those UX design holy grails that web3 enables. For that reason alone, my interest in web3 is piqued.

It’s early days yet in web3, so there are a LOT of problems to work out. The biggest is what’s made web3 a giant mess of scams and money laundering to begin with — wallets can be created programmatically, and the possibility for infinite sockpuppets is great right now. It works off JavaScript a lot of the time, and malicious attacks from that vector are not unheard of. And so on, but these are all problems that will be solved — if not with the Ethereum framework, then with the next big thing to come along.

So I guess the TL;DR for this article is that web3 is a Facebook login killer. Go forth and replace your login systems today, if you have the ability.

PS: If you know Python and JavaScript and Django, we are looking for engineers to help build a private sidechain for KinkBNB. We aren’t selling NFTs, and we aren’t laundering money, so come work for us.
