Web3 Authentication: Complete Guide 2023

Published January 12, 2023

Since 2017, Dock's expert team has been building leading-edge decentralized digital identity and Verifiable Credential technology that can be used to provide users with more security, privacy, and data integrity during authentication processes. This article goes over the benefits of Web3 authentication for organizations and individuals and how it works.

TL;DR

  • Current authentication systems have several problems, including the risk of data breaches and the fact that users have little to no control over how their information is collected, used, and shared with other parties
  • Web3 authentication is a login process that verifies the identity of a website and app user with their public key
  • Benefits for organizations: Web3 authentication verifies users securely, helps them stay compliant with data regulations, and speeds up the customer onboarding process
  • Benefits for individuals: Web3 authentication enhances the user experience, privacy, and security
  • Developers and organizations can integrate Dock’s Web3 ID on their sites or apps to provide passwordless user authentication, prevent user tracking and avoid data collection 

Problems With Current Authentication Systems

Authentication is the process of proving that a fact or document is genuine. In computer science, authentication is usually associated with proving a user’s identity, whether the user is an organization or an individual. We currently prove our identity by providing credentials such as a username and password. Almost all applications have some sort of authentication to regulate access to their service.

Risks and Problems of Current Authentication Systems

  • Usernames, passwords, emails, and other sensitive personal information are usually stored on centralized systems that are often at risk of hackers attempting to steal user information all at once.
  • Personal data is often controlled, collected, and shared with other parties without people’s knowledge.
  • It’s difficult for people to manage and remember so many passwords, which creates a bad user experience.
  • One of the main risks of logging in with social media accounts like Facebook and Google (single sign-on) is that if a single account is compromised, the attacker can then gain access to all of the applications and data associated with that account. In 2018, a Facebook security breach exposed the accounts of 50 million users.

What is Web3?

Web3 is the next generation web and a decentralized internet where users are in control of their data. It's powered by blockchain technology which enables users to interact with each other without the need for a central authority. While the Web3 ecosystem is still in its early stages, it's growing quickly.

Some of the key features of Web3 technology include:

  • Interoperability: Web3 technologies are designed to work together which allows different applications to share data and interact with each other.
  • Privacy: Users have more control over their data as they can choose who to share it with and how it's used.
  • Security: Web3 technologies are built on cryptographic principles, which makes them much more trustworthy.
  • Decentralization: There’s no central point of control. Instead, power is distributed among all users, which makes the web more resilient and censorship-resistant.

Key Differences Between Web1, Web2, and Web3

Web1 | Web2 | Web3
1991-2004 | 2004-present | 2014-present
Static, read-only information | Shared, user-generated content dominantly through social media | Defined by the semantic web which is a system that allows machines to read and interpret web data
Centralized services, servers, and software | Decentralized, peer-to-peer technology with no central authority and no single point of failure
Power consolidated among digital giants like Google and Facebook | Governance is distributed to governance token holders by decentralized autonomous organizations
Digital giants and providers largely control data | Users fully control their data
Companies can earn revenue from using customer data | Users can earn rewards directly by supporting or participating in Web3 projects

What Is Web3 Authentication?

Web3 authentication is a login process that verifies the identity of a web-based application user with their public key rather than an email or username. Think of a public key like an account number. 

A user connects their digital wallet to access the application in two possible ways:

  1. Connecting a crypto wallet to use some on-chain data (like a specific coin or NFT) to authenticate.
  2. Using an identity wallet to verify personal information that is not on-chain. This is enabled by tools like Dock’s Web3 ID, a blockchain-based sign-in system that allows organizations to request private data from users directly from their ID wallet apps in a way that preserves their privacy.

Rather than taking time to build complex Web3 authentication flows, developers and organizations can simply integrate Web3 ID in the backend.

Benefits of Web3 Authentication

Organizations

  • The organization can decide not to store user data during the verification process, which can improve Data Minimization practices and reduce the risk of being a target for large-scale data breaches by hackers
  • Web3 authentication systems can help organizations stay compliant with a growing number of data regulations
  • Verifies users using cryptography and the blockchain which is much more secure than using emails, passwords, and social media logins
  • Creates a more efficient onboarding process as users can access a site or app instantly rather than having to go through a tedious sign-up process or log in with a less secure social media account

Individuals

  • Enhanced user experience by being able to log into multiple platforms instantly with a passwordless digital identity and without needing to manage more accounts
  • Prevent account takeover through the security of cryptography
  • Users are in control of their data and ID wallets
  • Privacy is protected with the use of Zero-Knowledge Proofs (proving something without revealing the data that supports the proof) and Selective Disclosure (sharing only a specific part of a credential) technology 

Developers

  • Build user-centric apps that remove the need for passwords
  • Ability to verify on-chain and off-chain data
  • Removes inefficient authentication processes

What is Web3 Login?

Web3 login is the same as Web3 authentication.

How Does Web3 Authentication Work?

Blockchain, Decentralized Identifiers (DIDs), Verifiable Credentials, and a Web3 wallet are essential to Web3 authentication that preserves user privacy.

Blockchain Is the Foundation of Web3

A blockchain is a digital ledger of transactions. It's like a spreadsheet that is shared among a network of computers. Transactions are grouped into "blocks" that are added to the blockchain. Each block is connected to the one before and after it like a chain, which makes it very difficult to change or tamper with transaction data. Blockchain technology is the foundation of Web3, where users are in control rather than big corporations.

Web3 Is Powered by Blockchain Technology

Right now, most web applications are centralized, which means they are controlled by a single organization like a company. This centralization has led to some major problems including hacks and censorship. With blockchain, we can build Web3 applications that are decentralized and resilient to these issues. Because blockchains are transparent, have no single point of failure, and are tamper-resistant, they provide a high level of security and trust for users.

Web3 logins are becoming increasingly popular as more and more applications are built for Web3. By eliminating the need for passwords and other centralized forms of authentication, blockchain provides a more secure and user-friendly way to log in to online accounts.

Web3 Applications (dApps)

Web3 applications are decentralized applications (or dApps) that run on a blockchain. This enables dApps to be more resistant to censorship and tampering while providing users with greater security and privacy. In contrast, traditional apps are centrally hosted and controlled by a single entity.

Every Web3 dApp requires Web3 authentication. Because of their unique properties, dApps have the potential to revolutionize a wide range of industries including finance, healthcare, and education.

Decentralized Identifiers (DIDs)

A decentralized identifier (DID) is like an identifying address that is registered on the blockchain and it can be used to identify a user or organization. In contrast to Web2 digital identifiers like email addresses and passwords, DIDs offer more security and privacy for users.

DIDs:

  • Enable users to prove who they are without needing to rely on a centralized authority
  • Are created, controlled, and managed by users
  • Don’t contain any personal data or wallet information
  • Can prevent device tracking and data correlation 

The Dock Wallet enables users to easily create, manage, and control their DIDs. It’s important to note that with the Dock Wallet and solutions, user data is never stored on the blockchain by default. Rather, their information is always securely encrypted and stored on users’ devices. Only the records of DIDs can be stored on the blockchain in order to enable the efficient verification of credentials. 

When DIDs are stored on the blockchain, this creates a public repository (location where information is stored and managed) where the DID document can be looked up and validated. This provides players in the data exchange with more confidence that the information is valid and unaltered.  

Here is an example of a DID created by the Dock Wallet:

Example of a Dock DID that can be used for Web3 authentication

People can create as many DIDs as they want and use different DIDs for various purposes such as:

  • DID 1: Online gaming
  • DID 2: Manage educational and professional credentials like a university degree and training certificates
  • DID 3: Logging into investment services
  • DID 4: Buying and selling NFTs

Also, making multiple DIDs increases security because they help prevent tracking and data correlation. With Web2 identifiers, organizations can track which websites or content users are searching. If you use the same DID for multiple sites that are being tracked by a web analytics tool, for example, their system could indicate that this DID was surfing X, Y, and Z websites. Even if they don’t know who you are, they could start drawing a picture of somebody doing various activities that are all linked together. By using multiple DIDs, it’s harder for analytics systems to connect the web interactions of a single user.

Every DID that is created comes with a private and public key pair and DIDs can have multiple pairs. Web3 authentication involves a public and a private key. 

Public keys are like public user IDs that can be seen by anyone on the network and are used to recognize a specific individual or entity. Think of it like an email address where people can send information to an email but they can’t access that account unless they have a password (like the private key). 

A private key acts like a password that allows users to access their accounts, make transactions, and digitally sign credentials. Like an email password, a private key should never be shared with anyone; otherwise, they can access all your information and make transactions with your account. The private key is an encrypted code associated with the public key that only the owner has access to.

When you try to log in to a site or service, to ensure that only the rightful owner of an address can access an account, Web3 applications require users to sign a message with their private key. The site then checks the signature against your public key. If they match, this proves you are the owner of the private key and therefore authorized to execute the transaction. 

Signing transactions with a private key is similar to signing a document with a physical signature. It proves that you are who you say you are and that you approve of the transaction. In the case of blockchain, it also ensures that the transaction cannot be changed or reversed once it has been signed. 
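
The sign-and-verify login described above, shown as an added example that is not code from Dock or Web3 ID. It goes one step beyond the text by adding a one-time nonce and an expiry so a captured signature cannot be reused; it assumes an Ed25519 key pair and an in-memory challenge store, and the function names and domains are hypothetical.

```javascript
// Added example: challenge-response login with an Ed25519 key pair (Node.js).
// issueChallenge, walletSign, verifyLogin and the domains are hypothetical names.
const nodeCrypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60_000;
const pending = new Map(); // nonce -> { message, publicKeyPem, expiresAt }

// Site: create a one-time message that names the site and carries a random nonce.
function issueChallenge(publicKeyPem, domain, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const message = `${domain} wants you to sign in.\nNonce: ${nonce}`;
  pending.set(nonce, { message, publicKeyPem, expiresAt: now + CHALLENGE_TTL_MS });
  return { nonce, message };
}

// Wallet: sign the message; the private key itself is never sent to the site.
function walletSign(privateKey, message) {
  return nodeCrypto.sign(null, Buffer.from(message, 'utf8'), privateKey).toString('base64');
}

// Site: check the signature against the registered public key, once, before expiry.
function verifyLogin(nonce, signatureB64, now = Date.now()) {
  const entry = pending.get(nonce);
  if (!entry) return 'unknown-or-replayed-nonce';
  pending.delete(nonce); // single use, whatever the outcome
  if (now > entry.expiresAt) return 'expired';
  // Verify over the text the site issued, not over anything the client sends back.
  const valid = nodeCrypto.verify(null, Buffer.from(entry.message, 'utf8'),
    entry.publicKeyPem, Buffer.from(signatureB64, 'base64'));
  return valid ? 'ok' : 'bad-signature';
}

// Constructed scenario: one honest login and four attempts the site must reject.
function demo() {
  const user = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const pub = user.publicKey.export({ type: 'spki', format: 'pem' });
  const site = 'app.example.test';
  const results = {};

  let c = issueChallenge(pub, site);
  const sig = walletSign(user.privateKey, c.message);
  results.honest = verifyLogin(c.nonce, sig);
  results.replay = verifyLogin(c.nonce, sig); // same nonce and signature again

  c = issueChallenge(pub, site);
  results.wrongKey = verifyLogin(c.nonce, walletSign(other.privateKey, c.message));

  c = issueChallenge(pub, site);
  // A signature the wallet produced for a different site's prompt.
  const otherPrompt = c.message.replace(site, 'lookalike.example.test');
  results.otherSite = verifyLogin(c.nonce, walletSign(user.privateKey, otherPrompt));

  c = issueChallenge(pub, site, 0); // issued at t = 0
  results.expired = verifyLogin(c.nonce, walletSign(user.privateKey, c.message),
    CHALLENGE_TTL_MS + 1);
  return results;
}

console.log(demo());
```

Because the site's domain is part of the signed text, a signature collected by one site does not verify at another.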

Web3 Wallet

A Web3 wallet is a digital wallet that allows you to connect and interact with Web3-enabled applications. Without a Web3 wallet, users would not be able to log in or authenticate with a dApp. Each wallet has its own features and functions, and wallets are a must-have for developers building on blockchains.

Dock’s Web3 Wallet

The Dock Wallet enables users to:

  • Connect and interact with Web3 applications by using DID keys
  • Create, manage, and fully control their DIDs 
  • Securely store and manage their Verifiable Credentials

Web3 Wallet Security

A secure Web3 wallet comes with a seed phrase, a list of random words that gives you access to your digital assets and information in your wallet. The seed phrase can generate many private keys and give you access to all of the keys and addresses. 

It is important that you never give the recovery phrase or private key to anyone. Otherwise, they could access all of your information and sign transactions from your account. Applications, websites, or even the blockchain won’t be able to tell the difference between you and another person who has your wallet key. Ideally, keep a paper copy of the recovery phrase, or even store it in a physical safe. If you lose your key, you won’t be able to access your accounts.

Web3 Authentication Flow

Here is a scenario that explains how Web3 Authentication works with Dock’s tech solutions: 

1. Maria is a company owner who uses the Dock Wallet to create a DID that she uses only to access the Dock Certs platform. She uses Dock Certs to issue online course certificates to students as Verifiable Credentials.

2. Maria goes to the Dock Certs site and signs in with Web3 ID.

3. Maria scans the QR code from her Dock Wallet.

4. She approves Dock Certs to connect with her wallet by selecting “Approve.”

5. She accesses the Dock Certs platform.

Simple as that!

Web3 ID integration: technical details

Limitations of Early Web3 Authentication Systems

The first Web3 authentication systems made great progress in providing more privacy and security compared with centralized identifiers. However, these earlier solutions still have risks and limitations.

Although people could sign in with other types of Web3 crypto wallets like MetaMask, a big downside is that an organization can only verify on-chain data, like the ownership of a token, and not personal data that should never be on-chain for security and privacy reasons. This is why Dock developed Web3 ID to create a system that allows for the secure verification of personal data while preserving user privacy.

Another issue with early Web3 wallets was that they were less user-friendly than today's wallets. Using them often required users to have a deep understanding of how blockchain worked, which made it difficult for many people.

Dock’s Web3 ID: Web3 Authentication and Sign-In System

That’s why Dock built Web3 ID, a blockchain-based authorization system that enables:

  • Verification of private user data from their identity wallets, always with their consent
  • Passwordless login that prevents user tracking and avoids data collection
  • Verification of user data with the security of cryptography
  • Easy integration with OAuth, a standard protocol that enables people to provide secure access to applications without needing to share login details

Web3 ID is open-source, free, and OAuth 2.0 compliant.

Web3 ID is OAuth 2.0 Compliant

OAuth 2.0 is an industry-standard protocol for authorization that makes it easier for individuals to grant websites or applications access to their information without having to share passwords. OAuth 2.0 provides secure authorization from web, mobile and desktop applications and APIs, allowing users to share specific data while keeping their passwords and other information private.

Let’s say Sally wants to use a social scheduling app for the first time and signs in using Web3 ID. OAuth 2.0 handles authentication by asking the user to approve access from the scheduling app and then redirects them back to the application with an access token that provides secure access to the user's data. All of this is done without ever having to reveal their personal information.

OAuth 2.0 compliant applications follow a specific set of rules when handling user authentication and authorization. This ensures that user data is kept safe and secure, and that users have control over which applications have access to their account data.

How Web3 Authentication Can Help Organizations Stay Compliant With Data Regulations

Because of the growing problem of data breaches, misuse of user information, and privacy issues, there have been a growing number of data compliance, security, and privacy regulations around the world. The General Data Protection Regulation (GDPR) is a European Union law that protects individuals' personal data and sets guidelines for how companies can collect, use, and store this information. It is considered one of the world’s strongest sets of data protection rules.

By integrating a Web3 authentication system on apps and websites, organizations have the option not to collect user data during verification which can reduce the risk of being a target for data breaches. This Data Minimization practice helps organizations stay compliant with data regulations, especially with systems that provide advanced privacy preserving technology like Selective Disclosure (user chooses which parts of their data they want to reveal) and Zero-Knowledge Proof technology (confirming a claim without revealing the actual details of the claim).

Conclusion

Web3 authentication offers a convenient and secure way to verify users and access data with consent which can help organizations comply with important data regulations like GDPR. Web3 ID, Dock’s Web3 authentication system, is a great solution for organizations that want to request and verify personal user data while preserving users’ privacy.

Whether you are integrating Web3 authentication into your own apps or services, or looking for a solution that is already compliant, Web3 authentication can help you achieve your goals while keeping users safe and protected.

About Dock

Dock is a Verifiable Credentials provider that offers Dock Certs, a highly secure and scalable no-code platform, and Certs API to enable organizations to efficiently issue and verify digital credentials using blockchain technology. The credentials are tamper-resistant and instantly verifiable, and the technology is easy to integrate so users can provide Verifiable Credential support quickly. 

“We’ve looked at a lot of the systems that allow you to issue DIDs and VCs and generally what we’ve found is that Dock is far easier to use than many of the existing tools out there. It can deploy very quickly and it will be very easy for our developers to use the tool.”
Amber Hartley
Chief Strategy Officer, BurstIQ

Start issuing Verifiable Credentials today

Dock Certs is an all-in-one suite of Verifiable Credential (VC) tools built for organizations to issue digital credentials and certificates that are automatically and instantly verifiable, fraud-proof and auditable.