
How does authentication/authorization work in web3

Authentication in Web3

Web3 promises an internet that is open, composable and accessible to everyone. In practice, though, any user who wants to interact with a DeFi protocol or enter the metaverse through a blockchain game first has to prove who they are to the dApp, so web3 authentication is the first thing a dApp has to get right; an app that cannot log users in against the blockchain will not get far. Rather than a username and password held by a centralized service that tracks and collects personal information, web3 identifies a user by a blockchain wallet and public-key cryptography: the user holds a private key, and the wallet signs messages with it. Users can bind a human-readable identity to an address with protocols such as IDX or ENS, or keep separate addresses for different applications and use cases. Ownership of an address is proven with a cryptographic signature: the wallet signs a message chosen by the application, and the application recovers the signing address from the signature with a library such as web3.js or ethers.js and compares it with the claimed address. The same signing mechanism authorizes blockchain transactions. Because the wallet and the library do the cryptographic work, web3 authentication and authorization take only a few lines of application code.

This article will discuss how to perform web3 authentication and authorization using a web3 wallet.

What is web3

Web 1.0 was the read-only web of static pages, the beginning of the technological shift. Web2 made the internet interactive and user friendly, but it also concentrated control over data and information in a handful of large companies, which created dependencies and limited what the internet could become. Web3 was conceived after Web2 around the idea of a decentralized internet in which power does not rest with a few people, entities or organizations. Its core infrastructure is blockchain technology: a network of peer-to-peer nodes that operate independently anywhere in the world and give users transparency and immutability of records. Technology experts believe the decentralized internet will change how organizations, money and the internet itself work, and its proponents argue it creates a more democratic infrastructure. Understanding blockchain is therefore necessary to understand web3. Web3 builds on blockchain platforms, cryptocurrency and non-fungible tokens to give people ownership of their data and assets: web3 is about reading, writing and owning.


Salient features of web3 technology are:

  • It is decentralized
  • Permissionless
  • Uses cryptocurrency
  • Trustless
  • Secure and reliable

Embark on your web3 journey with our future-ready web3 solutions.

Launch your Web3 project with LeewayHertz

Why is web3 authentication necessary?

Web3 authentication sounds fancy, but it is really just a login mechanism. Web2 sites authenticate users with an email address and a password; web3 apps authenticate them with a blockchain address and the private key that controls it. Web3 websites, applications and services run on specific blockchains, and users need a secure way to connect a wallet to the network a dApp uses. Web3 authentication establishes that connection and proves to the dApp that the user controls the address they present. Once authenticated, the user can use the dApp's features and interact with other authenticated users on that network, which is why every web3 dApp needs it.

Here are some reasons web3 authentication is better than email/password or social logins.

  • Enhanced security – Proving ownership of an address with a public-key signature is stronger than proving it with an email address, a password or a third-party login. The credential (the private key) stays in the user's wallet on their own device instead of in a server-side password database, so there is no central store of secrets to breach and the attack surface is smaller. The flip side is that the wallet and its seed phrase become the one thing an attacker needs, so wallet security and phishing resistance matter.

  • Increased privacy – No email address is required and no third-party identity provider sees the login. Note that an address is pseudonymous rather than anonymous: all of its on-chain activity is public, so linking an address to an account also links that history to the account.

  • Simplified user interface – Login is a single click and a signature prompt, done in a few seconds. Users have no password to remember or write down.

Wallet-based login coexists perfectly well with traditional login methods: the backend simply maps each account to the wallet address (or addresses) the user has proven control of, and the user can sign in by either route. This flow is not the right choice for everyone, however, because to perform the authentication:

  • Users must have a wallet – The flow does not work without a web3 wallet such as MetaMask. Asking users to install and set up a wallet is friction that non-crypto users often will not accept, and building your own wallet is expensive.

  • The back-end needs work – Although the client side of web3 authentication is simple, the server side must change throughout: signup, the authentication routes, session or token issuance and the user database all have to be adapted to addresses and signatures instead of passwords.

Handling the underlying cryptography correctly is harder than it looks, and logging in manually would mean dealing with raw public and private key pairs, which are impractical for users to manage. Fortunately, many trusted hot wallets are available as browser extensions or mobile apps; they take care of key storage and signing, and they also store and manage cryptocurrency.

What are web3 wallets?

Web3 wallets are setting a new standard for how content, assets and identities are managed and monetized online. A web3 wallet, whether hardware or software, lets users access their funds, connect to decentralized apps, collect NFTs and build on-chain, which makes it far more flexible than a traditional wallet. Strictly speaking a wallet does not hold cryptocurrency: the assets are recorded on the blockchain, and the wallet holds the keys that control them.

A cryptocurrency wallet is made up of three components:

  • Public key and address – The address is derived from the public key (on Ethereum it is the last 20 bytes of the Keccak-256 hash of the uncompressed public key). It is where transactions are sent to and received from, much like an email address, and it can be shared freely.

  • Private key – This key must be kept secret. Whoever holds it controls the funds and can authorize new transactions; it produces the signature on every transaction and every login message.

  • Seed phrase – A list of words (usually twelve or twenty-four) from which the wallet deterministically derives all of its private keys. It is the wallet's root secret: anyone who has it can regenerate every key and address, so it must be protected at least as carefully as a private key.

There are many types of wallets in the web3 domain. Each has its advantages and suits a different way of managing funds and data, so users should try a few to find the one that fits them.

Types of web3 wallet

There are two broad categories of web3 wallets, hot wallets and cold wallets, and each has several subtypes.

Hot-wallets

Hot wallets run on a device that is connected to the internet and to the cryptocurrency network, which is why they are also called software wallets. Because they can store, send and receive tokens directly, they are more versatile than other types of wallet and are the most popular kind of web3 wallet. However, because they are online, their keys are exposed to malware, phishing and remote compromise, so hot wallets are easier to attack than cold ones. Some examples of hot wallets:

  • Desktop wallets are downloaded and installed locally on a desktop or laptop, so the keys stay on the user's own computer. Of the hot wallet types, these are generally considered the safest.

  • Web-based wallets are hosted on a third party's server and used through a web interface, so nothing has to be downloaded or installed. They offer the same capabilities as a desktop wallet, including looking up transactions and blocks through a block explorer, but the user is trusting the provider with key handling.

  • Mobile wallets work like desktop wallets but are built as smartphone apps, giving users immediate access to their funds. They are usually simpler than desktop programs because of the smaller screen and the need for a streamlined interface.

Cold-wallets

Cold wallets are safer than hot wallets because the private keys are kept offline on physical media. Keeping keys off any internet-connected device (hence the term cold storage) makes them far more resistant to remote attack, which is especially valuable to long-term investors. A few examples of cold wallets:

  • Hardware wallets – Hardware wallets are small physical devices, often resembling USB sticks, that generate the private and public keys with a built-in random number generator and keep the private key inside the device. Signing happens on the device, so the private key is never exposed to the connected computer or to the internet, which makes hardware wallets one of the best options for protecting keys from hackers. Because they are less convenient to use than a hot wallet, they suit long-term storage and large balances that are not needed for everyday use.

  • Paper wallets – A paper wallet is a piece of paper on which a private key and its blockchain address are written or printed, often as QR codes. Anyone can scan the address QR code to send funds to it. Paper wallets are rarely used today and are generally discouraged because of their inherent flaws: the paper can be lost, damaged or photographed, and to spend from one the private key has to be imported into a software wallet, at which point it is no longer cold. In practice a paper wallet is swept in one go rather than spent in partial amounts.

How to perform authentication and authorization in web3 using a wallet?

Web3 wallets are used to sign the messages and transactions that authenticate a user. Some of the most trusted solutions are MetaMask, WalletConnect, Web3Auth and Fortmatic, and each offers a good user experience. MetaMask and WalletConnect are aimed at native crypto users, whereas Web3Auth and Fortmatic are designed to be accessible to users without crypto experience. MetaMask is perhaps the best choice for desktop browser users, while WalletConnect is a must for mobile users. We will use MetaMask as the wallet here, so a short overview of MetaMask is useful before the technical steps of web3 authentication with it.

MetaMask is a browser extension (and mobile app) that serves as a crypto wallet and as a gateway to the blockchain for web applications. Once installed, MetaMask manages the private key that controls the user's Ethereum address and signs transactions and messages for blockchain apps on the user's behalf; the key itself never leaves the extension. MetaMask includes the Ethereum mainnet and the most popular Ethereum testnets by default and makes it easy to add other EVM-compatible networks. Logging in with MetaMask is quick and convenient, which makes it a preferred choice for web3 authentication, and it also makes building dApps easier.

Wallet authentication strengthens application security by eliminating password storage and the risky practices that go with it, and it removes the overhead of managing password hashes in the database. When the wallet connects, the app receives the user's wallet address, which can serve as the key for mapping and managing that user's data. Note that connecting only reveals an address; on its own it proves nothing, because any client can send any address to a server. Before treating the user as logged in, the server must have the wallet sign a server-chosen, single-use message and verify that the address recovered from the signature matches the address presented.

The following sequence diagram can help to understand the flow better.

[Sequence diagram: how authentication and authorization work in web3]

Prerequisite

First, the user needs to install the web3 wallet and connect to the wallet.

For example, a user of MetaMask first installs it into the browser from the MetaMask website. This provides a unique Ethereum address that the user can use to send and receive ether or tokens.

To verify if the browser is running MetaMask, copy and paste the code snippet below in the developer console of the web browser:

// window.ethereum is the EIP-1193 provider that any injected wallet exposes;
// the isMetaMask flag identifies MetaMask specifically.
if (typeof window.ethereum !== 'undefined' && window.ethereum.isMetaMask) {
  console.log('MetaMask is installed!');
}

Here are the steps to follow for web3 authentication using web3 wallet.

1. Connect the wallet from the client and obtain the user's wallet address (using the web3.js or ethers.js library).

// Assumes web3.js is loaded and that this runs inside a React class component (this.setState).
// window.ethereum is the EIP-1193 provider injected by MetaMask; the legacy
// window.web3.currentProvider and ethereum.enable() used in older guides are deprecated.
const web3 = new Web3(window.ethereum);
// Prompts the user to connect and returns the addresses they approved.
const accounts = await window.ethereum.request({ method: 'eth_requestAccounts' });
if (!accounts || !accounts.length) {
  alert("Please log in to your wallet extension");
  return;
}
// accounts[0] is the selected address. It is a claim, not yet proof of ownership.
this.setState({ accountAddress: accounts[0] });

2. Ask the server for a single-use login nonce for that address, and have the wallet sign a message containing it (for example with the personal_sign method or the library's signMessage helper).

3. Send the address and the signature to the server.

4. On the server, recover the signing address from the message and signature and check that it matches the address that was sent; otherwise reject the request. Discard the nonce either way so it cannot be replayed. Then find the user in the database by address, creating a new user if none exists.

5. Generate an access token bound to the user's id and wallet address, with an expiry.

6. Return the access token to the front end.

7. The front end sends the access token with each request, and the backend validates it before granting access to the user's resources in the database.


Importance of keeping keys secure

Wallets store private keys locally, encrypted with a password chosen by the user.

When we create a new account in a wallet, we are shown a list of words (usually twelve). This seed phrase is not the private key itself, but the wallet derives every private key from it, so it is equivalent to all of them. It must be kept safe, ideally offline and away from the system whose wallet it unlocks.

  • If we lose the key, we lose access to every account it protects; there is no reset or recovery process.
  • If someone else obtains our key, that person has full control of the account. Neither applications nor the blockchain itself can distinguish between us and anyone else who holds the private key.

Keys do not expire, so there is no need to rotate the word list periodically. But if the key or seed phrase has been disclosed, or may have been, it is critical to create a new account and transfer everything to it immediately.

Similarly, the verified wallet address can be stored in the database and used as the key to which the user's other attributes are mapped. Access to those records is then controlled with a JWT (JSON Web Token) access token, which the backend issues only after the signature check has succeeded.

The steps to store and map the address are:

  1. The client sends the wallet address together with the wallet's signature over the server-issued nonce.
  2. The backend verifies that the signature was produced by that address and discards the nonce so it cannot be replayed. It then looks up the user by address, creating a new user record if none exists; the user's other attributes are mapped to this stored address.
  3. The backend generates a JWT whose subject is the user's id and address, with an expiry.
  4. The backend returns the token to the front end.
  5. The front end sends the token with subsequent requests, and the backend validates it before touching the user's resources in the database.

How to store and validate the roles in the web3 ledger?

Roles in a system can be managed by recording them on the ledger against each wallet address.

  • A smart contract stores the roles keyed by wallet address.

  • The roles are pre-defined according to the system or application.

  • For example, in a gaming application there can be PLAYER, GAME CREATOR, ADMIN, etc.

  • Each user's role is then written to the ledger under their wallet address, and any component can validate a role by reading that mapping. Because the ledger is public, anyone can read the roles; what must be restricted is who is allowed to assign them, otherwise any account could grant itself ADMIN.

Here is a code snippet for storing and validating roles in the web3 ledger.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract User {
struct signUpDetails {
string[] roles;
string profileName;
string description;
address walletAddress;
}

mapping(address => signUpDetails) private signedDetails;
address[] public profileAddresses;
address public immutable owner; // the only account allowed to assign roles

event CreateProfile(
address walletAddress,
string profileName,
string description,
string[] roles
);

constructor() {
owner = msg.sender;
}

/*

Create Profile
we will use address to map details of particular wallet address.
Restricted to the owner: without this check any caller could assign
themselves (or anyone else) the ADMIN role.

*/
function createProfile(
string[] memory _roles,
string memory _profileName,
string memory _description,
address walletAddress
) public {
require(msg.sender == owner, "only owner can assign roles");
require(walletAddress != address(0), "invalid address");
signUpDetails storage details = signedDetails[walletAddress];
if (details.walletAddress == address(0)) {
profileAddresses.push(walletAddress); // record the address on first registration only
}
details.profileName = _profileName;
details.description = _description;
details.roles = _roles;
details.walletAddress = walletAddress;
emit CreateProfile(
walletAddress,
_profileName,
_description,
_roles
);
}

/* Validate a role: true if the wallet address has been assigned the given role. */
function hasRole(address walletAddress, string memory role) public view returns (bool) {
string[] storage roles = signedDetails[walletAddress].roles;
bytes32 wanted = keccak256(bytes(role));
for (uint256 i = 0; i < roles.length; i++) {
if (keccak256(bytes(roles[i])) == wanted) return true;
}
return false;
}
}

End note

Web3 authentication matters whenever you build a decentralized application. The concept might sound complex, but with a reputable web3 wallet handling key management and signing it can be implemented without much complexity. Many cryptocurrency wallets are available as browser extensions or mobile apps with a user-friendly UI/UX, in a range of formats. Besides their primary purpose of storing and managing cryptocurrency, they serve as the login mechanism for web3. Web3 wallets can store, send and receive fungible and non-fungible tokens and give users access to DeFi platforms and NFT marketplaces, so they are a must-have for blockchain developers. With web3 authentication, users can interact with other authenticated users and with the features of the network.

If you are planning to create a web3 wallet for your web3 app’s authentication, connect with our web3 experts for further guidance and seamless web3 development services.

Author’s Bio

 

Akash Takyar

Akash Takyar LinkedIn
CEO LeewayHertz
Akash Takyar is the founder and CEO at LeewayHertz. The experience of building over 100+ platforms for startups and enterprises allows Akash to rapidly architect and design solutions that are scalable and beautiful.
Akash's ability to build enterprise-grade technology solutions has attracted over 30 Fortune 500 companies, including Siemens, 3M, P&G and Hershey’s.
Akash is an early adopter of new technology, a passionate technology enthusiast, and an investor in AI and IoT startups.
