Most websites require your email address for creating an account. Email-based authentication allow the website to 1) contact you and 2) uniquely identify you.
Email does a good job at enabling contact - you can retrieve forgotten passwords just as easily as you can email your Grandmother - but it does a pretty poor job at identifying you. Given your email address, there's no understanding nor context about you, the user. Because of this, companies like Clearbit have built large businesses around enriching email addresses with data sourced from around the web, to make them more useful as identities.
OAuth
This lack of context & understanding is in contrast to other common mechanisms of identifying users, such as OAuth. Login with Google, Twitter or Facebook are a few examples of OAuth-based logins that go beyond just an identity - they let 3rd party developers tap into the closed data these companies have (for better or for worse).
This helps identifiers moves beyond just an identifier, and toward becoming a user, with interests, friends, contacts, followers, profile pictures, genders, birthdates, and more.
This is powerful. As a developer, supporting “Login with [social platform]” lets you tap into this enriched data for numerous things:
Bootstrap network effects (eg prompting users to subscribe to all their Twitter followers immediately after registration)
Provide mechanisms of virality (eg automatically crosspost content they create to Facebook)
Provide better onboarding (eg pre-populating user accounts with avatars, interests and more)
There are several downsides to this method of OAuth based authentication, for both developers building atop these platforms and for users that authenticate with them:
Platforms can change the rules. Developers are constrained by what platforms allow. Google and Facebook are not credibly neutral open protocols - they're closed platforms with everchanging functionality. There have been many different instances in the past where platforms changed the rules and crippled developers building atop of them.
Developers get an incomplete picture. A user's audience is commonly split across multiple platforms. OAuth'ing with Facebook isn’t very beneficial to myself or the developer's app if 90% of my social graph exists on Twitter. It's unrealistic for developers to request or expect users to manually link with every single social platform to get a full picture.
User's can't exit with interoperability. If I decide I want to exit Twitter after the Elon Musk acquisition, it’s not possible to export my Twitter followers and use it elsewhere. Even worse - if Twitter decides to ban me, that’s it: there’s no way 3rd party developers building atop Twitter can make use of this data anymore.
Wallets
Using cryptowallets alongside crypto-enabled social protocols are an alternative that I believe will bridge the gap between an identity and a user and improve upon the aforementioned issues:
They are credibly neutral. Building atop sufficiently decentralized protocols, not platforms, guarantee that the underlying functionality won't change after I, as a developer, built a sustainable business.
It's easier to get a full picture of a user's social graph. As a developer, I can permissionlessly ingest the full social graphs of all web3 social platforms, just given a user's wallet address with no intervention from the user needed. If a user has never used Farcaster but is active on Lens, no problem -- I can still programmatically ingest both to get the complete picture.
Users can exit with interoperability. If users dislike (or are banned from) a specific client built atop a certain social graph, they can move to another client and continue interacting with the followerbase they've built at the protocol-level. Similarly, developers can continue making use of all the underlying data.
Though, crypto wallets are not without downsides. Adoption is currently low - everyone has an email but not everyone has a crypto wallet. Additionally, emails allow for easy message exchange but wallets currently do not (though many protocols are trying to fix this), so it's challenging to reach users strictly by their wallets. Lastly, privacy controls are non-existent: if I didn’t want to share a list of my on-chain followers with a certain platform, there’s no current method of preventing this (in contrast to the granular, user-controlled permissions that OAuth uses).
At Paragraph, we've built several integrations involving wallets-as-an-identity and it’s been a very positive experience. For example, when a user connects their wallet and signs in, we detect if they have a Faracaster account. If so, we permissionlessly pull in their avatar, name, & users they’re following, and bootstrap their Paragraph account by prompting them to subscribe to their followers. No gatekeeping, no OAuth, no action needed from the user - nothing beyond just a wallet address & credibly neutral social protocols.
Collect this post as an NFT:
V. good post!
Great one, Colin! I'm not sure will this be relevant or not, but... if you have time, please have a read on the newest Andre Cronje's article below. He talks about Account Abstraction, and I quote, "We will no longer differentiate between contract and EOA accounts, everything will become a contract. Contracts can initiate transactions and pay for gas. An “EOA” simply becomes an authority allowed to instruct the contract (wallet) to initiate an action. This means an “EOA” can become an email address & password, social auth, face id, etc, further allowing for social recovery and an overall better dapp experience." What do you think about this? link: https://andrecronje.medium.com/letter-to-fantom-foundation-team-eb3d870c6be8
Thanks for this. It helps me to understand the issues of Identification on the web. I also found this article pretty helpful: https://www.bulbapp.io/p/640c80c5-2852-47d9-96a1-341fcbfacf61/decentralized-identity-101