Web3 and IAM: Marching toward disruption

Identity and access management (IAM) embraces a broad swath of IT practice.  This practice is subject to two forces pushing it towards greater prominence: increasing threat actor activity and increasing infrastructure complexity.  In response, we see increasing sophistication of the tools used to deal with both.

Web3 technology has unique characteristics that lend it to dealing with IAM.  To begin with, Web3 is built upon cryptography, with an unprecedented level of inherent privacy.  The validity of the blockchain is predicated on encryption; every piece of on-chain data is by its nature protected to a degree.

Here’s a look at where the worlds of Web3 and IAM intersect and possibilities for the future.

Blockchain basics

The way to look at blockchain applications—at least in an idealized form—is as a universal, distributed datastore.

This datastore has two kinds of nodes:  One participates in the network by making claims (this is known as a wallet); the other is called a full node and participates in the network by collaborating to verify claims.

A wallet node submits transactions to the database.  If the network of collaborating full nodes determines it’s valid, that transaction becomes part of the shared truth of the datastore.  Wallet nodes can then make a claim about the transaction.  The most fundamental claim is the ownership of a given piece of data.

This is all achievable because a wallet is fundamentally a private key (in the cryptographic sense), and every transaction a wallet performs is signed with its key.  The key, therefore, is the mathematical proof that the actor who made the claims before is the same actor making claims now.

Wallet as identity

We can see, then, that the notion of a blockchain wallet is a kind of identity.  This identity can be used for authentication. There is nothing mysterious or surprising about that in the sense that private keys are already widely used in conventional security for establishing secure communication between parties. 

In another sense, though, it is rather revolutionary. 

As Auth0 labs notes, “The most significant byproduct of blockchain adoption is the organic distribution of private keys to end-users, i.e. wallets.”  That is to say, internet users have undergone a massive adoption of public-key cryptography via their personal cryptocurrency wallets.

By understanding the nature of their wallet, its use, and security implications, a new kind of user is introduced.  As this new kind of user becomes more common, a potential sea change may occur to authorization. 

In short, the convergence of the security of private keys and the convenience of blockchain wallets is a potential disruptor to authentication. I’ll emphasize potential as this is still quite speculative and there is a lot to be sorted out from the technical and infrastructure standpoints. In addition, it’s worth noting that wallets are not very user friendly for non-technical folks. The potential to lose your ID—really and truly lose with no possible recovery, ever—exists. So, the emergence of the new kind of user described above is far from a foregone conclusion.

Nevertheless, using wallets for authentication is happening now in Auth0 (via SIWE, sign in with ethereum) and other providers.  Basically, the barriers to using wallets in off-chain auth are being drastically lowered.

When you consider that popular wallets like Coinbase have associated with them rigorous KYC (know your customer), a picture starts to form of a single, technologically secure ID that is well integrated with traditional identification. 

In this sense, wallets could possibly become an official digital ID, something like the digital equivalent of a social security number.  This last speculation is a long way off, given that it implies the interaction of not only technical, but governmental actors.

Introducing DID (decentralized ID)

The name given to this overarching idea is decentralized ID, or DID.  In general, we are talking about folding together the universe of other identification data points into a single number.  It’s an idea that has not gone unnoticed by even large players like Microsoft.

This holds out the possibility of preserving anonymity and control for the user.  That’s because, in theory, the relationship between the wallet and the blockchain creates a layer of abstraction between the user and the database.  In practice, this is more a pseudo-anonymity—the user still is a human being sitting at a device that is physically connected to the internet.  Put another way, the ability to associate a user to a wallet—one way or another—diminishes anonymity.

The user (wallet holder) can be said to remain in control because the information is stored in a decentralized way  and the user can decide if and when to use or share the data.

Zero knowledge proofs

A related idea is that of zero knowledge proofs.  Here the idea is that something is proven as true, while the rest of the context remains private.  This is feasible again because of the magic of public-key cryptography.  Once a fact is established as valid through some mechanism and is committed to the blockchain, thereafter, the owning wallet can make the claim without any other revelations.  We could establish our right to operate a motor vehicle, for example, without exposing our driver’s license and the other information it contains. 

So, the possibility exists for users to control their information and share only what they want with a high degree of granularity.

These ideas have become mainstream enough that the W3C consortium has undertaken to formalize them into a standard, called verifiable credentials (VC).  The effort there is to codify modern DID into a standardized format that incorporates privacy protections.

Token gating and authorization

The other reason broad wallet adoption may represent a game changer for IAM is the nature of higher order blockchains like Ethereum.  Web3 identity has the ability not just to authenticate to conventional applications but participate in other on-chain activities that also have IAM implications.

An important concept that is gaining traction is token gating.  Token gating in a sense builds upon NFTs, but goes a step further by adding access control.  Token gating can be seen as a kind of Web3 authorization, and therein lies its relevance to our current IAM discussion.  Token gating is seen by proponents as introducing a new kind of economy by commoditizing digital content. 

This means is that content creators and users can participate in an economy that is built on the notion that owning an NFT grants access to the content.  This granting of access can be seen as a novel kind of authorization based on DID authentication, which may find use cases outside of digital content. 

This idea could be applied to accessing assets as we currently use solutions like access control lists in databases, making for a more universal authorization system.  United with something like verifiable credentials, you can begin to see the potential of a more standardized and universal IAM mechanism—one whose benefits may cause it to gradually supplant existing approaches.