[theplumber]

I think it depends much of expectations. It actually exceeded my expectations. I recently built a small and useless program in solidity and deployed it within few hours. It's definitely better than what we had available years ago (i.e. on bitcoin platform) and I see a future for it. I think it has chances to survive in this age of censorship and surveillance.

Something that really surprised me was the signing/metamask integration(a kind of webauthn). I would definitely use that to login into various websites instead of the invasive facebook/google login plugins we see all over the web. There is even something akin to oauth2 but without the requirement to have "developer keys".

[Uehreka]

> I think it depends much of expectations.

Agreed (and I agree that ENS and the SSO stuff looks interesting). The problem here is that the crypto community are the ones setting the high expectations.

[serverholic]

"Sign-In with Ethereum" will be huge. I purposefully avoid "Sign-in with Google" because putting too much power in a centralized authority terrifies me.

I'd much rather have the convenience of "Sign-In with X" but backed by something I have control over.

[UncleMeat]

What is the difference between "Sign-in with Ethereum" and the signature-based auth that has been available for decades without blockchains?

[vbuterin]

1. Has an actual path to adoption (because people have keys and have a motivation to try hard to retain their keys because they have crypto assets)

2. Once smart contract wallets properly gain adoption, you'll be able to do recovery (see: https://vitalik.ca/general/2021/01/11/recovery.html )

3. Lots of built-in anti-sybil techniques (eg. verifying that the address has nonzero balance is a pretty simple and effective one)

[somebodythere]

1. A lot more people are using Sign In With Ethereum than other kinds of signature-based auth to log into websites. The UX, while not perfect, is a lot more figured out.

2. SIWE lets the user share a cryptographically verified shared state of the user. For example, digital asset collections, reputation in a group etc.

[captn3m0]

Isn’t sign in with U2F exactly the same guarantees and issues? (Cryptographically proven pseudonymous identities, but no recourse if you lose your keys)

Why does ethereum need to come into the picture?

[maccolgan]

You can't assign value or tokens to public keys without a blockchain, we've come full circle.

[deltaeerie]

People are actually using it.

[api]

IMHO this could be the "killer app" and is something I might actually use if it got sufficient traction and support.

OpenID gives a few organizations like Google, Okta, and Microsoft "root on the entire world." It terrifies me.

[twic]

There's no technical reason it has to be a few organisations. Anyone can set up a provider. The only OpenID i use regularly is from Stack Exchange:

https://openid.stackexchange.com/

HN could be a provider! You could be news.ycombinator.com/api, which admittedly would be a very confusing name to the casual observer.

The reason it all ended up being centralised is that almost nobody really valued it being decentralised.

[knownjorbist]

A key "ah-ha" moment for me was realizing that your wallet is your login on every dApp that's ever existed or ever will exist. It's pseudonymous and developers sort of get various things for free out of it as a result(payments, authorization, authentication)

[TigeriusKirk]

There's also the potentially interesting idea of wallet-as-resume. IE allowing different types of access depending on what sorts of things you've done with your wallet in the past. Certainly not for all applications, but a certain level of implied competency might be appropriate in some cases.

[shagie]

I've heard that one before... I've yet to hear a "how is it better" set down in a way that describes the architecture in a way that can be explored with more than handwavium.

How does "wallet as resume" solve the implied competency better than a GitHub repo with signed commits?

How does the wallet-as-resume solve the "I copied a project" or "I followed the tutorial line for line?" One can create a NFT or whatever equivalent for code you wrote just as easily as code you copied (be it with cp or typing it all in yourself). Can only one person would be verify a particular implementation of FizzBuzz? If the code is copied, can the original author usurp the "I wrote this" from a pretender?

Does anyone reading resumes actually think that this is a problem that needs solving?

[UncleMeat]

"Service X preemptively bans me because I signed up for service Y with my wallet" sounds like the opposite of censorship resistance and decentralization.

[dane-pgp]

It should be possible for each person to create multiple digital identities and have them linked using zero-knowledge proofs. If we can solve the messy problem of giving everyone (arbitrarily many uncensorable pseudonymous) IDs with their own key pairs, it should be relatively simple to layer on top of that all the functionality and privacy guarantees we would want from an ID system.

For example, once a reasonable digital ID system exists, we can start to build trust systems, such that your good reputation among one community can be used to bootstrap your reputation in a new community. Again, zero-knowledge proofs should be a viable mechanism for conveying trust relationships without having to reveal your social graph.

Some of this data would have to be stored off-chain, or only in encrypted form on-chain, but I don't think there are any practical limits of blockchain technology which prevent this.

[knownjorbist]

I'm all for services making that kind of decision as opposed to government, but this is also a bit of a misnomer because you can have multiple wallets.

[yepthatsreality]

Like OpenID?

[Uehreka]

I’m a long time blockchain skeptic (check my comment history) but I recently came around on the SSO stuff and can vouch for it enough to say the magic words: it is in fact a novel thing that cannot be done without blockchain using pre-existing crypto or auth tech.

The reason is: With private key auth alone, you don’t have identity, just a non-human readable public key, and no universally known exclusive association with a particular username. With OpenID or WebAuthn or any of that, you would still need a company or org to keep a centralized database of everyone’s credentials and user info. With Blockchain you don’t: As long as the Ethereum blockchain keeps going, your info (username: “johndoe.eth” public_key: “420abc” avatar: “some HTTP or IPFS url”) will stay stored. This is the exact precise thing blockchains are unusually good at doing, and given how much people these days are hating on big tech companies managing their identities and harvesting data in the process, “SSO with no company attached” seems like a thing people actually want.

I’m still highly skeptical of art NFTs and crypto as currency and lots of other blockchain stuff, but in this one case they’ve won me over. This seems legit.

[shagie]

The potential for doxing in this is... so here's your identity so that you can be the same individual on multiple sites.

Someone else posts into the blockchain that jondoe.eth public_key "420abc..." is {this real data about the person}.

And now that identity and every login it is associated with has been doxed in a permeant, public, and unalterable way.

If someone doxes my gmail account, I can go through the process of dissociating myself with that identity and hopefully the provider were that doxing is stored could be persuaded to delete that content (yes, the internet has a long memory).

This would seem to be much harder if not impossible with an identity stored on a public blockchain (that also allows for other data to be stored).

[serverholic]

To be clear, signing-in doesn’t trigger a transaction. So people can’t publicly see where you have logged in.

Also it’s up to you how you use the system. You could have a number of online persona’s each with it’s own login.

[shagie]

This isn't about transactions or being able to see where you're logged in from.

This is about having a public, centralized source of identities that cannot be erased.

Yes, you can have multiple identities on it - but if an identity on that chain is doxed, it is forever doxed.

If you are maintaining one identity per application... then what is the advantage of having the identity in a place where it can be accessed by multiple applications?

I have difficulty seeing the advantage of a public, append only, identity provider compared to say... setting up your own auth server on AWS and managing your identities out of there.

[UncleMeat]

I don't see how this is beneficial compared to signature-based auth. Didn't people all recoil in horror at the real-names policy that Google performed ages ago? Making it fundamentally difficult to separate my identity on various platforms is bad. And further, I really don't see the benefit of having my username stored on a blockchain rather than in an application database. Is the goal to prevent other people from making an account using the same username that I use on other platforms?

[serverholic]

Who said you need to use your real name?

[UncleMeat]

The overlap here is the centralization of identity, not the actual real name part. Is it desirable to have my hn handle also match my wow character name?

[theplumber]

OpenID is a closed system both to the end-user and the website owner based on secrets(`state` `code`, developer keys) from identity providers(google/facebook) not cryptography.

[Sohcahtoa82]

What's the recovery if your private Ethereum key gets deleted, or worse, stolen?

If you're signing in via some other 3rd party, you can change your password.

I'm just trying to think of how "Sign in with Ethereum" would work if you're trying to get your technophobic grandma that clicks on phishing links and responds to the County Password Inspectors [0] when they call to use it.

[0] https://www.smbc-comics.com/comic/2012-02-20

[knownjorbist]

Social Recovery is one of a couple methods people have proposed:

https://vitalik.ca/general/2021/01/11/recovery.html

[serverholic]

I think smart wallets will help with that. You’ll be able to create a set of recovery tokens such that you only need a subset of the tokens to recover your wallet.

For example, you can generate 7 tokens and only need 5 to reset your wallet keys. You can give 3 to your relatives, 1 in a safe-deposit box, etc.

Grandma’s kids can help her set it up.

Edit: Or, for people who really prefer centralization, you can give all 7 tokens to Bank of America. The point is you have a choice and can design the security system you want.

[mNovak]

Surprised actually this doesn't exist in a more general sense -- just X of N decryption of arbitrary files. Could be your private key recovery, or just mundane corporate documents with provable "two man rule"

[xur17]

And I imagine the "recovery tokens" part being abstracted away. There will be a bunch of apps that work this, and there's no reason it couldn't be as simple as checking a few boxes to select the people you want to be able to help you with recovery, with some default rules that you can change.

[Whike]

Visit www.prudentrecovery.com they offer recovery services for phrases and lost bitcoin and ETH

[aditya]

this already exists, just not widely deployed on web2. 'Connect Wallet'.

[serverholic]

Fyi “Sign-In with Ethereum” is just standardizing the “Connect Wallet” button.

[justicezyx]

Don't you need to pay someone to deploy the program?

[theplumber]

ETH is expensive but there are other "cheaper" blockchains compatible with ETH whose "gas" price is negligible. You can also deploy for free on the "testnet"

[UncleMeat]

A major reason why those blockchains have lower fees is because speculators have not driven up their token price. Unless there is some fundamental reason why the fees will stay low, you've got a time bomb on your hands as soon as people decide that this blockchain is a major speculation vehicle.

[cqwrtiq]

This is an interesting topic that I feel like doesn't get discussed often. Vitalik Buterin posted today about Ethereum's expensive gas fees and the reasoning for it. It boiled down to decentralization vs. more operations per block. Blockchains like Algorand and Solana have large block sizes, so they can keep fees low per block (which they both do a very good job of doing so far, although exactly how cheap they'd be with Ethereum's adoption numbers is still uncertain). Tezos has had more adoptions through NFTs and they've managed to keep transaction fees low as well (although arguably running a Tezos node now requires better hardware specs than it did a few years ago). The tradeoff is that beefy hardware is needed to run a node, which hurts decentralization, as the average participant without deep pockets can't compete. This is part of why Ethereum has high gas costs.

[jazzyjackson]

It got discussed a lot - years ago - and is sometimes referred to as the "Block Size Wars"

https://en.bitcoin.it/wiki/Block_size_limit_controversy

[lukeramsden]

On the testnet you can get free ETH to deploy contract(s).

[TigeriusKirk]

Or run your own private chain/node for trying things out.

Recently I've been working at converting an existing web business to web3 (at least my interpretation of web3), with the goal of making it all decentralized. My impression at this point is that it's mostly possible but not all that practical.

It might make more sense if I reimagine what the business is, which is part of my exploration here.