[Uehreka]

I’m a long time blockchain skeptic (check my comment history) but I recently came around on the SSO stuff and can vouch for it enough to say the magic words: it is in fact a novel thing that cannot be done without blockchain using pre-existing crypto or auth tech.

The reason is: With private key auth alone, you don’t have identity, just a non-human readable public key, and no universally known exclusive association with a particular username. With OpenID or WebAuthn or any of that, you would still need a company or org to keep a centralized database of everyone’s credentials and user info. With Blockchain you don’t: As long as the Ethereum blockchain keeps going, your info (username: “johndoe.eth” public_key: “420abc” avatar: “some HTTP or IPFS url”) will stay stored. This is the exact precise thing blockchains are unusually good at doing, and given how much people these days are hating on big tech companies managing their identities and harvesting data in the process, “SSO with no company attached” seems like a thing people actually want.

I’m still highly skeptical of art NFTs and crypto as currency and lots of other blockchain stuff, but in this one case they’ve won me over. This seems legit.

[shagie]

The potential for doxing in this is... so here's your identity so that you can be the same individual on multiple sites.

Someone else posts into the blockchain that jondoe.eth public_key "420abc..." is {this real data about the person}.

And now that identity and every login it is associated with has been doxed in a permeant, public, and unalterable way.

If someone doxes my gmail account, I can go through the process of dissociating myself with that identity and hopefully the provider were that doxing is stored could be persuaded to delete that content (yes, the internet has a long memory).

This would seem to be much harder if not impossible with an identity stored on a public blockchain (that also allows for other data to be stored).

[serverholic]

To be clear, signing-in doesn’t trigger a transaction. So people can’t publicly see where you have logged in.

Also it’s up to you how you use the system. You could have a number of online persona’s each with it’s own login.

[shagie]

This isn't about transactions or being able to see where you're logged in from.

This is about having a public, centralized source of identities that cannot be erased.

Yes, you can have multiple identities on it - but if an identity on that chain is doxed, it is forever doxed.

If you are maintaining one identity per application... then what is the advantage of having the identity in a place where it can be accessed by multiple applications?

I have difficulty seeing the advantage of a public, append only, identity provider compared to say... setting up your own auth server on AWS and managing your identities out of there.

[UncleMeat]

I don't see how this is beneficial compared to signature-based auth. Didn't people all recoil in horror at the real-names policy that Google performed ages ago? Making it fundamentally difficult to separate my identity on various platforms is bad. And further, I really don't see the benefit of having my username stored on a blockchain rather than in an application database. Is the goal to prevent other people from making an account using the same username that I use on other platforms?

[serverholic]

Who said you need to use your real name?

[UncleMeat]

The overlap here is the centralization of identity, not the actual real name part. Is it desirable to have my hn handle also match my wow character name?

[Uehreka]

Who said you need to only have one ENS name either? You could have one that you use for personal tech-related stuff, one that you use for work stuff, one that you use for gaming-related stuff, etc. (although for that kind of usage to really take off, Gas fees will need to come down).

[UncleMeat]

Then why aren't you just using old school signature based auth? What does having your public key stored on the ethereum blockchain accomplish?

[Uehreka]

It’s not about storing your public key, it’s about storing your username and the fact that you (the owner of that key pair) exclusively own that username (for any system that federates with ENS).

[Sargos]

Your public key is available to everyone on the internet so anyone can verify your signed message. You can't do that without a blockchain unless a trusted third party is used.