The Paradigm of On-Chain Social Account Authentication
Converting Off-Chain Social Account Authentication into On-Chain Verifiable Proofs
Background
Web3 developers have made significant advancements in improving user experience to onboard Web2 users to Web3. With the introduction of new standards like Account Abstraction (AA) and the growing adoption of Multi-Party Computation (MPC), wallets and DApps are able to utilize features such as social login and two-factor authentication (2FA) for social accounts. These advancements create a seamless and user-friendly environment that mirrors the Web2 experience, thereby easing the adoption process for users.
Current Issues with Web3 Social Account Authentication
In the current Web3 landscape, the authentication process for users’ social accounts often relies on off-chain verification methods to kick-start on-chain transactions. This method sees a significant portion, ranging from one-third to half, of the on-chain signatures sourced from third-party entities, typically wallets. These include various types of wallets, like AA, Multi-sig, and MPC wallets that provide social authentication. However, the results of these wallets’ off-chain user authentication processes aren’t independently verifiable. This reality is the remaining centralized element in an otherwise decentralized system.
A further pressing concern related to the use of social accounts in the Web3 ecosystem is privacy. When a user authenticates their social account to a Web3 wallet, the wallet gains access to the user’s information, inadvertently becoming a centralized collector of user data. This access also leads to a merging of user information between Web2 and Web3. Such widespread collection and consolidation of user data can potentially expose users’ identities and assets, putting the security and privacy inherent in the Web3 world at risk. These challenges highlight the critical need for truly decentralized and privacy-focused solutions in Web3’s user authentication processes.
Decentralized Provers for Social Account Authentication: A New Paradigm
Given the aforementioned challenges, a mechanism in the authentication process that generates a proof in a decentralized manner would be able to remove the dependency on a single centralized entity for validation. The proof it generates can be independently verified on-chain, aligning with Web3’s principles of trustlessness and on-chain verifiability. This approach of employing a decentralized prover strengthens aspects of privacy, speed, and reliability in the authentication process, all of which are pivotal for enhancing user experience and security within the Web3 ecosystem.
Principles of Social Account Authentication in Web3
Several principles emerge that should guide the design of a Web3 native social account authentication protocol, particularly in its capacity as a Decentralized Prover (Fig. 1).
- On-chain Verifiability: The authentication process must yield outcomes that are verifiable on-chain. Once successfully verified, these outcomes should directly initiate on-chain transactions, ensuring a closer alignment with the principles inherent in Web3 native systems.
- Privacy: The authentication result should obscure or hash the user’s Web2 account, such as their email or Google account. Since this account acts as the link between Web2 and Web3 identities, it will safeguard the user’s personal and financial security.
- Speed: Social login and social 2FA should be quick to minimize any substantial impact on the user experience.
- Trustlessness: The authentication result and the corresponding proof generated should be decentralized, eliminating the reliance on any single authenticator.
DAuth Network as a Decentralized Prover
DAuth revolutionizes social account verification by leveraging Hybrid ZK (Zero-Knowledge) proofs, ensuring decentralized and anonymous authentication while allowing users to verify their accounts without revealing them to any entity. Additionally, DAuth provides on-chain verifiable proofs, enabling smart contracts or third parties to confirm the verification results. This approach creates a system that is trustworthy, verifiable and respects user privacy.
Let’s take Google account verification as an example.
- The user starts a transaction within the wallet’s application, which includes a unique Request ID. This transaction interacts with the Wallet Contract but is not immediately executed because it requires a 2FA approval.
- The user is guided through the 2FA verification process by the DAuth SDK, which operates on the DAuth Network. The network currently supports email OTP, SMS OTP, and OAuth verification.
- The DAuth Network redirects the user to Google for verification, and the user completes the verification process.
- The DAuth Network processes the corresponding access token or IDTokens using Hybrid ZK technology. Based on this, DAuth generates two proofs: the TEE-based instant proof and the ZK-based final proof. Both proofs include the Request ID.
- The proofs generated by the DAuth network are then validated on-chain.
- Once the on-chain proof verification is successful, a transfer approval is triggered, and the user’s transaction is successfully sent and executed.
Conclusion
DAuth introduces decentralized OAuth and SMTP protocols specifically designed for Web3. This protocol retains the familiar user experience of social login and social account 2FA while removing the need to rely on authenticators such as wallets. Moreover, this decentralized approach safeguards user account privacy and effectively prevents the leakage of information between Web2 and Web3. As a result, DAuth enhances the overall security and privacy of the user’s digital interactions in Web3.