Intro to crypto wallet authentication

A blockchain enabled cybersecurity future is coming fast, with crypto wallets set to become a central authentication mechanism.

Modern application development has wrestled with numerous shortcomings in the security paradigm.  Blockchain can mitigate several of those shortcomings, but it requires devising means to integrate with conventional applications. 

Mainstream cyber security businesses are already working on this, accelerating the blockchain-enabled security landscape.

This article will give you an understanding of how crypto wallets work and the role they play in authentication.

What is a crypto wallet?

A crypto wallet is, at its heart, a software client that manages cryptographic keys. 

In asymmetric cryptography, which blockchain is built on, two keys are generated that are known as a key pair.  The public key is able to create encrypted cipher text that only the private key can decrypt.  The pair can also be used to sign data, proving the sender holds the private keys (without revealing the private key).

This arrangement is the result of ingenious mathematics first (publicly) devised by Diffie-Hellman using one-way functions.  The outcome is that private keys allow for accessing confidential information while public keys allow for creating it.  A public key is something like a magic envelope.  When a letter is put in it, only the holder of the specific private key can open and read it.

In the case of blockchains, the magic envelope exists on a publicly available datastore.  Anyone can send data to a public location, but only the holder of the private keys for that location can access it.  Blockchain addresses are also cryptographic entities.  They are created in association with a public key.  These addresses hold the cryptocurrency or other sensitive information.  It can only be accessed with the private key that created the address.

The upshot of this arrangement is that users need a convenient and secure way to hold their private and public keys for given blockchains.  Wallets do this by making it easy to interact with the chain based on the private keys it holds.  The wallet itself is secured with a password.  The wallet also manages the public keys, giving users access to it when an address is needed for accepting transactions.

Bridging applications and wallets

Crypto wallets represent a user-friendly and familiar means of dealing with asymmetric key pairs.  This is interesting to us in the context of authentication because a wallet can therefore be seen as a holder of identity.  That identity can be used to authenticate users.  All that’s needed is a bridge between applications and wallets.

Such a bridge is being explored by projects like Sign In With Ethereum (SIWE).  Already companies like Auth0 are using technology like SIWE as an alternative authentication mechanism.  It’s surprisingly easy to use SIWE as a drop-in replacement for conventional logins like username/password or single sign-on (SSO).  This low bar to adoption means the path to widespread usage is easy to foresee.

The advantages to this kind of wallet-based authentication are two-fold.  First, the cryptographic nature of the identity makes it very secure compared to something like plaintext passwords.  Second, federated SSO-like functionality is achievable without all the extra complexity and vulnerability that it implies.  Put another way, the wallet can act as a single source of identity truth, usable across any number of applications.

Even if you are not interested in cryptocurrency, your users may well be using wallets as a central authentication mechanism soon.

How to use a crypto wallet

Wallet-based authentication is an important idea with potent implications for the future of security, so let’s get our hands on one and see how they work in general.  This helps give a concrete sense of the user experience.

One of the most popular wallets is the Metamask browser extension, which recently surpassed 30 million active monthly users.  It is easy to use and supports several blockchains, most prominently Ethereum and its universe of tokens.  Wallets generally come in two flavors: hardware and software.  Software wallets like Metamask are often browser extensions and/or mobile apps.  We’re going to explore it briefly as it’ll give a taste of the general characteristics of all wallets.

To get Metamask, go to metamask.io and click the download button for your browser.  Once installed, open the metamask extension and click past the welcome screens.  You’ll be presented with a choice like Screenshot 1, between creating a new wallet or importing an old one.

Metamask: import or create Matthew Tyson

Screenshot 1. Metamask: import or create

I’m going to pause here and introduce the concept of a seed phrase.  A seed phrase is a set of words (usually 12 or 24 words) that act as a recovery mechanism for a wallet.  If you had one, you’d click “Import Wallet” and use it to regain access to your wallet.  The seed phrase is something like a more human-usable alternative to the private key. The biggest message here is that a seed phrase must be kept secure, just like the private key.  It can be used to access everything in the wallet.

If you select “Create a Wallet” from the import or create screen shown in Screenshot 1, you will first be asked for a password.  That password will be used to access just this instance of the wallet.  If you lose this wallet and recover it (on another device, for example) with your seed phrase, you will be asked to put in a new password to access that instance.  In other words, the password is not something you can use to recover your wallet.  Only the seed phrase can do that.

Next in the Metamask wallet creation process, you’ll get a look at your seed phrase.  Again, this phrase is very important to keep secure.  After this moment of creation, there is no way to recover this phrase.

After confirming you have your seed phrase saved, you’ll be presented with the main screen for Metamask, similar to Screenshot 2.

Metamask main screen Matthew Tyson

Screenshot 2. Metamask main screen

The first thing to make note of is the string below “Account 1,” in my case here, it says “0xa65…9321.”  That is the public key.  If someone were to send you Ethereum, for example, you would use this as the address for receipt.  To find the private key, you can click the ellipses at the upper right, then “Account Details” and finally “Export private key.”  Remember, the private key is sensitive information giving access to everything stored at that address on the chain.

There is a lot of capability in Metamask and other wallets, but these are the fundamental properties.  Let’s get a look at logging in with the wallet.

If you go to the Ethereum app explorer, you can see a wide range of apps that support Metamask.  To see an application that is not financial, let’s visit the Ethereum domain name app here.

Click “Go to App” to get to the actual entry point. Metamask will automatically launch and you’ll get a screen like Screenshot 3.

Log into Eth domain with Metamask Matthew Tyson

Screenshot 3. Log into Eth domain with Metamask

Metamask will inform you exactly what permissions the app is asking for (“See address, account balance, activity and suggest transactions to approve”) and once you accept everything and hit “Connect” on the main screen, you’ll see that you are now logged in.  For example, there is now a “My Account” link in the upper right nav bar.

(For another non-financial app, look at GitCoin, a project that lets users earn ETH for writing open source code.  This app combines typical authentication (via GitHub) and wallet-based.)

Looking ahead

Although we are just skimming the surface of things, we are getting a look at how authentication works in a blockchain wallet enabled app (often called dApps or distributed apps).  The future of the web will include a large number of apps that are integrations between conventional apps (web2) and blockchain apps (web3).  In general, these are all dApps, and authentication is the primary point of contact.

Put another way, by supporting web3 authentication, otherwise unchanged traditional apps can tap into a central feature of the blockchain.  Right now, decentralized identity is somewhat nebulous.  As you have seen it’s easy to create an identity out of thin air.  Once that wallet contains important information (like currency holdings) that becomes important to the applications.  In short, the wallet creates a highly secure and standardized mechanism for associating a user, the app, and the data the user chooses to share.

This means the wallet becomes a two-way authentication mechanism, allowing for the two-way permissioning of information (as you saw when the user accepts what is shared).

These use cases are already quite powerful but just scratch the surface of what may be down the road as governments, institutions, and businesses move to integrate with blockchains.  For an interesting look at several identity and auth projects in the space, look at this post and when you do, bear in mind that many of these projects will soon be available for active use in the upcoming Auth0 marketplace web3 category.

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)