Is DID a wallet? Let's talk about the Web3 identity myth

Summary: Let's try to see through the technological fog of Web3 identity.
Next.ID
2022-11-09 15:05:51

Author: Wei Duan, Next.ID Open Source Community Manager

Recently, the topic of DID (decentralized identity) has become particularly popular, with financing news coming in one after another. There is considerable controversy over how to clarify the concept of DID. Although many ideas are not yet fully clear in this early stage of development, it is necessary to list some of the more obvious confusions that have already emerged and try to see through the technical fog of Web3 identity together.

This article invites everyone to discuss:

  1. What kind of DID do users actually need, or what kind of DID system;
  2. What migration costs do Web2 users face when moving to Web3;
  3. What can Web3 DID offer users that cannot be obtained in Web2.

Is MetaMask a DID?

According to incomplete disclosures, the leading wallet MetaMask currently has at least 30 million monthly active users. This has led most dApps to naturally hope to use MetaMask for identity layers. However, this idea clearly faces many challenges, as MetaMask is primarily intended to be just a wallet.

Regardless of whether MetaMask has the motivation and drive to maintain such a massive public API for dApps to call, a major problem that users cannot avoid is: as an EOA (externally owned address) wallet, if I lose my private key or mnemonic phrase, I will lose all the assets in my corresponding account.

As long as MetaMask-like wallets cannot solve this huge pain point, it will be difficult for Web2 users to suddenly have the courage to jump into the Web3 rabbit hole.

So what is the current experience of Web2 users?

If we make a simple analogy, the unique IDs like names and ID numbers (or driver's licenses, passports) in Web2 correspond to public key addresses and private keys in Web3.

We can see the first problem: even if a Web2 user loses their ID, which is analogous to a private key, they can still reapply for a new ID through one of the centralized authentication agencies, such as the national public security authority. Their corresponding assets will not be lost.

By analogy, Web3 also needs to achieve this: if I lose my private key, can I recover control of this account through a decentralized authentication network, and in what way? If this goal is achieved, the cost for Web2 users to migrate to Web3 would be zero.

Now the second question: I have a MetaMask wallet, I have wallets from various exchanges like Binance, and I also have wallets generated by various dApp services. With so many private keys and mnemonic phrases, do we need to wait for Web3 to recreate a decentralized version of 1Password or LastPass for custody? The user cost increases significantly, as they have to add and manage an endless list of potential future accounts. It's simply unbearable.

So where is the problem? Let's go back to the Web2 world and think about it, and it will become clear.

Wallets like MetaMask are essentially bank accounts, just like our accounts at Industrial and Commercial Bank of China, Citibank, etc., allowing us to conduct financial transactions. We can only use unique IDs like ID numbers (or driver's licenses, passports) to open a new bank account. If we hold an account at Industrial and Commercial Bank of China and go to China Construction Bank to request an account opening, it is easy to imagine that we would be asked to leave by the staff.

Because "identity" and "bank account" cannot be directly equated.

This viewpoint is not only held by the Next.ID community; many communities and DID products share this belief. For example, the Ethereum community formally proposed the concept of account abstraction (abstract accounts) through EIP-2938 to develop smart contract wallets. Another popular new DID product, UniPass, adopts a similar approach.

In other words, by decoupling identity (public-private key pairs) from bank accounts (abstract accounts, wallet addresses), we attempt to establish some new mechanisms, providing solutions to the aforementioned problems:

The loss of a private key does not mean the loss of assets; I can bind the assets associated with a lost private key to a new private key.

  • Method one: social recovery, where good friends with whom you have established connections in the past and have left high-quality interaction records on-chain can provide guarantees for you;
  • Method two: a series of privacy security questions equivalent to the level of a private key can be used to assist in account recovery. For example, what was the name of my childhood pet? Who was my English teacher in high school? etc.;

All relevant abstract accounts (Web2 IDs, Web3 abstract accounts) can be directly bound and managed under a single digital identity (public-private key pair), which we refer to as a digital avatar in Next.ID. Remember the classic movie "Avatar"? The paralyzed human Jake controls a healthy Na'vi body through a neural connection. Isn't it similar to how we will control a digital avatar in a metaverse in the future? As shown in the diagram:

image

Alright, up to this point, we have roughly outlined the idea that "the fundamental definition of DID identity is the public-private key pair." Of course, the issue of private key management for DID still requires the entire Web3 community to explore together, aiming to lower the usage threshold in the future through social recovery and personal privacy questions equivalent to key levels.
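
The decoupling described above, as an added example that is not code from Next.ID, UniPass or EIP-2938: a Python model of an account whose owner key can be replaced by a threshold of guardians (social recovery, method one), so the account and its balance survive the loss of a key. Keys and guardians are plain strings standing in for public keys, signature checks are assumed to happen before these methods are called, and the class and method names are hypothetical.

```python
import secrets


class RecoverableAccount:
    """Account identity (account_id) is kept separate from the key that controls it."""

    def __init__(self, owner: str, guardians: set, threshold: int):
        if not 1 <= threshold <= len(guardians):
            raise ValueError("threshold must be between 1 and the guardian count")
        if owner in guardians:
            raise ValueError("the owner key must not be its own guardian")
        self.account_id = secrets.token_hex(8)  # stable; not derived from any key
        self.owner = owner
        self.guardians = frozenset(guardians)
        self.threshold = threshold
        self.balance = 0
        self._approvals = {}  # proposed new owner -> guardians who approved it

    def spend(self, caller: str, amount: int) -> None:
        if caller != self.owner:
            raise PermissionError("only the current owner key may spend")
        if amount < 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount

    def approve_recovery(self, guardian: str, new_owner: str) -> bool:
        """Record one guardian's vote; rotate the owner once the threshold is met."""
        if guardian not in self.guardians:
            raise PermissionError("caller is not a guardian")
        votes = self._approvals.setdefault(new_owner, set())
        votes.add(guardian)  # a set: repeat votes by one guardian count once
        if len(votes) < self.threshold:
            return False
        self.owner = new_owner
        self._approvals.clear()  # stale votes must not count in a later recovery
        return True


if __name__ == "__main__":
    # Constructed sample: key "lost-key" is gone, two of three friends vouch.
    acct = RecoverableAccount("lost-key", {"alice", "bob", "carol"}, threshold=2)
    acct.balance = 100
    acct.approve_recovery("alice", "new-key")
    rotated = acct.approve_recovery("bob", "new-key")
    print(acct.account_id, rotated, acct.owner, acct.balance)
```

Real deployments usually also add a waiting period during which the current owner can cancel a pending recovery; that is left out here.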

Have we considered DID from first principles?

Recently, the regulatory storm around Tornado Cash has made many Web3 practitioners apprehensive. Directly freezing addresses, and even banning all addresses that have had transaction records with them, is a practice reminiscent of "punishing the whole family," raising doubts about the censorship resistance of Web3 and shaking people's faith in it.

At the same time, many DID projects on the market are simply aggregation services: on-chain and off-chain accounts, with or without a risk of leaking personal information, are all lumped together. Does this mean that, in today's world where privacy protection technologies like zero-knowledge proofs are not yet fully mature, we are directly handing ourselves over to allow regulatory agencies to sweep us all up?

Quite awkward.

Is it possible that DID projects are too focused on the needs of the project parties and have neglected the real needs of users?

From the user's perspective, an overall implementation plan for a DID system not only includes the "defining DID identity as a public-private key pair" we discussed in the previous section but also includes at least two higher levels:

  • On one hand, within this plan, any DID identity should safely meet the concurrent call traffic of all dApps that require authorized information while providing a smooth experience comparable to Web2's OpenID/OAuth, making user operations "foolproof" and easy, allowing login to be completed with just a click or two;
  • On the other hand, all Web2 accounts bound to that DID identity, such as Twitter (of course, your Twitter must also be actively depersonalized, with no real name or real avatar, like the famous NFT OG 6529, who never reveals their true identity even when attending conferences), and Web3 abstract accounts like smart contract wallets, can be aggregated together while protecting user privacy. Even if "doxxed," it would be impossible to know who the user is in the real world; ultimately, it would only lead back to an online virtual identity, a string of numbers.

What would a "one-click login" look like for users in Web3?

In the Web2 era, every user is familiar with one-click login in apps. The user experience is convenient, and there is no need to enter annoying passwords.

image

Benefits of logging into apps for users:

  • A password is only required during the first registration;
  • Subsequently, users can always log in using QQ, WeChat, or Alipay.

At the same time, the downsides for users are:

  • Data sovereignty is not in their hands. They use the account systems provided by platforms (QQ, WeChat, Alipay);
  • They passively accept various ads based on privacy information, with no choice.

Web3 accounts, while helping to reclaim data sovereignty, still face the question: can account authorization and usage be as seamless as Web2's one-click login?

The Next.ID community has proposed the idea of AuthService to attempt to solve this engineering problem. Its design process is as follows:

image

  1. Users use Next.ID's AuthService SDK to perform account authorization operations for dApps, with data sourced from sub-user bindings to ProofService;
  2. The authorization operation is verified through a VPS (Virtual Private Server) deployed by the user;
  3. Upon successful verification, the user specifies which scope of their account's related privacy information can be opened.

The key first step is to log in to the dApp using Next.ID:

image

The third step is to specify which account's data to open during authorization:

image

Finally, in the fifth/sixth steps, specify which data of the account to open:

image

This concludes the content of this article. In future articles, we will continue to discuss topics related to "privacy" and "security," and further explain the VPS (Virtual Private Server) concept behind AuthService.

Thank you for reading, and feel free to comment and share. The open-source community Next.ID sincerely invites you to join us in advancing the DID ecosystem.


About Next.ID

Next.ID is the world's first protocol providing services for decentralized identity (DIaaS) and is about to launch public testing. It is a decentralized identity aggregation protocol that integrates all Web2 and Web3 digital identities, providing a comprehensive and verifiable identity database for open-source developers and projects to facilitate innovation and development of dApps.

As the world's first protocol providing services for decentralized identity (Decentralized-Identity-As-A-Service, DIaaS), Next.ID has created an identity infrastructure that securely aggregates users' identities into Avatars (user digital avatars generated based on cryptographic keys). In the Web3 ecosystem, Next.ID will become the identity aggregation gateway for various decentralized social protocols and dApps.
