The complete guide to Web3 authentication
Authentication is hard. Sessions, JWT, 2FA, Single Sign-on... Solving this challenge is so hard that companies it has made the companies solving it worth billions. At the core of this difficult coding problem, we find something of great value: user data.
Your data as a user is worth a lot of money. This is the foundation of the web2 economy: interacting on the different platforms allows companies to tailor advertising and fuel the consumption economy. Web3 technologies embrace a different mentality, one based on owning your own data anonymously. This means we have to rethink authentication when it comes to Web3.
This post will explore the building blocks of Web3 authentication and explore the best practices around it.
Building Blocks
Web3 authentication moves the location of user-based data in the open. Most user data lives on the blockchain, let's examine the different parts:
Wallets: The termwalletis confusing for a number of reasons. It leads us to think that we own coins and assets inside it. This wallet is instead software that is built to let you interact with the blockchain. These assets are instead managed on the blockchain itself.- Your
Address: is the way that the blockchain publicly identifies you. It is created by the wallet using aprivate keythat only you should own. This key is used to derive youraddressand approve transactions. Approvingtransactions: approving a transaction means that your wallet will use your private key to perform a cryptographic signature. In simple terms, you are signing that you agree to a transaction to happen. This is almost the same as using your PIN at the ATM. When you approve a transaction, it will be submitted to the blockchain.Signinga message: this is really similar to approving a transaction but you are simply digitally signing a message that can be safely validated. Nothing actually happens on the blockchain when signing a message.
Phew! That's a lot to think about. Armed with this new information, we come to an understanding:
In Web3 authentication is fully controlled by the user's wallet.
In order to create a good Web3 site, we will need to focus 100% of our development effort around respecting their privacy, users have full control over their wallets and we will need to constantly listen to the state of it to provide good UX.
Any interactivity with your application will mean getting permission from the user to connect, approve or sign data. This means we have to understand the different wallets that we will need to interact with. The different wallets providers are all different but there is a growing effort to standardize the API they offer. Let's explore the main ones.
Popular wallets
- (Metamask)[https://metamask.io/] is the most commonly supported
wallet out there. It works by injecting an
ethereumobject in the globalwindow. Most popular npm packages support it. - (Wallet Connect")[https://walletconnect.com/] is a protocol that allows wallet applications to establish a secure connection to applications. the most common way to use it is by scanning a bar code to link to mobile phone wallets.
- (Coinbase Wallet)[https://www.coinbase.com/wallet] is the official wallet of a really popular cryptocurrency exchange. They are available either as a browser extension or a mobile application.
The more wallets you support the more users can get!
Typically, popular applications will look to support all of these wallets. More experienced web3 users will typically be happy with connecting via Metamask but it is better to support the most wallets you can.
Connection flows
Now that we know which wallets are popular and that we should support them, we can try and understand what will be useful for our applications. Typically we will need to make sure about a couple of things before we allow a user to interact with our web3 application:
- Users approve connecting their wallets
- They are using the right Blockchain network
- Have them sign a message allowing them use our services (optional)
Let's explore a full React hook doing the first two steps using the Wagmi Library:
import { useEffect, useState } from "react";
import { useAccount, useConnect, useNetwork } from "wagmi";
import { utils } from "ethers";
import { usePrevious } from "./usePrevious";
export function usePrevious(value) {
const ref = useRef();
useEffect(() => {
ref.current = value;
}, [value]);
return ref.current;
}
export const useUserState = (route?) => {
// wagmi hooks that handle talking to metamask
const [{ data }, disconnect] = useAccount();
const [{ data: connectData, error: connectError }, connect] = useConnect();
const [{ data: networkData, error: networkError }, switchNetwork] =
useNetwork();
// states that are used to control the UI
const [state, setState] = useState("notConnected");
const [loading, setLoading] = useState(false);
const [isSwitching, setIsSwitching] = useState(false);
const previousWalletState = usePrevious(data?.address);
const prevUserState = usePrevious(state);
const shouldSwitchNetwork =
state === "wrongNetwork" && loading && !isSwitching;
// effects watching wagmi state to reflect the UI
useEffect(() => {
if (!window.ethereum) {
setState("noMetamask");
return;
}
// wagmi starts undefined, so we need to wait for it to hydrate
if (previousWalletState && !data?.address) {
setState("notConnected");
return;
}
if (data?.address && networkData.chain?.name === "Rinkeby") {
setState("connected");
return;
}
// if we're connected the next step is to check if we're on the right network
if (data?.address && networkData.chain?.name !== "Rinkeby") {
setState("wrongNetwork");
return;
}
}, [data?.address, networkData.chain?.name]);
useEffect(() => {
if (connectError || networkError) {
setLoading(false);
}
}, [connectError, networkError]);
// effects controlling flows after the login
useEffect(() => {
if (shouldSwitchNetwork) {
handleSwitchNetwork();
}
}, [state, prevUserState]);
const handleSwitchNetwork = async () => {
if (switchNetwork) {
setIsSwitching(true);
await switchNetwork(4);
setIsSwitching(false);
}
};
const handleConnect = async () => {
setLoading(true);
if (state === "notConnected") {
try {
await connect(connectData?.connectors[0]);
} catch (e) {
setLoading(false);
}
}
if (state === "wrongNetwork") {
await handleSwitchNetwork();
return;
}
};
const handleDisconnect = () => {
disconnect();
};
return {
handleConnect,
handleDisconnect,
userState: state,
loading,
};
};As we can see, even implementing a simple 1 click button to handle the network and connection request is quite heavy code!
In this snippet, we encourage the user actively to switch to the Rinkeby test network. Test networks are a great place to develop your applications.
They provide you with free test cryptocurrencies in order to ensure your applications are working well.
UX best practices for web3 authentication.
We might now have a single function to connect and disconnect our users! This is great but we should still ensure our users have a great experience when it comes to using our website and connecting to it.
Don't force your users to connect too quickly!
Some sites tend to separate the app and landing page part of their Web3
sites, forcing users to authenticate before even interacting with the
application. This should be avoided! Web3 is meant to be open and inclusive.
Do not aggressively request your user's to authenticate. Wait until they
want to interact with the site!
A few other cues to provide a great user experience while authenticating users:
- Make your connect button visible and accessible. Users cannot request on their own a connection.
- Avoid layout shifts. Use skeletons and loading states while your users are connecting.
- Be active in catching authentication errors, wallets are a recent piece of technology, errors happen often!
- Communicate and explain what you are requesting from your users. Web3 users value their privacy.
User experience matters a great deal even in Web3!
Wrapping up.
Web3 authentication is a big topic. It's evolving every day. This is why I created this blog. I am dedicated to making it easy to work in the web3 field.
You can always support this effort by following me on Twitter!