Web3 Identity and Web3 Security: What you need to know!
For this new episode of #Braavosianstalk, our host Motty Lavie, Braavos’ Founder & CEO, and Bertrand Blancheton, Head of Marketing, are joined by Fricoben, CEO of StarkNet.ID. This Q&A series clarifies the concept of Web3 Identity and explains why combining it with a Smart Contract Wallet is important. They also discuss technical concepts and explore the evolution of StarkNet.
• Can you give an introduction to Web3 identity in general?
• Is the concept of web3 identity important when building a wallet?
• What are the elements that can constitute a crypto identity?
• When creating a new domain name, should I consider having multiple handles?
• Are domain names another layer of security in addition to the Account Abstraction Security Pyramid?
• How can we differentiate what is true two-factor authentication and what is not?
• Can you explain how hackers operate when they try to hack user accounts?
• If someone finds my seed phrase, can they steal my funds when I have the Hardware Signer enabled?
Q: Many people aren’t aware of how important the concept of identity is in crypto. Can you give us an introduction to Web3 identity in general?
Web3 identity is currently one of the biggest product-market fits in the crypto space. This is because the recent bull run has demonstrated that people are interested in usernames via domain names and NFTs to use as their profile pictures, as well as credentials tied to soulbound tokens. All of these elements comprise your Web3 identity, as they represent data that you want to include in your profile. Our goal at StarkNet.ID is to enable users to create an ID or passport that unifies all of the data representing their on-chain identity. Our current focus is primarily on StarkNet’s naming service, and we plan to subsequently focus on enabling users to feature their NFT profile pictures on all of StarkNet’s protocols, including wallets.
In essence, Web3 identity refers to all the data that you want to share with the world and all the data that qualifies you as a user. This includes the name and image that represent you, as well as all of your activity on the blockchain.
Q: Motty, what is your point of view on what Fricoben explained? Is Web3 identity important when building a wallet?
Web3 Identity is incredibly important when building a wallet, especially for us at Braavos. As Fricoben can attest, I was a big proponent of having an ENS on StarkNet because at Braavos, everything is about providing the best possible user experience. We pour our heart and soul into ensuring that our users’ funds are safe, and that they are protected against phishing attacks or malicious software, while also helping them avoid making mistakes.
To be frank, transacting with protocols or other wallets using 62-character addresses on StarkNet is not user-friendly at all. On the other hand, using a domain name is much more user-friendly because it’s easier to remember and less prone to typos or errors. That’s why we’re big fans of the StarkNet.ID project, and why we recently decided to give each and every Braavos user a free subdomain.
Q: We discussed domain names and profile pictures, but identity is a much broader concept. What are the other elements that can constitute a crypto identity?
Several other elements can constitute a complete crypto identity, but I’ll focus on four that we’ll be working on in the coming months and years. The first one, as you already know, is the domain name. This feature is already live on mainnet, and we’re still working on improving it. The second element is the profile picture, which was a huge hit during the last bull run and remains popular today as the biggest NFT collections are still profile pictures. This is a major aspect of web3 identity, and StarkNet.ID will soon integrate profile pics linked to your domain name, so every time someone searches your domain name, your profile picture will also appear.
For example, if you visit your Braavos wallet right now, you can see the image of that identity on the left-hand side. Our goal is to enable users to change this image with a StarkNet NFT. If you have, for instance, a duck from the Briq collection, you’ll be able to set up your duck as your profile pic on StarkNet.ID, so all the protocols that already use .stark names will also display the profile pictures of StarkNet.ID users.
Thirdly, we aim to add credentials with Soulbound Tokens (SBTs) that can serve as rewards for quests, as well as diplomas, attestations, and so on, similar to what you do in the Braavos community.
And last but not least, we want to add proof of humanity and KYC because we believe these two features will be significant in the next few years. This is because of regulation but also due to the StarkNet.ID DAO and our desire to incorporate Sybil resistance to votes.
So, in summary, we’re working on four elements for a complete crypto web3 identity: domain names, profile picture NFTs, credentials with SBTs, and proof of humanity.
Q: When buying or creating a new domain name today, should I consider having two different handles – one for my crypto Web3 identity and one that is more professional?
You can do whatever you want; there are no hard and fast rules. You could even use subdomains to create multiple identities. For example, I have three wallets, so I have ‘fricoben.stark’ as my public wallet, ‘deployfricoben.stark’ for my development wallet that deploys all the contracts I’m calling, and a private wallet for all my risky investments. So, you can have multiple identities through different domain names or subdomains.
Q: Let’s talk about security. Are domain names another layer of protection, in addition to the Account Abstraction Security Pyramid?
These two features are complementary. Domain names are excellent for establishing Web3 identity and interacting in a human-readable way. For instance, if I need to send money to Ben, I can easily send it to ‘fricoben.stark’ instead of requiring him to send me a lengthy address. This dramatically improves the user experience and reduces the number of errors.
On the security front, we’ve used the power of Braavos as a smart wallet to introduce true multifactor authentication to the crypto space. While wallets like Gnosis and others have multiple signers, they only use one factor – “something you know” – as two different authenticators.
However, there are three main categories of authentication:
- “Something you know”, like a password or seed phrase.
- “Something you have”, such as a physical device or USB key and so on.
- “Something you are”, related to your physical being, such as your face or fingerprint.
This is becoming more common in the traditional Web2 and TradFi world, but it doesn’t exist in crypto because most blockchains cannot verify these things on-chain.
Nonetheless, we were able to introduce genuine multifactor authentication with the assistance of account abstraction, low gas prices, and clever cryptography at Braavos. Instead of relying solely on “something you know,” we offer all three authentication categories to crypto users. This is a groundbreaking change for the space, and it comes with a smooth user experience: when the Hardware Signer with two-factor authentication is activated, signing transactions is the same as paying with Apple Pay or Google Pay. I believe it has the potential to be a real winner and certainly improve the overall crypto user experience.
Q: How can users tell the difference between true two-factor authentication and what is not?
When it comes to differentiating between types of authentication, users should ask themselves, “Is it something I know, something I have, or something I am?” This is the easiest way to distinguish between the various types of authentication. For instance, if it’s a password or a seed phrase, it falls under “something you know” rather than “something you have” because someone else could potentially know it too. If it’s a physical device, then it falls under “something you have” because if you have it in your possession, no one else has it in their possession. And if it’s “something you are,” like your face or fingerprint, it’s unique to you, making it “mission impossible” grade for someone else to have it. By using this approach, users can better understand the different types of authentication and advocate for true two-factor authentication that includes at least two of these categories.
It’s important to note that the Hardware Signer is already two-factor authentication, as it uses “something you have” (the security chip on your mobile device) and “something you are” (biometric approval with face ID or fingerprint recognition). This makes the Braavos crypto wallet 2FA. When laptop signing is added to Braavos, it will introduce another factor of authentication (something you know), and users will have a 3FA crypto wallet – three-factor authentication in a fully decentralized way.
Q: We never mentioned the hackers themselves. Can you explain how they operate when they try to hack user accounts?
In the crypto world, hackers use different tactics to steal users’ funds. The most common methods used are social engineering and malware attacks. Social engineering attacks are often referred to as “seed phrase phishing” where the attacker creates a fake website that mimics a popular dApp like Uniswap or Sushiswap. When the user logs in, they are asked to enter their seed phrase, and sadly, many users fall for this trick. This mistake is not the user’s fault; rather, it’s a failure of the crypto industry to provide better security solutions for users.
The second most common attack vector is malware. The user may unwittingly download malware from a fake program or a file that an attacker sends them. Once the user opens the file, the malware runs in the background, searching for the wallet and stealing the seed phrase.
With Hardware Signer and Multi-Signer (2FA and 3FA), these attacks have no way to succeed. As the user doesn’t even know their private key, they cannot be tricked into giving it to attackers. Even if the user gives their seed phrase, the attacker needs the user’s mobile device and biometric Web3 identity to complete the transaction.
Q: So if someone finds my seed phrase, can they steal my funds when I enable the Hardware Signer?
They still couldn’t steal your funds even if they have your seed phrase. They would need to get a hold of your physical device + biometric identity to sign transactions, which are verified on the blockchain. This means that the Hardware Signer provides an additional layer of security, making it extremely hard for hackers to access your funds.
The only action a hacker could take with the seed phrase is to request the removal of the Hardware Signer from your account. However, this request comes with a time delay of four days, during which you will receive notifications that someone is trying to remove the Hardware Signer from your account. If this happens, you can cancel this request and transfer your funds to a new wallet. The purpose of this request is to enable you to recover your funds if your device is lost, stolen or damaged beyond repair. The time delay will be configurable in the future.
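The time-locked removal flow described above, as an added model that is not Braavos’ code: the seed signer alone cannot move funds while the Hardware Signer is enabled, it can only request removal, which takes effect after a four-day delay unless the Hardware Signer cancels it. Signer names, the in-memory event log and the timestamp handling are assumptions made for the example.

```python
# Added example: a simplified model of the Hardware Signer removal escrow.
# This is not Braavos' implementation; names and timing handling are assumed.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

REMOVAL_DELAY = 4 * 24 * 3600  # four-day delay, as stated in the text (seconds)


class Signer(Enum):
    SEED = "seed"          # "something you know"
    HARDWARE = "hardware"  # "something you have" + "something you are"


@dataclass
class Account:
    hardware_signer_enabled: bool = True
    removal_requested_at: Optional[int] = None
    balance: int = 100
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # owner notifications

    def transfer(self, signer: Signer, amount: int, now: int) -> bool:
        # With the Hardware Signer enabled, only it may authorise a transfer;
        # a leaked seed phrase on its own is rejected.
        if self.hardware_signer_enabled and signer is not Signer.HARDWARE:
            self.events.append(("transfer_rejected", signer.value, now))
            return False
        self.balance -= amount
        return True

    def request_hardware_signer_removal(self, signer: Signer, now: int) -> bool:
        # Recovery path: the seed signer may only *request* removal, which starts the timer
        # and notifies the owner. A second request while one is pending is ignored.
        if not self.hardware_signer_enabled or self.removal_requested_at is not None:
            return False
        self.removal_requested_at = now
        self.events.append(("removal_requested", signer.value, now))
        return True

    def cancel_removal(self, signer: Signer, now: int) -> bool:
        # Only the Hardware Signer (device + biometrics) can cancel a pending request.
        if signer is not Signer.HARDWARE or self.removal_requested_at is None:
            return False
        self.removal_requested_at = None
        self.events.append(("removal_cancelled", signer.value, now))
        return True

    def finalize_removal(self, now: int) -> bool:
        # Removal takes effect only once the full delay has elapsed without a cancel.
        if self.removal_requested_at is None or now - self.removal_requested_at < REMOVAL_DELAY:
            return False
        self.hardware_signer_enabled = False
        self.removal_requested_at = None
        return True
```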
Get the Braavos crypto smart wallet with 2FA (2-factor authentication) or 3FA (3-factor authentication) and benefit from the Hardware Signer and Multi-Signer by downloading the Braavos smart wallet for StarkNet on mobile (Android and iOS) and on multiple browsers: Braavos Chrome extension, Braavos Firefox addon, and more.
Again, a huge thank you to Fricoben, CEO of StarkNet.ID, for coming to this exciting talk.