Introducing Web3 Authentication

Category
Engineering
Published

Clerk is saving Web3 developers from the greatest evils of the Web2 platform: cookies, multifactor authentication, and profile enrichment

Clerk is launching our first Web3 authentication factor - Sign in with Metamask!

This launch is the result of dozens of developer interviews, focused on understanding if and how Clerk can contribute to the Web3 ecosystem.

It didn't take long before we discovered three common challenges that we can help Web3 developers with immediately: securing sessions, multifactor authentication, and profile enrichment.

Securing Sessions

First and foremost - we found a near-ubiquitous challenge around securing sessions. It's a two-part problem:

  1. How do you verify that a user owns a Web3 account?
  2. How do you safely create a session to persist the user's account information?

Verifying the owner of a Web3 account

It's easy to find out which Web3 account address a user visiting your website with Metamask connected is presenting - insecurely, since nothing here proves ownership - just run the following JavaScript:

await ethereum.request({ method: 'eth_accounts' })

Verifying that the user actually controls the returned address, however, is significantly more challenging: the address is client-supplied data, so anyone can claim any address. Developers must ask users to sign a message with their wallet key (a signing request, not an on-chain transaction) and then verify the signature server-side. The signing formats have undergone several protocol revisions and are hard to keep up with, and the message itself needs care: it must carry a server-issued one-time nonce bound to your site and an expiry, or a signature captured once can be replayed to log in again, here or on another site that uses the same message.

This is where Clerk steps in - all the work of requesting the signature and verifying it is abstracted away, and wrapped in a <SignInWithMetamask/> button.

Persisting a session

Let's be honest - persisting a session isn't a Web3 challenge at all, but it is one that Web3 developers must endure by virtue of operating in Web2 browsers.

We know Web3 developers don't want to think about things like httpOnly cookies, XSS attacks, and session revocation. Web2 developers don't either, and that's why built-in session management is the foundation of every authentication product at Clerk. We use short-lived, stateless JWTs: a request is authenticated by checking the token's signature locally, in under 1 millisecond and with no database round trip, and because the tokens are short-lived, revoking a session takes effect in under 1 minute, as soon as the last token issued for it expires. We follow all the best practices so you can focus on building your application.

Multifactor authentication

Sign in with Metamask uses the same abstraction as our other authentication factors like passwords or magic links.

Because of this, Clerk's multifactor authentication works with Metamask users out-of-the-box. Users simply need to navigate to their user profile and opt-in to multifactor authentication. There's no extra work for the developer beyond mounting a <UserProfile/> component, or redirecting to the Clerk-hosted component.

Profile enrichment

Off-chain profile enrichment is a topic of much debate in the Web3 community. Ideally, data like email addresses and phone numbers could be retrieved on-chain following the principles of self-sovereign identity.

But as of today, there are no standard protocols for retrieving this data. As a result, top Web3 companies like OpenSea still collect and verify email addresses off-chain.

Clerk enables developers to easily do the same. We provide simple helpers for collecting and verifying phone numbers, email addresses, and even OAuth accounts. Beyond that, we accept structured data like names and profile photos, as well as provide a generic metadata field for bespoke profile enrichment.

In the future, we look forward to enriching profiles in a more decentralized manner. Today, we hope this mechanism can help bridge the gap from Web2 to Web3.

Try it out!

Try out our guide for installing Web3 authentication. The guide will get you started with a new Next.js application with Metamask authentication.

Future roadmap

This launch is the first of many upcoming Web3 launches. Our rough roadmap ahead includes:

  • Sign in with Ethereum - we know that Metamask alone is a little limiting and will add generic Ethereum support soon
  • Authorization via Token Gating - In the Web2 realm, our team is actively building authorization via Roles and Permissions. We see many parallels to Web3 authorization via token gating, and are approaching the primitives in a way that will support both.
  • Multi-chain support - Because we fully anticipate a multi-chain future

Need something we didn't mention? Please reach out through any of our support channels - we're still defining this roadmap and very interested to hear how we can better meet your needs.

Author
Colin Sidoti