Web3 access controls: How zero-knowledge encryption can secure user access

Web3 is the much-anticipated “next generation” of the internet. 

But while its concrete definition — and indisputable arrival — remain pending, one for-sure consensus is that this next iteration of the World Wide Web will effectively eliminate the password. No more coming up with unique passwords containing a confusing mix of upper and lowercase letters, numbers and special characters. 

So, then, how will we access it? And how will we know that that access is secure? 

The key, according to experts, is next-level authentication methods enabled by zero-knowledge encryption and proofs. 

“Zero-knowledge encryption is a fundamental technology for realizing the potential of Web3,” said Alex Pruden, CEO of privacy platform provider Aleo. “This is the most important new technology that no one is paying attention to. From identity to machine learning, from commerce to gaming, (zero knowledge) will change the way we interact online.”

But what is zero-knowledge encryption?

With zero-knowledge encryption, data is secured with unique user keys. Admins and developers do not know them or have access to them, meaning that no one but the user can access their encrypted files, Pruden explained. 

This is enabled through zero-knowledge proofs, which can “verifiably prove” that a statement is true without disclosing the underlying information. Unlike more familiar forms of encryption — such as end-to-end models used in private messaging apps, by which only users and senders can view information — zero-knowledge cryptography allows for information to be “private and usable at the same time,” said Pruden. 

He offered what he described as a “trivial example” of the concept: You can prove that you know the solution to a sudoku puzzle without revealing just how you know it. Or, you can simply give a “yes” or “no” answer to the question of whether you are over age 18 — without having to reveal your actual age or birthday. 

This allows for a “more granular set of use cases” than traditional encryption, said Pruden; it can answer the question, “How can I prove a fact about something without revealing the something?”

“With a zero-knowledge proof, you can verify that you’re a trusted individual without exposing any information about yourself,” he said. 

Pruden ultimately called the method “extremely well suited” to identity verification in Web3, because it protects individuals and the various systems that organizations must keep secure. 

And…what exactly is Web3?

While the Web3 framework is still a work in progress, its premise was coined by Gavin Wood, cofounder of Ethereum. It is what is known as “read-write-own,” according to the decentralized open-source blockchain, “embraces decentralization and is being built, operated and owned by its users.”

Gartner similarly identifies Web3 as “a new stack of technologies built on blockchain protocols that support the development of decentralized web applications and enable users to control their own identity, content and data.”

These include privacy-preserving protocols, decentralized governance and decentralized application platforms, explained Avivah Litan, Gartner distinguished research VP.

“These innovations will eventually support a decentralized web that will integrate with the current Web 2.0 we use every day,” she writes.

Ultimately, Web3 supports user ownership of data and algorithms through decentralized identity (DCI) constructs, tokenization and self-hosted wallets, she explained. DCI uses decentralized computing, which leverages zero-knowledge proofs and “least privilege.” 

This means that users “can assert aspects of their identity” without sharing data. “This will increase the focus on and awareness of privacy,” Litan writes, “with users having control and making conscious decisions about which identity attributes are being shared with service providers.”

Several disruptive benefits

And, in the long term, a “portable and reusable” DCI that enables privacy and security “will be a required building block of the transition away from Web2 toward Web3 and to enable interoperability across emerging metaverse environments,” writes Litan. 

Ultimately, Gartner predicts that by 2027, social media platforms will shift from a “customer as product” to a “platform as customer” model of decentralized identity. 

“The current paradigm of users having to prove their identity repeatedly across online services is not efficient, scalable or secure,” Gartner stated in its report on top predictions for IT organizations and users in 2023 and beyond. 

Web3 enables new decentralized identity standards with “several disruptive benefits,” according to Gartner, including giving users more control over what data they share, ultimately removing the need for repeated identity proofing across services and supporting common authentication services. 

Zero-knowledge encryption in Web3

Pruden pointed to pervasive database hacks that compromise login information, financial information and other personally identifiable information (PII).

It’s these “honeypots” of valuable data that decentralized identity aims to eliminate, he said. Transforming this existing model, logins can simply require zero-knowledge proofs that verify credentials; and payments can be completed without handing over credit card or other sensitive banking or financial data.

In the end, the user maintains ownership of their credentials and only provides proofs when they need to authenticate themselves for a given service, Pruden said.

This is also a better model for organizations, he pointed out, because they no longer have the potential liability of maintaining and securing “user secrets.” 

And, by incorporating zero-knowledge encryption into the infrastructural level of the decentralized internet, any applications will be able to incorporate privacy into their functions.

In the same way that transparent layer security (TLS) encryption enables web commerce, “this is a key unlock,” said Pruden.

Zero knowledge does this for Web3, he said, “but also makes it possible for Web2 and Web3 to interoperate seamlessly.”