Authenticated comms between wallets & apps

June 26, 2024

Written by: Bruno Martins

Overview 

Digital wallets are a critical component of the Web3 ecosystem, enabling users to interact with decentralized applications (dapps) and manage their digital assets. 

Wallets can be used for a variety of purposes, including identity and credential management, payments, authentication, holding digital assets, and interaction with distributed ledgers where account and transaction management is required. 

Communication between wallets and apps 

One of the key challenges in the Web3 ecosystem is enabling secure and authenticated communication between wallets and apps. This is essential for ensuring that users can interact with dApps securely, privately, seamlessly, and in a manner where they retain control over their data, assets, and keys. 

Critical infrastructure inflow of information 

Digital wallets lack standardization, and each ecosystem has its own custom standards for authentication and/or communication between apps and wallets. In the context of Web3, products are often adopted rather than open standards. 

Any party in the middle of the flow of information between wallets, apps, and verifiers has a lot of power and can potentially abuse it. 

WalletConnect

WalletConnect is a centralized and permissioned solution that requires a server to relay messages between wallets and dapps. Over the years WalletConnect has become the de-facto standard for connecting wallets to dApps in the web3 ecosystem. However, WalletConnect is a product that is part of the flow of information between wallets and apps, and therefore should be considered critical infrastructure, and should be standardized and open. 

We should avoid it because it is: 

  1. Centralized: WalletConnect is a centralized solution that requires a server to relay messages between wallets and dapps. 
  2. Permissioned: Apps need to be whitelisted by WalletConnect to use its service. Ecosystem developers need WalletConnect's acceptance and permission to build on top of their protocol and add functionality to apps and wallets communicating with each other. 
  3. Unauthenticated communication: WalletConnect does not provide authenticated communication between wallets and apps. 
  4. A signal of the lack of maturity for Web3: While other industries that need digital wallets have adopted open standards, the Web3 community has not. This signals a lack of maturity for Web3 and adds friction points for this technology to be adopted by the mainstream. 

WalletConnect has actually proven that it fails to comply with the principles of decentralization. An example of this was the banning of certain IPs by the relayer

For the industry to mature and to be more attractive to serious integrators we should move away from centralized and permissioned solutions and adopt open standards for authentication and communication between wallets and apps. 

Blockchain technological bubble 

Web3and specifically the blockchain industryis in a technological bubble where custom standards, protocols, and products are being adopted rather than adhering to open standards. This is true for key management systems (which I've written about previously), authentication techniques, communication protocols, hardware wallets, etc. This is a problem because it signals a lack of maturity. Some of those components should be considered critical infrastructure and should be standardized and open. 

Standardization and interoperability of digital wallets 

In the broader context of digital wallets, the industry and open working groups are working on adopting open standards for authentication and communication between wallets and apps. An example is the work currently being done by the Open Wallet Foundation, of which the Algorand Foundation is an associate sponsor. It is compiling a set of open-source tools, using open standards and protocols to build interoperable wallets. Part of this work is to define a set of standards for authentication and communication between wallets and apps. 

Relevant open standards 

Authentication

  • FIDO2 / passkeys: These are open standards for authentication and are widely adopted by several industries. They are also supported by most modern browsers and native APIs are available for in most operating systems.
  • WebAuthn: This is a web standard for authenticating users to web-based applications. It is supported by most modern browsers and is a W3C recommendation. 

Communication 

  • DIDComm: This is a secure and private communication protocol that enables secure and private communication between wallets and apps. It is based on the decentralized identifiers (DIDs) and verifiable credentials (VCs) standards. 
  • WebRTC: This is a free, open-source project that provides web browsers and mobile applications with real-time communication via simple application programming interfaces. It is supported by most modern browsers and is a W3C recommendation. 

LiquidAuth 

And this is where we introduce LiquidAuth. 

LiquidAuth is a decentralized and open-source solution that enables authenticated communication between wallets and apps in a peer-to-peer (P2P) manner. It leverages open protocols and standards such as FIDO2 / Passkeys, WebRTC, STUN & TURN servers. 

Design principles 

  • Context agnostic: LiquidAuth is designed to be context agnostic and can be used in any Web2, or Web3 application. It can be used for identity, payments and/or any other type of wallet. 
  • Decentralized: LiquidAuth is a decentralized solution that does not require a central server to relay messages between wallets and apps. 
  • Open source: LiquidAuth is an open-source project that is free to use and modify. It is licensed under the MIT license. 
  • Secure: LiquidAuth is designed to be secure and uses open standards such as FIDO2 / passkeys for authentication. 
  • Privacy: LiquidAuth is designed to respect user privacy and does not store any user data. 
  • Interoperable: LiquidAuth is designed to be interoperable with other web3 technologies and standards. 

Conceptual architecture 

The conceptual architecture of LiquidAuth is designed to achieve authenticated communication between wallets and apps in a peer-to-peer (P2P) manner. It leverages open protocols and standards such as FIDO2/ passkeys and WebRTC.

 

The architecture consists of the following main components: 

  • App/server: This component represents a web (d)app and its infrastructure. It includes a FIDO2 compliant server, a server that is compliant with the FIDO2 standard and responsible for registering and authenticating users. 
  • WebRTC client/server: This component establishes a P2P connection between the app and the wallet, enabling real-time communication. 
  • Signaling server: A server that facilitates the establishment of the WebRTC connection between the app and the wallet

To establish a P2P connection, LiquidAuth utilizes a STUN server by default. The STUN server helps clients discover their public IP addresses and ports, enabling them to establish a direct connection. However, in cases where firewall rules block incoming traffic on the negotiated port, a TURN server is introduced. A TURN server relays traffic between clients that cannot establish a direct connection, making it useful for clients behind symmetric NATs or firewalls. 

  • Liquid client: The liquid client package is a reference implementation of the adopted standards and protocols. Wallets built with LiquidAuth will support FIDO2 and passkeys, webRTC P2P comms, and a fallback method for when P2P comms are not possible through a TURN server (configured, default or the one the app will provide). 

LiquidAuth agnosticism 

Even though this was built initially for the Algorand ecosystem, LiquidAuth is designed to be context agnostic and can be used in any Web2, or Web3 application. It can be used for identity, payments and/or any other type of wallet. 

An invitation to other Web3 ecosystems 

We have a common enemy in centralized infrastructure and first-mover products that have become critical infrastructure in the place of open standards and protocols. We invite other Web3 ecosystems to join us in the development of LiquidAuth and to adopt it as a standard for authenticated communication between wallets and apps. 

LiquidAuth is fully open source, with no custom standards. We currently have Algorand wallet, app samples and demos, but we are looking to expand it and make it open to be used in any context and any Web3 ecosystem. 

How to get involved 

If you are interested in contributing to LiquidAuth, please visit: 

  • LiquidAuth Services & Sample apps 
  • LiquidAuth Android Client 
  • LiquidAuth JS Client 

And let us know that you are interested in adopting, and developing in LiquidAuth. We can help you with the integration and provide support. 

Also, feel free to reach out to bruno.martins@algorand.foundation if you want to have a discussion around LiquidAuth. 

Conclusion 

In conclusion, LiquidAuth is a cross-ecosystem proposal for a decentralized and open-source solution that enables authenticated communication between wallets and apps in a peer-to-peer (P2P) manner. And a proposal for us to live by the ethos of decentralization and open standards in the web3 ecosystem that we claim to support.