Identity and authentication in the metaverse
This article is part of a VB special issue. Read the full series here: The metaverse – How close are we?
“Metaverse” emerged as one of the major buzzwords of 2021, alongside other notable tech terms such as “NFTs.” While the metaverse concept is not exactly new, having first been coined three decades ago, its surge into the public consciousnesses this year was driven in large part by Facebook and its intrepid CEO and cofounder Mark Zuckerberg.
The company was already investing heavily in virtual worlds through its VR offshoot Oculus, but in October 2021 Facebook revealed that it would start breaking out revenues from its Facebook Reality Labs unit as part of its quarterly earnings report, while it ramps up its AR/VR spending to $10 billion annually. Shortly after, Facebook announced that it was changing its corporate name to Meta to reflect its newfound purpose; then, over the recent holiday period, the Oculus VR app became the most popular app on Apple’s App Store.
So it’s clear that the metaverse is something we’re going to be hearing a whole lot more of in the coming years. But what, exactly, is the metaverse — isn’t it just everyone sitting at home with a VR headset? Not quite. In truth, the metaverse doesn’t really exist yet in any meaningful way. There are games such as Fortnite and Roblox that hint at what the metaverse will look like, replete with avatars, currencies, live events, and big-brand marketing, but they exist in siloed spheres. You can’t hop between Fortnite and Roblox.
Virtual reality in its current form also gives a glimpse, but it’s really just one way of interacting with the metaverse. The metaverse, ultimately, is intended as a synchronous series of interconnected, interoperable worlds that people “live” inside and move between.
The 2nd Annual GamesBeat and Facebook Gaming Summit and GamesBeat: Into the Metaverse 2
“The defining quality of the metaverse will be a feeling of presence — like you are right there with another person or in another place,” Zuckerberg wrote in October. “Feeling truly present with another person is the ultimate dream of social technology. In the metaverse, you’ll be able to do almost anything you can imagine — get together with friends and family, work, learn, play, shop, create — as well as completely new experiences that don’t really fit how we think about computers or phones today.”
Coming from a man who has played such a defining role in shaping social interactions in the 21st century, Zuckerberg’s words carry weight. And given the countless other big-name brands working toward a magical metaverse, from Microsoft to Epic Games, this helps explain at least some of the hype.
But pivotal to the metaverse’s success will be the concept of identity, with people able to traverse between different worlds while retaining the same avatar and individuality — just like they would moving from town-to-town or country-to-country.
In the real world, identity is probably our most important asset — it’s quite literally who we are. And much in the same way as identity and authentication play such an integral part in today’s brick-and-mortar and digital worlds, the metaverse will also require people to claim an identity and permit businesses, organizations, and other virtual citizens to authenticate who they are.
But what lessons can the metaverse creators take from today’s online world when designing their identity and authentication systems, and what will some of the unique challenges be? VentureBeat conversed with some of the people currently considering this very question.
Sean Li and Jaemin Jin are cofounders of Magic, a “blockchain-native” decentralized identity platform that offers infrastructure to help companies ditch password-centric authentication. And although the metaverse — as many envisage, at least — may still be some time off, Magic has at least one eye on this future. “We are already making considerations towards how we can support the metaverse,” Jin told VentureBeat.
According to Jin, the concept of identity is presently siloed in closed systems. In the gaming industry, for example, Valve’s Steam has its own identity ecosystem, as does Blizzard and Riot Games. But the rise of new technologies such as non-fungible tokens (NFT) hints at how things may change in the future.
While NFTs have become somewhat aligned with gimmicky digital art and similar virtual assets, the truth is that NFTs are still in their infancy. NFTs, for the uninitiated, are tokens stored on the blockchain which represent a unique entity — so far, that might mean Jack Dorsey’s inaugural tweet or a viral YouTube video from 2007. However, NFTs could conceivably be used to represent just about any digital “thing” — including someone’s online identity.
“The concept of open interoperability has only started to surface up with the rise of NFT adoption,” Jin noted. “Open interoperability means identities are portable, [and are] able to move across ecosystems. Using gaming as an example, this means you can have your game assets and game track record to be ported across different gaming dapps [decentralized apps]. We’ve just scratched the surface here; the possibilities are endless with open interoperability. It’s important for metaverse creators to have this in mind when developing.”
The metaverse will come with its own unique challenges regarding identity and authentication, meaning that verification systems will also have to evolve.
“What if you own a cryptopunk [an Ethereum-based NFT collection] and you render yourself in a metaverse as that cryptopunk, but then someone else renders themselves as your cryptopunk?,” Li said. “One way to check is to find their wallet address and then check if that wallet owns that cryptopunk. But it would be cumbersome for a user to do that every time they interact with another user. This would require a systemic way to check provenance and trustlessly police the system to prevent impersonation.”
Furthermore, if a single company owns both identity and authentication, it ultimately means that the identity is really only available in that company’s ecosystem. So a Steam account owner will only be able to interact with apps on Steam, and the same for Meta (Facebook) and Oculus.
“Users need to be on a more decentralized form of identity that is beyond the limitations of one particular company or ecosystem,” Li continued. “Web 3.0 is the perfect example here — an identity wallet can be used across multiple completely different dapps. For example, someone can buy NFT art on SuperRare and sell it on OpenSea, then use the earnings and deposit it to make yields in DeFi [decentralized finance].”
Identity theft also permeates today’s physical and digital worlds — passwords can be compromised, passports faked, and biometrics hacked. While NFTs are certainly not foolproof, given that NFT encryption keys can also go amiss, the metaverse offers potential solutions for addressing today’s identity-related security shortcomings. When a user wears AR or VR headsets or glasses, for example, this opens the door to a broader array of authentication tools.
“The metaverse brings new sensors that could offer a richer set of biometric authentication techniques such as gestures, hand motions, body motions, and so on, that are uniquely identifying,” noted Jasson Casey, CTO at passwordless technology company Beyond Identity.
But while Casey agreed that the metaverse will provide an opportunity for a “more federated” approach to identity and authentication, it doesn’t necessarily mean that this is how it will play out — we only have to look at the current big tech platforms for evidence of this.
“The interest of the individual in privacy may not be aligned with their interest in the metaverse provider,” Casey explained. “We have plenty of history of this through current social media. It’s not obvious how these misaligned, structural interests will yield much different results in the metaverse.”
As the various big-name players jostle for control of the metaverse, there’s little question that certain big names stand out, including the mighty Meta, which has set about controlling our online social identities for the past 15 years.
“Rather than letting a single mega social provider take the lead, the metaverse could be an opportunity for a more federated, or even a ‘bring-your-own-identity’ or ‘self-sovereign’ approach, in which individuals own their identities and get to choose what attributes about their identity they reveal on a service-by-service-basis,” Casey added. “However, it’s not really in the interest of the incumbent social providers to allow this to take place.”
Backing the blockchain
It’s important not to understate the role that the blockchain will play in the burgeoning metaverse industry, with Goldman Sachs recently opining that it will be central to the metaverse and web 3.0 development. The multinational banking giant added that it is the only technology that can “uniquely identify any virtual object independent of a central authority,” powering the ability to identify and track ownership.
With that in mind, Tal Elyashiv — cofounder and managing partner at Spice VC, a venture capital firm that has backed numerous companies in the blockchain and tokenization realm — told VentureBeat that he has seen plenty of evidence that blockchain companies are already benefiting from the convergence of NFT and virtual worlds. One of those is Blockdaemon, which serves dozens of blockchain networks with secure and scalable enterprise-grade infrastructure. The company closed a series round of funding just a few months back at a $1.3 billion valuation.
Another one is Otoy, a cloud rendering company that enables distributed GPU rendering on the blockchain. “The NFT boom last year, and the rise of the metaverse, produced significant increase in the demand for their service, and as a result a major appreciation of their token (RNDR) price — 4,506% in 2021 alone,” Elyashiv said.
From an identity and authentication perspective, Elyashiv says the first step toward understanding the role that blockchain-based technology such as NFTs might play in the Metaverse is to understand the critical need for a digital identity.
“Imagine a future where an AR / VR / MR (mixed reality) and an AI-rich digital environment (i.e. the metaverse) merges with our physical world and becomes part of our daily experiences — shopping, work, studies, sports, play, entertainment, and so on,” Elyashiv said. “Our current forms of identity, such as an ID, a driver license, or a passport are no longer appropriate for smoothly navigating through multiple personalized experiences in this new hybrid multilayer world. There is a need for a digital and virtual identity that will be able to uniquely and safely identify us in the physical, virtual, and overlaid worlds.”
While NFTs are already being used to uniquely identify and prove authenticity for digital goods by registering them on the blockchain, it doesn’t require a great deal of imagination to understand how this utility could be extended.
“Why not do the same to your identity?” Elyashiv said. “The uniqueness of each NFT is specifically defined by the information stored within the NFT’s metadata — pointing to valuable digital resources that are updated in real-time on the blockchain. NFTs provide an immutable record on the ledger — allowing for a ‘single source of truth’ — especially when it relates to identity and personal information.”
How identity ultimately unfolds in the metaverse remains to be seen, but early evidence suggests that it will bring our real-world and online identities closer together. PhotoCromic, for example, is a framework for creating and managing identities on blockchain networks, software services, and decentralized apps — it serves to aggregate “biometric proof of life, government-backed identity verification, social media attestations, and unique personal attributes” into a single blockchain asset that can be used for identity verification.
PhotoCromic is just one potential shared protocol for achieving this, but it highlights how users might go about creating a unique identity for themselves via NFTs, while simultaneously allowing third-parties to “decode” the identity and establish that someone is who they proclaim to be.
“This domain is still in its infancy and there are no commonly adopted protocols or standards — or many services adopting them,” Elyashiv said. “Therefore, examples like the PhotoChromic protocol — which is very early stage — are beginning to pop up. But the ecosystem will need to start adopting these in order for it to really be useful.”
And what about security? Does Elyashiv think that the blockchain will bestow a more robust security posture upon the metaverse?
“The reality is that no technology can ever perfectly protect identity,” he said. “In the case of NFTs, encryption keys might be stolen, for example. At the end of the day, most hacks are based on the weakest link — us humans, and how we use the technology. But the robustness of blockchain security, transparency, immutability, and decentralization makes it much harder to fake or steal your identity.”
David Lucatch is CEO at Liquid Avatar Technologies, a blockchain-based platform that helps individuals manage and control their digital identity and data. The platform links the offline and online worlds, starting with verifiable credentials to support age verification, travel and health documentation, and government identification, through to online account verification and the metaverse.
“We believe that individuals have a right to own and manage their identity and personal data, and they should control and manage it offline and online,” Lucatch said.
While Lucatch affirms that a user should only ever have one identity, whether that’s in real life, on the internet, or in the metaverse, he said that there is scope within that to have separate representations depending on the context. A user might have an avatar or “character” that displays or hides certain profile characteristics in a professional setting, for example, and convey a different persona in a social scenario.
“One person and identity may have an educational avatar and a gaming avatar — one functions as a student in a virtual space, and the other functions as a game character,” Lucatch said. “While the student avatar may hide some credentials that the gaming avatar includes, both avatars represent and are tied to the same verified real-world identity.”
Many people may be uncomfortable with the prospect of having to prove who they are to enter a virtual world. In the physical world of today, people can wander freely and attain a reasonable degree of anonymity wherever they roam (though, of course, technology may be eroding this). The same is true for the online world of today, as people are able to browse and consume content without always having to divulge who they really are.
So, what about the metaverse — should people be able to wander freely as an anonymous entity? Lucatch believes that the metaverse presents a new opportunity to create a “one user, one account” system from the outset, one that helps separate good actors from the bad ones. So authentication will be a necessity, even if users do have some control over what others see.
“Anonymity isn’t necessarily the issue — it’s uncertainty,” Lucatch explained. “If folks want to have their real identity remain anonymous, these users still have to be verified as real persons before entering the metaverse. Verifiable credentials make that process easy and simple. While different playable universes may have varying constraints on how much anonymity is allowed to take place, the concept of multiple accounts, bot accounts and fake trolling accounts will become a thing of the past.”
And so if nothing else, the metaverse could be a fresh start — a chance to reset identity for a new technological era.
“Allowing for authentication in the metaverse at the beginning will accelerate its security and digital identity, while providing a cohesive solution to minimize ‘bad actors,’ fakes, and multiple accounts, which have plagued the online world for more than two decades,” Lucatch said.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More
Discover Past Posts