Comment on page
As Web2 Giants Enter the Web3 Space, Security Will be Make-or-Break
By Wade Wang
It is not a question of if, but when and how mass adoption of blockchain technologies will take place. Asset security will be vital to driving wide-scale adoption with confidence.
Global tech giants Amazon and Alibaba. Payments behemoths Mastercard and Visa. And even lifestyle heavyweights Gucci and Prada. Many Web2 companies are dipping their toes into the Web3 waters. Their industries differ vastly, but their Web3 concerns are not too dissimilar.
Organizations enjoy many of the same benefits of decentralization as individuals. Autonomy and control over your own assets and data; this is a highly appealing offer for retail brands and retail investors alike. Yet the security of those assets and data remains one of the most significant bottlenecks, even headwinds, facing mass Web3 adoption, especially among Web2 enterprises.
Cryptography relies on a private key-focused asset security model. This model is distinct from traditional security approaches, and this unfamiliarity creates potential risks for anyone eyeing the Web3 space. Yet, asset security is key to driving mass adoption, allowing companies and their customers to confidently conduct their business in Web3, without getting distracted by the minutiae of security concerns.
Until we get this right, and build firm trust in Web3’s security credentials, blockchain technologies cannot achieve their ultimate promise.
Web3-curious Web2 firms, compared with their Web3-native counterparts
Let’s consider the differing focuses and concerns of these groups, before diving into the details of their Web3 security approaches.
Starting with compliance, Web2 firms entering the Web3 space have a relative advantage in securing licenses, insurance and third-party certifications. Meanwhile Web3-native players generally prefer to operate in open source environments, with a focus on decentralization and verifiable technology. There is also a notable difference in how Web2 and Web3 organizations control or delegate decision-making, with the former preferring to issue shares and voting according to equity rights, while Web3 organizations tend to rely more on DAOs or tokenomics.
This leads to differing approaches to asset management as well. Whereas in Web2 the organizations are responsible for securing their customers and/or clients’ assets and/or data, Web3-native players will usually delegate that responsibility to users. Thus, in Web2 the platforms essentially share users’ risks. But for Web3 users, they usually have to take charge of their asset ownership directly. As such, Web2 firms will likely take a bigger reputational hit from any Web3-originated attacks on their users.
As blockchain technologies have driven the creation of a new market, so have new security risks emerged. Whether centralized or decentralized, organizations face much the same security risks. They also aim for the same goals: securing customers’ assets from loss, theft, fraud, and any other types of attacks.
Bad actors will inevitably target all kinds of organizations at some point. Typical security risks faced within Web3 include:
- Thefts conducted during private key generation
- Manipulation/falsification during asset transfers, such that assets are transferred to the wrong addresses
- Social engineering attacks (primarily phishing) and fraud.
For Web2 firms especially, their users lack security awareness within the Web3 world. It’s unrealistic to expect that users are equipped to contend with the often sophisticated security risks facing them in a new environment.
Private key-focused asset security is the foundation of almost all Web3 applications, a security consensus that has developed over the past decade. However all conventional digital wallets (hot or cold) suffer from a single point failure and single-person management of private keys. In fact, hundreds of attacks have proven the vulnerability of this security model to date.
This is where MPC & TEE enters the story.
Multi-Party Computation directly generates numerous key shards – with the private key never existing as one single unit. The shards are then distributed among multiple signatories. This approach eliminates the single point of failure. If a single shard is accessed by external bad actors such as hackers, they cannot access any assets without all of the key shards. MPC even helps to restrict the access of internal attackers such as disgruntled employees or bad actors within cloud vendors.
As for TEE, a Trusted Execution Environment ensures that from key generation to transaction signing, all operations are performed adhere to the MPC protocol and transaction policies, always remaining tamper-proof and encrypted. Meanwhile, users retain 100% control of their private keys.
And to truly ensure trust in these novel security approaches, open sourcing is one key to building confidence in Web3 security. Open-sourcing facilitates the development of Web3 security technologies and applications in a more open and transparent manner, and ultimately accelerates innovation by increasing efficiency.
Security is the cornerstone of any technological innovation. And technology should always be developed with users’ interests in mind. This priority is even more prominent as Web2 companies foray into the unfamiliar Web3 landscape.
One way native Web3 companies can help drive adoption among Web2 giants is by contributing to the building of secure, open-sourced infrastructure that’s ready to welcome these new players. In turn, adoption among Web2 giants will be beneficial to the Web3 ecosystem, bringing more resources and attracting more talents to contribute to its growth.
(Published on TechNode Global)