12 words that replaced your username and password

Explaining the magic behind the seed phrase.

Web2 authentication was like this:

Then web3 came along and replaced it with this:

How is it possible to combine 2 things (username and password) into 1 thing (seed phrase)? After all, you need an identity (username) and proof that you own this identity (password). How can the seed phrase serve as both the identity and the proof? We will find out soon.

Seed phrase is just a pretty random number

Really. It's just a random number. Of course, it does not look like one. It's prettified.

Don't believe me? Here is how a seed phrase is generated:

The reverse process to convert the seed phrase back to its "ugly random number" form is straightforward: just invert each step in the process.

See? The seed phrase is just a prettified version of a random number.

If it's just a random number, can we pick 12 arbitrary words?

Not really. Typing your own 12 words will not work, because the words require a particular structure.

As we saw in the visualization above, the last word contains the hash (which can be thought of as the summary) of the previous words. So you could probably pick the first 11 words but the 12th one will have to be picked in a way that satisfies this constraint.
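The generation steps and the 12th-word constraint described above, as an added example (not code from the original post). It follows BIP-39 for the 12-word case: 128 random bits plus the first 4 bits of their SHA-256 hash give 132 bits, cut into twelve 11-bit numbers. It works with wordlist indices (0..2047) instead of words, because the 2048-word list is not embedded here; the function names are made up for this illustration.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list[int]:
    """128 random bits -> 12 wordlist indices (each index selects one word)."""
    if len(entropy) != 16:
        raise ValueError("this example handles 128-bit entropy only")
    checksum = hashlib.sha256(entropy).digest()[0] >> 4       # first 4 bits of the hash
    bits = (int.from_bytes(entropy, "big") << 4) | checksum   # 128 + 4 = 132 bits
    # Cut the 132 bits into twelve 11-bit groups, most significant group first.
    return [(bits >> (11 * (11 - i))) & 0x7FF for i in range(12)]

def indices_to_entropy(indices: list[int]) -> bytes:
    """Invert each step; raise ValueError if the checksum does not match."""
    if len(indices) != 12 or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need 12 indices in the range 0..2047")
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> 4).to_bytes(16, "big")                 # drop the 4 checksum bits
    if hashlib.sha256(entropy).digest()[0] >> 4 != bits & 0xF:
        raise ValueError("checksum mismatch: not a valid seed phrase")
    return entropy

def valid_last_indices(first_eleven: list[int]) -> list[int]:
    """Every 12th index that satisfies the checksum for 11 freely chosen ones."""
    valid = []
    for last in range(2048):
        try:
            indices_to_entropy(first_eleven + [last])
            valid.append(last)
        except ValueError:
            pass
    return valid

if __name__ == "__main__":
    zero = bytes(16)                                          # constructed sample input
    print(entropy_to_indices(zero))                           # eleven 0s, then 3
    print(len(valid_last_indices([0] * 11)), "of 2048 last words are valid")
```

The 12th word carries the last 7 bits of the random number plus the 4 checksum bits, so for any choice of the first 11 words exactly 128 of the 2048 possible last words pass the check.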

If you want to learn more about what hash functions (like SHA256) are, read this:

What's the purpose of the seed phrase?

Humans are terrible at big numbers. Try remembering one with 128 digits. Or even communicate it over the phone. The only thing people do with these big numbers is just copy and paste.

But what if you could turn a 128-digit number into a human-readable form (12 words) without any loss of information? Now it's much easier to communicate it over the phone. Easier to write it down on a piece of paper (for a backup). Or even memorize it.

Or as the original creators of the seed put it:

...it's meant to be a way to transport computer-generated randomness with a human-readable transcription. It's not a way to process user-created sentences (also known as brainwallets) into a wallet seed.

Origins of the seed phrase

It was introduced by the Bitcoin community in BIP-39 (BIP stands for Bitcoin Improvement Proposal).

Before seed phrases, people would manage their private keys (long random numbers) manually, which was a pain in the butt. If you're interested in the 3 BIPs that formed our modern crypto wallets, read this:

Other names for the seed phrase:

  • It's called a "mnemonic" because it's easier to memorize.
  • MetaMask calls it the "secret recovery phrase" to emphasize to its users that it should be kept secret and that it can be used to "recover" your funds.

Okay, now that we know that a seed phrase is just a pretty random number and how it's generated, let's see how it can be used as authentication in web3.

Authentication in web3

So, the 12 words combine the identity (username) and the proof that you own the identity (password) into 1 thing (the seed phrase). How can the seed phrase serve as both the identity and the proof? It doesn't.

Well, the correct answer is that it does, but not because of its own properties. It's because of the cryptography that is used further down the line in digital signatures. If you're confused by these words, read on.

The seed phrase just allows us to use human-readable words to represent long random numbers. Machines can take these 12 words and turn them into a long number. This long number serves as the "master" private key from which lots of "child" private keys can be generated.

Child private keys are used to digitally sign your transactions. It's actually the cryptography behind the private keys and digital signatures that allows us to combine the identity and the proof into one thing (the private key). If you're interested in how it's done, read this:

If you're interested in how the "master" private key is used to generate lots of "child" private keys, read this: