When signing in to popular internet services today (particularly non-blockchain services), users typically rely on identity providers (IdPs): centralized entities, such as giant internet companies and email providers, that have ultimate control over users’ identifiers. The incentives of these parties are often misaligned. Sign-In with Ethereum (SIWE) offers a new self-custodial option for users who wish to assume more control and responsibility for their own digital identity.
Since Ethereum has been in use for some time now, many services have started supporting workflows to authenticate Ethereum accounts using message signing, such as establishing a cookie-based web session that can manage privileged metadata about the authenticating address. SIWE is an opportunity to standardize the sign-in workflow and improve interoperability across existing services while also providing wallet vendors with a reliable method to identify signing requests as SIWE requests for improved UX.
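An added example, not from the original article or from the Spruce SDK: the checks a service would run on a SIWE message before establishing the cookie-based session described above. It assumes the plaintext message layout later published as EIP-4361, which this article does not describe; `parseSiwe`, `checkSiwe`, the domain, address and nonce are constructed for illustration, and verifying the wallet's signature is left to a vetted library.

```javascript
// Added example. Message layout assumed from EIP-4361; all values constructed.
const HEADER = " wants you to sign in with your Ethereum account:";
const FIELD = /^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time): (.+)$/;

// The fixed first line is what lets a wallet or server recognise a SIWE request.
function parseSiwe(text) {
  const lines = text.split("\n");
  if (!lines[0].endsWith(HEADER)) throw new Error("not a SIWE message");
  const msg = { domain: lines[0].slice(0, -HEADER.length), address: lines[1] };
  if (!/^0x[0-9a-fA-F]{40}$/.test(msg.address)) throw new Error("bad address");
  if (lines[2] !== "") throw new Error("malformed message");
  // lines[3] is the optional free-text statement; tagged fields start after
  // it, so text inside the statement can never be read as a field.
  for (const line of lines.slice(lines[3] === "" ? 4 : 5)) {
    const m = FIELD.exec(line);
    if (m) msg[m[1]] = m[2];
  }
  return msg;
}

// Checks made before (not instead of) verifying the wallet's signature.
function checkSiwe(text, { expectedDomain, issuedNonces, now }) {
  let msg;
  try { msg = parseSiwe(text); } catch (e) { return { ok: false, reason: e.message }; }
  // Domain binding: a message signed for another site must not log in here.
  if (msg.domain !== expectedDomain) return { ok: false, reason: "domain mismatch" };
  if (msg["Version"] !== "1") return { ok: false, reason: "unsupported version" };
  const exp = msg["Expiration Time"];
  // !(x > now) also rejects an unparseable timestamp (NaN).
  if (exp !== undefined && !(Date.parse(exp) > now)) return { ok: false, reason: "expired" };
  // Single-use nonce issued by this server: Set.delete returns false on replay.
  if (!issuedNonces.delete(msg["Nonce"])) return { ok: false, reason: "unknown or reused nonce" };
  return { ok: true, address: msg.address };
}

const SAMPLE = [ // constructed message, not a real account
  "login.example wants you to sign in with your Ethereum account:",
  "0x" + "ab".repeat(20),
  "",
  "Sign in to the example service.",
  "",
  "URI: https://login.example/session",
  "Version: 1",
  "Chain ID: 1",
  "Nonce: k3Jq9wZx1Lp0",
  "Issued At: 2021-10-01T12:00:00Z",
  "Expiration Time: 2021-10-01T12:10:00Z",
].join("\n");
```

The nonce set stands in for per-session server state; a replayed or cross-site message fails here before any signature work is done.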
Who is Behind this Initiative?
The Ethereum Foundation and Ethereum Name Service (ENS) sponsored this work. The SIWE standard will be developed by Spruce Systems, a company co-founded by former ConsenSys staffers that won a recent development proposal from the Ethereum Foundation and Ethereum Name Service. The initial goals are modest, which is a good sign for a new initiative like this.
The idea is to go beyond the sign-in process and turn existing Web2 accounts into an opportunity for crypto adoption more generally.
What are the Expected Benefits?
Users will be able to:
Sign in with their Ethereum wallet supporting WalletConnect to a Web2 service that has the Sign-in With Ethereum Server SDK installed.
Understand what information the Web2 service needs to verify and from which sources to complete the sign-in process.
Select which claims to present to the server from within the Sign-in with Ethereum Client SDK to retrieve and verify the information from various sources, including Ethereum Name Service (ENS), Interplanetary File System (IPFS), HTTPS, and more.
While Web2 Service Hosts Will Be Able To:
Integrate the or specification into popular web frameworks and authorization libraries to support Sign-in with Ethereum, either directly or through an authentication method aggregator such as Auth0 or Passport.js.
Specify Sign-in with Ethereum requirements. As part of the sign-in process, services can retrieve and verify claims presented by the user and aggregated by ENS, such as Web3 account balances, NFT ownership, W3C Verifiable Credentials, and more.
Link Web2 accounts to Ethereum addresses. Services can retrieve and verify claims presented by the user and ENS to augment their Web2 accounts with new functionality. Examples include special portals or downloads for NFT owners only, private off-chain admin panels for DAO members, or other determinations made from on-chain data or off-chain signed Credentials.
Integrate the Sign-in with Ethereum workflow to an existing OAuth 2.0/OpenID Connect relying party using configuration only. This workflow relies on a trusted Identity Provider, which supports the Sign-in With Ethereum authentication method and can establish an OAuth 2.0/OpenID Connect session.
Final Words
The initial release will likely include lower-security uses like gating content for non-fungible token (NFT) holders. But, eventually, by integrating secure off-chain storage, SIWE could also offer “strong” options such as government ID. Users will control access to that data on a case-by-case basis and remove or disassociate it at will.
One crucial hurdle for SIWE is the inherent risk of reusing any identifier, particularly an address that can likely get linked to wallets used for financial transactions. While the idea of using many or disposable wallets as a security measure is familiar to crypto users, it’s possibly a bridge too far for traditional users, at least for now, which is one more reason SIWE is starting with baby steps.
About the Author:
Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.