0
0
Article

Sign-in with Ethereum

How crypto may have accidentally fixed one of the internet's most annoying problems
0
0
Aug 18, 20218 min read

Dear Bankless Nation,

Ever lose your login info? Ever get tired of creating yet another username and password for the new app you want to use?

I’ve collected over 400 username and passwords accounts over the years.

It’s exhausting.

Is this just the way the modern world works? Why can’t we just have one universal login for everything?

There are some non-sovereign identity solutions—social sign-in is one. If you already have a Google, Facebook, or Twitter account, a lot of services will allow you to sign in with them. No need to create a new account!

The problem? Your identity is owned by those corporations. You don’t get to own your profile as property. The big tech companies do.

Guess what though? Crypto fixes this.

The power of public and private keys, enabled by crypto technologies, allows users to own their username, profile data, and use their account across multiple services—all while providing you with secure authentication.

Sounds like a fantasy?

It’s here today.

Many of us have experienced it already. You can use the same Ethereum account to swap tokens on Uniswap, trade derivatives on Synthetix, vote on governance decisions, join a DAO, collect crypto culture, and everything else in between.

What if this propagated to the real world?

It would feel like a new, self-sovereign internet.

This is how it might happen.

- RSA


Ethereum Single Sign-On: What, Why, and How

👉 This article is an expansion of a Twitter thread I previously posted on this topic.👈

The Ethereum community has accidentally stumbled upon a solution to a long-standing problem of the Internet: Single Sign-On.

Web2 services require users to create a new username and password combination for each new service, but web3 flips the script: the user can own their username, profile data, and secure authentication method and use that same account across multiple services.

I call it Sign-in with Ethereum.

The Problem

The Internet doesn’t have a user authentication and identification model built-in. IP addresses identify devices, not people; and DNS was never meant to name people, only services.

But services need to know who you are. So they created the username and password paradigm. It works fine, especially for the tech-savvy, but there are problems we all know about: people re-use weak passwords and get sign-up fatigue (“I have to create yet another account to use this service?”), not to mention hacks and data dumps (haveibeenpwned.com).

And finally, each account is siloed from your other accounts.

A new social media network springs up? Better race to get your favorite username.

One solution to this that caught on in the last decade was Social Sign-On. You probably already have an account with Google, Facebook, Twitter, etc, so why not sign-in with one of those? This seems like a win-win: users don’t have to create a new account, and services don’t need to manage a username and password system for their users.

While an improvement, Social Sign-On still has some significant drawbacks. It can’t be neutral since it depends on private corporations—those corporations become failure points for the system, and we wouldn’t even want a private company to completely win out and own sign-in for the whole Internet.

What we need is a neutral, decentralized, secure, user-controlled username and authentication protocol that all services can use.

Enter Ethereum

To have a decentralized single sign-in system, you need three things: 1) a widely adopted standard for users to generate private keys, 2) tools to make it easy for people to manage those private keys, and 3) a decentralized naming and profile data storage system.

A private key for everyone

Bitcoin got the ball rolling in solving the first and second issues. Bitcoin uses public/private keypairs for users to control their bitcoin. Ethereum does the same with Ethereum accounts.

The high value of cryptocurrency, and the usefulness of the Ethereum ecosystem in particular, has sufficiently incentivized two things for the first time: First, for large numbers of people to obtain a private key, and second, for an industry to develop to help people manage their private keys (what we call “wallets”).

There’s still lots of room for improvement, but just in the last few years we’ve had an explosion in private key management innovation: think hardware wallets, MetaMask, WalletConnect, social recovery, etc.

In other words, what cypherpunk ideology about privacy and freedom couldn’t convince people to do over several decades, cryptocurrency incentives have done in just a few years. Once you get a private key to hold cryptocurrency and use Ethereum dapps, you can use that same private key for other things, including signing messages for authentication.

Solving Zooko’s triangle

Key pairs can be automatically generated by software, but to have a human-readable username won’t you need a trusted-third party to store it somewhere and manage the namespace?

This is Zooko’s triangle: The triangle says that naming systems can't be decentralized, secure, and human-readable all at the same time.

Blockchains solved this problem. Namecoin, launched in 2011 as its own blockchain, was the first attempt at using blockchain technology for decentralized naming, but never got significant adoption. But ENS, launched in 2017 as a dapp on the Ethereum blockchain, has successfully gotten wide adoption as the web3 standard.

Users can register a .ETH name on ENS without touching a single centralized service (you can also import DNS names you already own for use on ENS), then hold custody of it themselves with their Ethereum account.

You can then use your ENS name as your portable web3 username, store profile data such as an avatar image, use it to simplify cryptocurrency payments, and even set up a decentralized website.

You can use this right now

This isn’t just an idea, this is currently the norm in web3. Want to use a dapp? Connect your wallet, and it can use your ENS name as your username.

Note that while some dapps simply have you connect your wallet, others also ask you to sign a message. In the former, you’re just connecting your wallet to a web app running locally in your browser. In the latter, you’re authenticating yourself to the servers of the service—which one a service asks you to do depends on the needs of the service.

Examples include Uniswap, Showtime, Aavegotchi, Cryptovoxels, OpenSea, SnapShot, Etherscan, and many more.

Objections

This already exists elsewhere

One of the most common responses I got to my original thread on Twitter was along the lines of “this tiny blockchain community already has this” or “this Internet standard no one uses already attempted this years ago”.

Of course, Single Sign-On is not a new idea, and yes there have been many attempts.

The key thing to understand is that Sign-in with Ethereum has evolved naturally to real-world use, it was not created by a committee in a vacuum and then pushed as a solution nobody wanted, it is already used in web3.

Yet another standard

I don’t expect traditional username and password systems or Social Sign-On to go away anytime soon. But Sign-in with Ethereum is already the standard for the growing web3 ecosystem, and demand from heavy web3 users will lead to web2 services adding this as an option alongside their current ones. If a user wanted to use their Ethereum account and ENS username and profile everywhere, they could.

What makes this qualitatively different from the existing options is that it’s credibly neutral and user-controlled.

Ordinary users can’t manage private keys

Worried about users losing access to their online accounts?

How about them losing access to their cryptocurrency!

The cryptocurrency industry already has a higher incentive to deal with these problems. As a result, there is a large, highly competitive industry built around simply making it easier for ordinary users to manage their private key, or “wallets.”

The fact we can then use those same private keys for authentication is a happy side effect.

What about privacy?

Privacy is indeed an issue when it comes to blockchains.

While there are technologies like zero-knowledge proofs and mixers that can help here, the best thing for a person to do right now is simply to have more than one Ethereum account: at least one that is public-facing, and at least one that is private (e.g. for your main stash).

Note that you can easily generate new Ethereum accounts, and that ENS names can be pseudonyms if you’d like.

You’re just shilling Ethereum and ENS

Yes, I hold ETH, and yes I’m on the team that develops and manages ENS.

I’m sure that makes me biased, but the facts aren’t biased: Ethereum is where nearly all of the dapp innovation is happening, and ENS has more ecosystem support than all other blockchain-based naming protocol attempts combined (and times three).

For the record, the organization that manages ENS and for which I work is a non-profit, and it has mostly lived off of grants from the Ethereum Foundation, and all funds raised from .ETH name registrations goes to an Ethereum community multisig.

Those funds are so far mostly unspent, with the lone exception being a $700k donation to Gitcoin Grants. The plan has been for the money to eventually fund long-term ENS development, the ENS ecosystem, and maybe even Ethereum protocol development, but we’ll see.

RFP: Stay Tuned

ENS and the Ethereum Foundation are co-sponsoring an RFP for standardizing Sign-in with Ethereum.

We need someone or a team to assess what developers are already doing and compile it into a standard with best practices, as well as create an Oauth implementation and Javascript library, to make it easier for web2 services to add it as an option.

The extended deadline recently passed and we’re working on sorting through the applications. Stay tuned!

Conclusion

Once you've gotten used to the web3 model in which you own your portable account and username, the old web2 sandboxed username and password model genuinely starts to seem antiquated, even annoying.

I think we’ll look back on the era of siloed usernames and user-generated passwords as a bizarre period of the early Internet. “Users would make up their own private key - you called them passwords - for each service? Nuts. Incredible that people survived!”

Ethereum has finally enabled the neutral, decentralized single account for the Internet that we always wanted. This is a massive breakthrough in its own right, though it may seem small compared to everything else Ethereum is doing!

Let’s keep building.


Action Steps

  1. Get an Ethereum account. You can use Rainbow, MetaMask, Coinbase Wallet, or any of a number of Ethereum wallet providers. The nice thing about it is that since they all use the same protocol, you can easily import your Ethereum account from one to another one if you want to change wallet providers.
  2. Register your ENS name. You can learn more about ENS at ens.domains and register your own ENS name at app.ens.domains.

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.

Account Light mode Log Out