Sign in with Wallet

Posted on Tue, Aug 24, 2021 learn

Auth3

I spent the weekend spinning up an experiment.

I wanted to see if I could build something that lets you log in to a standard, web2 site using a crypto wallet.

I ended up calling the thing Auth3 because, you know... it's authentication, with a wallet... like on web3.

You can try it out here: auth3

It just verifies you own a wallet, and issues an auth token for you to view. (You'll need a MetaMask wallet)

Why it's different

For those who haven't played around in the web3 space, there aren't really logins there. Apps just seamlessly connect to your wallet.

This has been the dream for cryptographers forever. Users now hold their own private keys, something that was not reasonable until the introduction of crypto wallets.

A private key is much stronger than a password, which is often short, reused, and passed around.

Signatures

Auth3 uses a common method from web3, message signing.

It does this in a way similar to a handshake, except the user must agree to sign in order to log in.

A signature is a cryptographic method that proves someone owns a wallet. The public address can be derived from the signature if the input is known.

The challenges and checks of the handshake can be summed up by this diagram:

After the server verifies that the user owns a wallet, it issues an auth token to them and can use the public address as an ID.
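The handshake described above, as an added example that is not Auth3's code: the server issues a one-time challenge, the wallet signs it, and the server verifies the signature before issuing a token. It assumes Node's built-in ECDSA over secp256k1 with SHA-256 as a stand-in for MetaMask message signing, uses a hash of the public key as the ID instead of recovering an Ethereum address, and all function names and the `auth3.example` domain are hypothetical.

```javascript
// Added example, not Auth3's code. Assumption: Node's built-in ECDSA over
// secp256k1 with SHA-256 stands in for MetaMask message signing, and the ID is
// a hash of the public key rather than a recovered Ethereum address.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // hypothetical challenge lifetime
const pending = new Map();              // id -> { message, expires }

// Stand-in for the wallet's public address.
function accountId(publicKeyDer) {
  return crypto.createHash('sha256').update(publicKeyDer).digest('hex').slice(0, 40);
}

// Server: issue a random challenge bound to the ID and to this site
// (auth3.example is a placeholder), so a signature is useless elsewhere.
function issueChallenge(id, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const message = `auth3.example wants you to sign in as ${id}\nnonce: ${nonce}`;
  pending.set(id, { message, expires: now + CHALLENGE_TTL_MS });
  return message;
}

// Client: the wallet signs the exact message once the user approves.
function walletSign(message, privateKey) {
  return crypto.sign('sha256', Buffer.from(message), privateKey);
}

// Server: verify against the message it stored (never one the client sends
// back), consume the challenge so it works once, then issue the auth token.
function verifyLogin(publicKeyDer, signature, now = Date.now()) {
  const id = accountId(publicKeyDer);
  const challenge = pending.get(id);
  pending.delete(id);
  if (!challenge || now > challenge.expires) return null;
  try {
    const key = crypto.createPublicKey({ key: publicKeyDer, format: 'der', type: 'spki' });
    const ok = crypto.verify('sha256', Buffer.from(challenge.message), key, signature);
    return ok ? { id, token: crypto.randomBytes(32).toString('hex') } : null;
  } catch {
    return null; // malformed key or signature
  }
}

// Constructed demo wallet: a fresh secp256k1 key pair.
function newWallet() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  return { privateKey, publicKeyDer: publicKey.export({ type: 'spki', format: 'der' }) };
}
```

Replaying a signature fails because the challenge is deleted on first use, and a signature from a different key fails because the ID is derived from the key being verified.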

I might use it!

It works pretty well, well enough that I'll try implementing it in HiddenLogin, letting users sign into web2 sites with aliases, while never having to use an email of their own.

I could see an implementation of this being used as an SSO provider. In my opinion, alongside "Sign in with Google", you'll be seeing a "Sign in with Wallet" button very soon.

This is so important: it lets you easily and securely authenticate without a provider of authority (like Google). We, as users, should hold the power to our own web accounts.

-hew