A username or email address and a password are required when a user logs into a web2 service. Sign-In with Ethereum changes this approach.

Usually, when logging into a "web2" service, we need to use a username or email address and a password. The service looks up our username or email address in its internal database and checks whether the stored password matches the one we provided. If it does, the service generates a random session key for further authentication, usually stored in a cookie. This approach to "big login" (using the same login method across many Internet services, for example Facebook, Google, or Weixin) often relies on large Internet companies and email providers. They are the centralized entities that have ultimate control over user identities.

The emergence of Ethereum Login (EIP-4361) changes this game, providing a new self-hosted option for users who want to take more control and responsibility over their digital identities. Users no longer need to compromise with some large middleman and can now log in directly (without going through a middleman) using the same private key that controls their blockchain account. Large companies can no longer deny users access to services or monitor their behavior.

Logging in with Ethereum promises to return user power.

Part.1 What is EIP-4361: Login using Ethereum?

It is off-chain authentication through which Ethereum accounts establish sessions.

Ethereum Login (EIP-4361) describes how Ethereum accounts can authenticate to off-chain services by signing a standard message format parameterized by scope, session details, and security mechanisms. The goals of EIP-4361 are to provide a self-hosted alternative to centralized identity providers, to improve the interoperability of off-chain services that authenticate with Ethereum, and to give wallet providers a consistent, machine-readable message format that enables a better user experience and consent management. In other words, the purpose of EIP-4361 is to change the way we log in to web2 services by using the methods already common in web3 services such as wallets and dapps.

There are already a number of services that support workflows for verifying Ethereum accounts using message signatures, such as setting up a cookie-based web session that manages privileged metadata about the verified address. This is an opportunity to standardize login workflows and improve the interoperability of existing services, while also providing wallet providers with a reliable way to identify signing requests as Ethereum login requests to improve user experience.

Ethereum login works as follows:

The wallet presents the user with a structured plaintext message, or an equivalent interface, to sign using the EIP-191 signed-data format. Before signing, the message is prefixed with \x19Ethereum Signed Message:\n as defined in EIP-191. The message must contain the Ethereum address, the domain requesting the signature, the version of the message, the chain identifier (chain-id), the URI used for scoping, a nonce acceptable to the relying party, and the issuance timestamp. The signature is then submitted to the relying party, which checks the validity of the signature and the content of the message. Other fields, including expiration time, not-before, request ID, statement, and resources, can be incorporated as part of the login process. The relying party may further obtain data associated with the Ethereum address, for example from the Ethereum blockchain (ENS, account balances, EIP-20/EIP-721/EIP-1155 asset ownership), or from other data sources that may or may not be permissioned.

case news

Ethereum Login (EIP-4361) defines an open Creative Commons (CC) signature format for Ethereum accounts. Users do not need a username and password combination to log in: they only need to sign the message with their own private key, and that is all. With it, they can authenticate securely to any web-based service. EIP-4361 was created by the community with direct support from the Ethereum Foundation and ENS.

Part.2 Is Ethereum login important to Web3?

For all the builders of Web3, the Ethereum login means much more than the Connect Wallet. Connecting wallets is currently the main way to get into Web3 dapps. By connecting to the wallet, users can start interacting with the blockchain, but connecting to the wallet does not cause the application to record any of your information, it just creates a front-end display for simple interactions. Ethereum login allows users to establish sessions with applications, allowing for richer scenario interactions and secure reading and writing of their data.

We use two examples, "Connected Carl" and "Session Sam", to illustrate the difference.

"Connected Carl" uses dapps. He can trade on Uniswap, lend on Aave, and even buy NFTs on OpenSea, just by connecting his wallet. For a while, things went smoothly for Carl, until one day he encountered a problem: he wanted these dapps to remember him, so that the third, fourth, and fifth time he used them they could give him a better experience.

Carl thinks his experience would be much better if Uniswap could automatically import his liquidity preferences, if Aave could remember his favorite lending markets, or even if OpenSea could remember his name instead of the account 0x2Fe1a3... But all of this has to start from scratch each time his wallet is connected.

"Session Sam" does not have this problem. This information is saved after authenticating and establishing a session with the dapps. Even if Sam disconnects and authenticates again, Sam will continue where he left off and everything about him will still be remembered in the application. His information may even be stored in a remote database he controls.

The function of connecting to the wallet is very simple. It just notifies the dapp to let it know which account you are using. The dapp has no memory of you and just builds a platform for simple interactions. But Ethereum login authenticates users in order to establish a session with them, and the various situational interactions between you and the dapp will be securely read and written.

Part.3 Create Ethereum login interface

The wallet builds the Ethereum login interface as follows:

Wallet implementers must display the following terms in Ethereum login signing requests to users by default and before signing: domain, address, statement, and resource. Other existing terms must also be made available to users before signing by default or through the extension interface. When wallet implementers display a clear text message to the user, they should require the user to scroll to the bottom of the text area before signing. Wallet implementers can build custom login Ethereum user interfaces by parsing ABNF terms into data elements for use in the interface. The display rules above still apply to custom interfaces.

In terms of user experience, the wallet can present a friendly and stylized interface to make the user experience better. For example, the signature information usually prompted to the user is LOGIN. In comparison, the information of "Log in using Ethereum" is more complicated, but we can use it to make requests to users in a generally accepted way. With an agreed upon signature message format, applications and wallets can speak the same language. When an application makes a signature request to the user, the wallet can inspect the request, check whether it is appropriate as an EIP-4361 message, and let the user know they are signing into a website (which also results in a cleaner interface).

The specification also introduces additional security requirements for wallets, such as domain name binding to prevent phishing attacks and nonce settings to prevent replay attacks, so users are further protected throughout the entire experience. For example, if a wallet discovers a valid Ethereum login but the user signed for example.com but is actually at exampie.com, the wallet can warn the user of this situation.
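The relying-party side of the workflow described above (EIP-191 prefixing, the message fields, and the domain-binding and nonce checks) as an added example; this is not code from the page or from any SIWE library. It assumes signature recovery is done separately with an Ethereum library, and the sample message, address and nonce are constructed:

```python
import re
from datetime import datetime, timezone
# EIP-4361 message layout: domain line, address, optional statement, fixed fields.
SIWE_RE = re.compile(
    r"^(?P<domain>[^\n]+) wants you to sign in with your Ethereum account:\n"
    r"(?P<address>0x[0-9a-fA-F]{40})\n\n(?:(?P<statement>[^\n]+)\n)?\n"
    r"URI: (?P<uri>[^\n]+)\nVersion: (?P<version>1)\n"
    r"Chain ID: (?P<chain_id>\d+)\nNonce: (?P<nonce>[A-Za-z0-9]{8,})\n"
    r"Issued At: (?P<issued_at>[^\n]+)"
    r"(?:\nExpiration Time: (?P<expiration>[^\n]+))?"
    r"(?:\nNot Before: (?P<not_before>[^\n]+))?(?:\nRequest ID: (?P<request_id>[^\n]*))?"
    r"(?:\nResources:(?P<resources>(?:\n- [^\n]+)*))?$"
)

def eip191_prefixed(message: str) -> bytes:
    """Bytes the wallet hashes and signs: EIP-191 prefix, byte length, message."""
    body = message.encode()
    return b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # RFC 3339; "Z" for older Pythons

def verify_siwe(message, expected_domain, expected_chain_id, issued_nonces, now):
    """Relying-party checks, run after the signature was verified elsewhere.
    issued_nonces: nonces this server handed out and has not yet consumed."""
    m = SIWE_RE.match(message)
    if not m:
        return False, "malformed message"
    f = m.groupdict()
    if f["domain"] != expected_domain:           # domain binding: anti-phishing
        return False, "domain mismatch"
    if int(f["chain_id"]) != expected_chain_id:
        return False, "wrong chain"
    if f["nonce"] not in issued_nonces:           # one-time nonce: anti-replay
        return False, "unknown or reused nonce"
    if f["expiration"] and now >= parse_ts(f["expiration"]):
        return False, "expired"
    if f["not_before"] and now < parse_ts(f["not_before"]):
        return False, "not yet valid"
    issued_nonces.discard(f["nonce"])             # consume on success
    return True, f["address"].lower()

# Constructed sample (made-up address and nonce), valid at SAMPLE_NOW.
SAMPLE_NOW = datetime(2023, 3, 1, 12, 5, tzinfo=timezone.utc)
SAMPLE = (
    "example.com wants you to sign in with your Ethereum account:\n"
    "0x1234567890123456789012345678901234567890\n\nSign in to example.com\n\n"
    "URI: https://example.com/login\nVersion: 1\nChain ID: 1\nNonce: 32891756\n"
    "Issued At: 2023-03-01T12:00:00Z\nExpiration Time: 2023-03-01T12:10:00Z"
)
```

A message signed for exampie.com fails the domain check even with a valid signature, and a captured message replayed with an already-consumed nonce is rejected.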

Part.4 Parsing ENS data

EIP-4361 is neatly integrated with the Ethereum Name Service (ENS).

Relying parties or wallets can also resolve ENS data, which improves the user experience by displaying human-readable information associated with the address. If an address has a primary ENS name, the service can look it up and resolve data from it. For example, you can store your preferred username, avatar, email address, or any other information in your ENS name. This way you control your own data and no web2 service needs to store this information about you. This could make logging in to applications with signed EIP-191 messages the standard in future, eliminating the email/password combination entirely.

Resolvable ENS data includes:

Primary ENS name
ENS avatar
Any other resolvable resources specified in the ENS documentation

If ENS data is resolved, implementers should take precautions to protect user privacy and consent, as the user's address may be forwarded to third-party services as part of the resolution process.

Part.5 Tokenview Popular Science Time

What is an EIP?

An important process in Ethereum governance is the proposal of Ethereum Improvement Proposals (EIPs). EIPs are standards that specify potential new features or processes for Ethereum. Anyone in the Ethereum community can create an EIP. For example, none of the authors of EIP-721 (the EIP that standardized NFTs) were directly involved in Ethereum's protocol development. Once an EIP is approved, tested, and implemented, it is scheduled as part of a network upgrade. Because network upgrades are costly to coordinate, EIPs are often bundled together into one upgrade. After the network upgrade is activated, the EIPs are live on the Ethereum network.

We have previously introduced the four EIPs that will be activated in the Ethereum Shanghai upgrade: EIP-3651 (reduce the gas cost of accessing the COINBASE address); EIP-3855 (add the PUSH0 opcode); EIP-3860 (limit the size of initcode and introduce gas metering for it); and EIP-4895 (beacon chain push withdrawals as a system operation).

References

https://ethereum.org/en/governance/#what-is-an-eip

https://eips.ethereum.org/EIPS/eip-4361

https://blog.spruceid.com/sign-in-with-ethereum-is-a-game-changer-part-1/

https://blog.mycrypto.com/sign-in-with-ethereum-an-alternative-to-centralized-identity-providers/