Sign-In with Ethereum

Jared Hanson
Published in Passport.js
1 min read · Jun 8, 2022

Authentication is in a renaissance period right now, with strong cryptographic credentials becoming available to a wider set of people more quickly than ever before. The traditional web is rolling out WebAuthn, while the emerging Web3 and blockchain communities are innovating with wallet-based interfaces that let people control their online identity and other digital assets.

It is now possible to bring blockchain-based credentials to off-chain Node.js apps with Passport and the initial release of passport-ethereum-siwe. This strategy allows people to sign in using their Ethereum wallet and implements the Sign-In with Ethereum specification, which is formally defined in EIP-4361 and authored by Spruce and ENS.

People who use Web3-based services are familiar with signing in using wallets such as MetaMask. Under the hood, this is made possible by EIP-191, which is a mechanism for signing messages. A couple of community-developed strategies brought EIP-191 support to Passport years ago.

However, while EIP-191 defines how to sign a message, the contents of that message are an unspecified detail which is crucial to secure authentication. This is where EIP-4361 picks up, as it defines a structured yet human-readable message.

This message contains all the information needed to build a secure, cryptographic authentication protocol. A nonce allows websites to prevent replay attacks. Domain binding will enable phishing resistance as wallets support the message format.
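The nonce and domain checks described above, sketched as an added example (this is not code from passport-ethereum-siwe). The names `parseSiwe`, `checkSiwe`, `SAMPLE` and the in-memory `Set` of pending nonces are hypothetical, the message is constructed, and the EIP-191 signature is assumed to have been verified separately against the address in the message.

```javascript
// Parse the header and tagged fields of an EIP-4361 message (added example).
function parseSiwe(message) {
  const lines = message.split('\n');
  const head = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0]);
  if (!head || !/^0x[0-9a-fA-F]{40}$/.test(lines[1] || '')) {
    throw new Error('not a Sign-In with Ethereum message');
  }
  const fields = { domain: head[1], address: lines[1] };
  // The optional free-text statement sits on line 3; skip it so that text such as
  // "Nonce: ..." inside the statement is never mistaken for a real field.
  const start = lines[3] === '' ? 4 : 5;
  for (const line of lines.slice(start)) {
    const m = /^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time): (.+)$/.exec(line);
    if (!m) continue;
    if (m[1] in fields) throw new Error('duplicate field: ' + m[1]);
    fields[m[1]] = m[2];
  }
  return fields;
}

// Checks the server makes once the signature itself has been verified.
// pendingNonces: nonces this server issued (from a CSPRNG) and has not yet seen used.
function checkSiwe(message, { expectedDomain, pendingNonces, now = new Date() }) {
  const f = parseSiwe(message);
  // Domain binding: a message signed for another site must not log the user in here.
  if (f.domain !== expectedDomain) return { ok: false, reason: 'domain mismatch' };
  // Replay protection: the nonce must be one we issued, and delete() makes it single-use.
  if (!f.Nonce || !pendingNonces.delete(f.Nonce)) {
    return { ok: false, reason: 'unknown or reused nonce' };
  }
  // An unparseable expiration compares false and is rejected as well.
  if (f['Expiration Time'] && !(new Date(f['Expiration Time']) > now)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, address: f.address };
}

// Constructed sample message; the address, domain and nonce are made up.
const SAMPLE = [
  'app.example.com wants you to sign in with your Ethereum account:',
  '0x' + '11'.repeat(20),
  '',
  'Sign in to the example app.',
  '',
  'URI: https://app.example.com/login',
  'Version: 1',
  'Chain ID: 1',
  'Nonce: k3Yx9QpL2mVd8RtA',
  'Issued At: 2022-06-08T12:00:00Z',
  'Expiration Time: 2022-06-08T12:10:00Z',
].join('\n');
```

A second submission of the same signed message fails because its nonce has already been consumed, and a message signed for a different domain is rejected before the nonce is touched.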

To get started, install the strategy and read the documentation and example:

npm install passport-ethereum-siwe
