Why We Should Care About SIWE

Dylan Amadán
Verum Capital Insights
8 min read · Feb 6, 2023

Intro:

In today’s digital world, our personal information is being collected, stored, and (ab)used by various organisations and institutions. This information is central to our lives, including our online activities, financial transactions, and even our personal relationships. Unfortunately, the current systems for managing digital identity often lack security, privacy, and control, leaving users vulnerable to fraud, cyber attacks, and misuse of their personal data.

The concept of self-sovereign digital identity seeks to address these challenges by providing a decentralised and secure system for managing digital identity, in which individuals have control over their personal information and data.

In this article, we will dive into why we need a better way to manage identities on the internet, what EIP-4361 (Sign-In With Ethereum, SIWE) is, and some considerations about the future.

The Internet and Identity

You might have heard before that the internet was not built with native identity primitives. This refers to the fact that the early designers of the internet did not initially include mechanisms for managing and verifying user identity in their designs. When the internet was first created, it was primarily used for exchanging text-based information between researchers (who knew each other, so there was no need for identity verification) and was not envisioned as a platform for conducting transactions, accessing personal data, or engaging in social and commercial activities.

As a result, the internet was not designed with the robust security and privacy features necessary to protect user identity and information. Instead, identity verification and management have been added piecemeal through the development of third-party applications and services, such as passwords, usernames, and online forms.

This has resulted in a fragmented and siloed system for managing digital identity, where personal information is scattered across different platforms, services, and applications, making it difficult to manage and control. Additionally, the centralization of identity management has led to numerous security and privacy breaches, where personal information has been stolen or misused by malicious actors.

The Current Solution

The average person has over 100 passwords, which can lead to security risks, difficulty in managing them, and an increased likelihood of password reuse. Or, as is the case for many internet users, they delegate password management to a third-party company such as Google or Facebook. This mechanism offers a number of benefits, including convenience (since the user only has to remember their Google account credentials), reduced friction (since the user doesn’t have to create a new account), and improved security (since Google uses its secure infrastructure to manage the user’s credentials).

The “Sign in with Big Tech” mechanism uses the OAuth 2.0 protocol to allow users to securely sign in to third-party websites and applications using their Google account credentials. When a user clicks the “Sign in with Google” button on a third-party website, they are redirected to Google’s authorization page, where they enter their Google account credentials and grant permission for the third-party website to access their Google account information. Google then generates an access token, which the third-party website uses to retrieve the user’s Google account information, such as their name and email address. This allows the user to securely sign in to the third-party website using their Google credentials, without having to give their credentials to the third-party website or create a separate username and password for each service.

One major downside of this status quo is the loss of control over personal data. By using “Sign in with Big N,” users are effectively handing over control of their personal information to the tech giant, raising concerns about privacy and data security. Big tech doesn’t exactly have the best track record for protecting user data. To put the spotlight on Google, over the past few years it has been at the centre of several major user data scandals:

  • Google Plus: A security vulnerability in Google Plus was discovered, which exposed the personal information of hundreds of thousands of users. Google initially chose not to disclose the vulnerability, but it was later revealed in a report by the Wall Street Journal.
  • Location tracking: It was discovered that Google was tracking the location of Android users even when they had turned off location services and were not using any apps. This was done through the use of cellular tower data and Wi-Fi hotspots.
  • Google Home devices: It was revealed that Google Home devices were recording and storing audio clips of users even when they were not interacting with the device. This raised privacy concerns and led to increased scrutiny of Google’s data collection practices.

And it’s not just Google: Meta was fined $275M after personal info of 500 million Facebook users was leaked, following a $400M fine in September for mishandling children’s information on Instagram.

Another criticism is the centralised system’s potential for failure. If Google’s servers are down or hacked, users may be unable to access their accounts on third-party websites, making it a single point of failure. Additionally, a compromised Google account could give an attacker access to a user’s personal information across multiple websites and applications. The requirement to share one’s real identity also detracts from anonymity and privacy. Many also argue that the dominance of a small number of sign-in options in the market can stifle competition and innovation.

As a result, for some time there have been calls for alternative, decentralised systems for digital identity management that put users back in control of their personal data.

Enter SIWE

EIP-4361 (SIWE) is an Ethereum Improvement Proposal (EIP) that outlines a standardised way of signing messages in Ethereum. The goal of SIWE is to provide a secure and user-friendly way of signing messages and transactions in the Ethereum network. This standard would allow for a more streamlined and secure interaction between users and Ethereum-based applications and services.

SIWE hopes to provide a decentralised alternative to traditional sign-in methods. Instead of having to create a username and password and store their personal information in a centralised database, users can authenticate themselves using their Ethereum wallet and private key. This eliminates the need for intermediaries, such as centralised databases, and provides users with greater control, security, and privacy in the management of their digital identity.
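The relying-party side of the wallet-based sign-in described above, as an added example that is not from the article, the EIP-4361 text or Spruce's library: it parses an EIP-4361 message and performs the checks a server must make beyond verifying the signature itself (domain binding, signer match, time window, single-use nonce). It assumes the signer has already been recovered from the EIP-191 signature by a wallet library such as ethers' verifyMessage, and the sample message, its address and nonce are constructed placeholders.

```javascript
// Added example (not from the article, the EIP-4361 spec or Spruce's library): parse an
// EIP-4361 message and run the relying-party checks that remain after signature recovery.
// Recovering the signer from the EIP-191 signature is assumed to be done by a wallet library
// (e.g. ethers' verifyMessage) and its result is passed in as recoveredAddress.
const HEADER_RE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(\S+) wants you to sign in with your Ethereum account:$/;
const FIELD_RE = /^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time|Not Before|Request ID): (.*)$/;
// Parse the plain-text message into an object keyed by field name; throws on malformed input.
function parseSiweMessage(text) {
  const lines = text.split("\n");
  const header = HEADER_RE.exec(lines[0] || "");
  if (!header) throw new Error("bad header line");
  const msg = { domain: header[1], address: lines[1], statement: "", resources: [] };
  if (!/^0x[0-9a-fA-F]{40}$/.test(msg.address)) throw new Error("bad address");
  if (lines[2] !== "") throw new Error("expected blank line after address");
  let i = 3;
  if (lines[i] !== "") { msg.statement = lines[i]; i += 1; } // optional statement line
  if (lines[i] !== "") throw new Error("expected blank line before fields");
  for (i += 1; i < lines.length; i++) {
    const f = FIELD_RE.exec(lines[i]);
    if (f) { msg[f[1]] = f[2]; continue; }
    if (lines[i] === "Resources:") continue;
    if (lines[i].startsWith("- ")) { msg.resources.push(lines[i].slice(2)); continue; }
    throw new Error("unexpected line: " + JSON.stringify(lines[i]));
  }
  for (const k of ["URI", "Version", "Chain ID", "Nonce", "Issued At"]) if (!(k in msg)) throw new Error("missing " + k);
  return msg;
}
// Relying-party verification. issuedNonces holds server-issued, unused nonces; a nonce is
// deleted on use so the same signed message cannot be replayed for a second login.
function verifySiweMessage(text, { expectedDomain, recoveredAddress, issuedNonces, now }) {
  let msg;
  try { msg = parseSiweMessage(text); } catch (e) { return { ok: false, reason: e.message }; }
  if (msg.domain !== expectedDomain) return { ok: false, reason: "domain mismatch" }; // not signed for this site
  if (msg.Version !== "1") return { ok: false, reason: "unsupported version" };
  if (msg.address.toLowerCase() !== recoveredAddress.toLowerCase()) return { ok: false, reason: "signer mismatch" };
  const at = (k) => Date.parse(msg[k]);
  if (!(now >= at("Issued At"))) return { ok: false, reason: "issued in the future" };
  if ("Expiration Time" in msg && !(now < at("Expiration Time"))) return { ok: false, reason: "expired" };
  if ("Not Before" in msg && !(now >= at("Not Before"))) return { ok: false, reason: "not yet valid" };
  if (!/^[A-Za-z0-9]{8,}$/.test(msg.Nonce) || !issuedNonces.delete(msg.Nonce)) return { ok: false, reason: "unknown or reused nonce" };
  return { ok: true, address: msg.address, resources: msg.resources };
}
// Constructed sample message (placeholder address and nonce, not real values).
const SAMPLE = ["example.com wants you to sign in with your Ethereum account:",
  "0x0123456789abcdef0123456789ABCDEF01234567", "", "Sign in to the example dashboard.", "",
  "URI: https://example.com/login", "Version: 1", "Chain ID: 1", "Nonce: 32891756",
  "Issued At: 2023-02-06T10:00:00Z", "Expiration Time: 2023-02-06T10:10:00Z", "Resources:", "- https://example.com/api"].join("\n");
```

Calling verifySiweMessage(SAMPLE, …) twice with the same nonce store succeeds once and is then rejected as a reused nonce, which is the replay protection the nonce exists for.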

SIWE can be used in a wide range of industries to improve the security, efficiency, and user experience of digital identity management processes. By leveraging the benefits of the Ethereum blockchain, “Sign in with Ethereum” is set to become a powerful tool for various industries to improve the way they manage and control digital identity and data.

Great graphic from Bappaditya Mallick’s article on SIWE

Benefits of SIWE

One of the key benefits of SIWE is the ability for individuals to own their data. With this system, users would have full control over their personal information and the ability to decide how it is used and shared. This gives users the power to make informed decisions about their data and avoid the risks associated with having their information stored and managed by third-party organisations.

EIP-4361 would also provide greater security and privacy, as users would have full control over their keys and access to their data. This would reduce the risk of fraud, cyber attacks, and data misuse. Additionally, EIP-4361 would give users the ability to manage their digital identity directly, without the need for intermediaries, reducing the risks associated with centralization and giving users greater control over their online presence.

In addition, if you control your own data, you can take advantage of new opportunities and services that emerge, without being locked into a single company or platform. This gives you greater flexibility and control over your online identity and presence.

Moreover, if you control your own data, you can potentially monetize it, either by selling access to it or by using it as a way to earn rewards or compensation. This gives you greater financial power and control over your personal information.

In summary, EIP-4361 has the potential to revolutionise the way we think about digital identity and give individuals the ability to own their data and control their online presence. This would have far-reaching implications for privacy, security, and freedom in the digital world.

As Alexandros Pappas notes in his article, one potential avenue for increasing the usefulness of SIWE is incorporating decentralised identifiers (DIDs) and verifiable credentials for even more user control and privacy. Another possibility is cross-chain support, enabling use of EIP-4361 across different blockchain networks for increased interoperability. Additionally, EIP-4361 may support SIOPv2, an update to Simple Identity Onion Protocol (SIOP) for enhanced privacy and security. Finally, support for EIP-712, a more complex structured-data format for message signing, is a potential future addition to EIP-4361.

Implementation:

EIP-4361 holds the promise of a new and more secure approach to digital identity management, but its implementation is not without challenges. In addition to the technical requirements for both wallet providers and relying parties, there is also a coordination game problem to consider.

For EIP-4361 to be successful, both wallet providers and relying parties must implement the necessary changes in a coordinated manner. If one party implements the changes but the other does not, the user experience will be compromised, and the potential benefits of EIP-4361 will not be fully realised.

This coordination game adds an extra layer of complexity to the implementation of EIP-4361, but it is a challenge that can be overcome with careful planning, open communication, and a commitment to improving the security and privacy of digital identities. Thankfully there is great work being done in this field by Spruce, a company that is working to grow SIWE adoption to make the internet more user-first.

Additionally, the regulatory landscape for digital identity management is still evolving, and there may be limitations on the use of SIWE in certain jurisdictions. This could impact its ability to gain widespread acceptance and be adopted on a global scale.

Conclusion

To sum up, the current system of digital identity management is fragmented, centralised, and lacking in security and privacy. Big tech companies that manage users’ personal information and credentials have a questionable track record of protecting user data.

SIWE is a proposed standard for signing messages and transactions in the Ethereum network that aims to provide a secure and user-friendly way of interacting with Ethereum-based applications and services. The adoption of a decentralised system for digital identity management could bring greater security, privacy, and control to users.

It’s important to note that this is a vast subject with many potentially captivating new applications for the internet, and we plan to keenly monitor this space as we anticipate a plethora of intriguing projects emerging as a result of this transformation. For more information about SIWE, I recommend checking out this Bankless podcast, as well as the SIWE website.

Please reach out if you have any thoughts on the article, and make sure to follow me on Twitter for updates on all things web3 & ZK.

Also, if you found this article helpful please follow and check out this other article on “Why AI Needs Zero Knowledge Proofs”.