From EIP-4361: exploring the transformation from Web2 to Web3 account systems

23-03-31 22:00
Original title: "Institute of All Things: From EIP-4361, exploring the transformation of the account system from Web2 to Web3"
Jason, Institute of All Things




Last week MetaMask announced support for EIP-4361. Many people are confused by this proposal: on the surface it looks little different from an ordinary signature request.




EIP-4361 is a proposed technical standard for Sign-In with Ethereum (SIWE), a decentralized authentication method that lets users sign in to services with their Ethereum account and keep control of their identity, instead of relying on the username/password authentication operated by centralized companies. Vitalik previously named Ethereum login as one of the three biggest opportunities for Web3 in 2023, saying that any technology that helps Ethereum wrest login rights away from centralized monopolies such as Facebook, Google and Twitter will ultimately give it greater market dominance in Internet applications. The login system is therefore part of Vitalik's vision for reaching the next billion users.


In fact, I can feel the anxiety inside Ethereum now. Although Ethereum's position currently seems unshakable, it faces strong competitive pressure, especially from new high-performance public chains such as Aptos and Sui and from the application-chain ecosystem represented by Cosmos. This is why Ethereum has to be so resolute about moves such as PoS, Layer 2 and sharding, which strengthen its hand on consensus and performance. On the other hand, it is also working harder on consumer-facing entry points such as ENS and login, building its own moat by binding itself tightly to end users. It is also worth noting that there are three supporting parties behind EIP-4361: the Ethereum Foundation, ENS and Spruce. Apart from the Ethereum Foundation, the other two are both DID companies, so to some extent two DID companies are setting an industry standard together with the Ethereum Foundation, and the standard cannot be completely neutral. The document is indeed deeply bound to ENS, including the ability to resolve ENS domain names.


Spruce is a relatively new company. Its mission is to let users control their personal data, and it is backed by a number of star investors including a16z and YC. Self-sovereign identity (SSI), which falls under the category of DID, lets individuals control their own identity data, including deciding which third-party applications may use it and how. If DID is usually understood as proving who you are after data has been collected, SSI focuses on authorization, usage and management at the data level.




Before discussing Sign-In with Ethereum, we need to look at the traditional account login system and the existing connect-wallet signature flow, in order to understand how SIWE differs from them and where its advantages lie.


The traditional account login system stores the user's account centrally, in the form of a mobile phone number, email address, password and so on, and uses it for login and verification. Because the account lives entirely in a centralized database, problems such as phone number cancellation, number reassignment and data leakage follow. It went through two stages of development. Before the emergence of giant Internet companies with their own ecosystems, represented by Tencent and Alibaba, each company, or even each product, maintained its own user account system. Typically there was a user table holding all of a user's account information, including name, password, mobile phone number and email address. Each registration inserted a row into that table, and subsequent logins matched the username and password against it.


Managing many accounts and passwords is troublesome for users, and they are easily lost or forgotten. For convenience, many users set the same account name and password across all products, so as soon as one product's database leaks, attackers use credential stuffing (database collision attacks) to log in to all the other products in bulk. Later, mobile phone verification came into wide use, but then every change of mobile phone number becomes a hassle in itself.


Later, once Tencent and Alibaba had their own product matrices and ecosystems, it became very troublesome for users to log in across those products and switch between different accounts. The bigger problem was that the accounts of each product were isolated, so Tencent and Alibaba could not make full use of user data. For example, I bought bed sheets on Taobao and then ordered takeout from Ele.me; data analysis could in principle label me a "working single youth", but because the two products had separate account systems, there was no way to know that the users of the two products were the same person.


The solutions were, for example, mobile-number registration, so that all products registered with the same phone number are known to belong to the same person, and single sign-on or unified login, the most common being WeChat login; the following figure is the flow chart of WeChat login. When users log in with WeChat, the redundant steps of re-registering and managing another account disappear, the threshold for trying a third-party product is lowered, and the product acquires customers more easily. For WeChat, every additional user and third-party product that uses WeChat as its login entry point greatly strengthens its competitive barrier.


[Figure: WeChat login flow chart]


Consumer (to-C) login systems can use the solutions of ecosystem companies such as Tencent and Alibaba. Enterprise (to-B) login systems face even more trouble: as a company grows, the products used internally come from many sources, including third-party custom procurement, SaaS vendors and in-house development, and a large number of employees brings a large number of permissions, data security issues and so on. How to let tens of thousands of employees use hundreds of internal products smoothly and safely is therefore also a problem that needs solving, and companies such as Authing and Okta provide single sign-on solutions for enterprises.


The above is the main evolution of the traditional Web2 account identity system over the past 20 years. For ordinary users, the most intuitive difference in the Web3 experience is that one wallet works across all Web3 products, which is the most direct way for users to feel what a global, blockchain-based network means: a truly "connected" web.


However, because assets live on-chain, everyone is responsible for their own security; there is no longer a third-party platform with the responsibility and obligation to safeguard users' funds, as there is in Web2. As a result, users are exposed to a large number of phishing websites, and assets can be stolen as soon as the relevant signature or authorization is given. In particular, wallets such as MetaMask currently disclose too little information during an interaction and the readability is very poor; in most cases people without a technical background cannot even understand what the pop-up asking for a signature or authorization means. Strict standards should therefore be set for any action that requires a user signature or authorization, and users should be fully informed of what will be executed.


EIP-4361 specifies a standard process by which an Ethereum account authenticates to an off-chain service by signing a message in a standard format, structured with session details, security mechanisms and scope presented as standard fields. This gives developers the infrastructure to build a unified identity layer for Web2 and Web3 applications. The process is free for users: it only requires signing a message, no transaction is sent to the blockchain, and no gas is paid to miners.


As the document states, "as a web2 company, you will have the opportunity to be the first point of contact for users entering web3 and to help them control their digital identity." SIWE hopes to make more Web2 products accessible by standardizing the process of connecting a wallet, sending a signature and completing login, and to make it just another login option: in the same way that a product today offers Google login, Twitter login and Facebook login, it can add an Ethereum login, and through that login portal SIWE can reach the very large user base of Web2 products.


The incentive for Web2 products to adopt SIWE is that they can offer services tailored to the on-chain assets a user discloses. Logging in with Google or Twitter only completes the login itself, but logging in with Ethereum allows more specific services based on the assets the user holds, for example a 20% discount for owners of a particular NFT.



The proposal for EIP-4361 is at https://eips.ethereum.org/EIPS/eip-4361. Below are the SIWE message template, the complete ABNF and the corresponding wallet window. The message lays out, in a structured and standardized way, the statement the user is being asked to sign, the URI being logged in to, the current Version, the Chain ID to log in on, the Nonce that prevents replay attacks, the Issued At time of the login and the Expiration Time after which it is no longer valid.


ABNF is Augmented Backus-Naur Form, a formal notation for describing the syntax of a language or a bidirectional communication protocol. The complete ABNF grammar is the core of EIP-4361, because it is what standardizes the login process.


[Figure: SIWE message template, full ABNF grammar and the corresponding wallet sign-in window]


As mentioned above, ENS is behind EIP-4361, so the proposal also embeds ENS fairly deeply. With SIWE, ENS data can be resolved, including the ENS name, the ENS avatar and any other resolvable resource specified in the ENS documentation. As the figure below shows, an ENS name can bind a wide range of information, including wallet address, email, Discord, Twitter and more.


[Figure: records that an ENS name can bind]


In addition to standardizing login, EIP-4361 can also prevent phishing attacks to a certain extent; currently large numbers of users have assets stolen by phishing websites every day. The EIP-4361 login flow on the wallet side has three steps:


1. Verify the message: check that the message to be signed conforms to the ABNF standard format.


2. Verify the domain name: if the message meets the EIP-4361 login criteria, the wallet checks that the URL of the page that initiated the login matches the domain submitted in the message, so that the user is not signing a login for a site other than the one they are on.


3. Then create the Ethereum login pop-up. The current specification requires that all terms be fully displayed to the user and that the user scroll to the bottom before signing, much like the user agreements of many apps, which make you scroll to the bottom so that, at least nominally, the content has been read before the next step.


The design specification mentions four requirements:


1. It must render a page that a human being can understand. Most wallets today show machine-oriented content such as JSON, hexadecimal encoding and base encoding, which is the problem with current wallet interaction mentioned above: a non-technical user has no idea what they are agreeing to when they click.


2. The application back end must provide full support on its own side without forcing wallets to be modified, which mainly means there should be no experience threshold for users accessing SIWE.


3. Applications and wallets that already use SIWE should have a simple, direct upgrade path. As mentioned above, a Version number identifies the SIWE message format, and subsequent SIWE upgrades should remain compatible with it.


4. Be prepared for replay attacks and malicious signatures.
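As an added example (not code from the article, from EIP-4361 or from any SIWE library), the following Python builds a message in the EIP-4361 template described above, parses it back (the wallet's format check, step 1), and performs the server-side counterpart of the domain check (step 2) plus the one-time nonce and expiry checks that address the replay attacks named in point 4. All domains, addresses and nonces are constructed sample values; recovering the signer from the EIP-191 signature is assumed to be done by an Ethereum library beforehand and is not implemented here.

```python
import re
from datetime import datetime, timezone

# Template fields emitted and parsed here (optional Not Before/Request ID/Resources omitted).
FIELDS = ["URI", "Version", "Chain ID", "Nonce", "Issued At", "Expiration Time"]

def build_siwe_message(domain, address, statement, uri, chain_id, nonce, issued_at, expires):
    """Render the plaintext the wallet displays and signs with EIP-191 personal_sign."""
    return "\n".join([
        f"{domain} wants you to sign in with your Ethereum account:", address, "",
        statement, "",
        f"URI: {uri}", "Version: 1", f"Chain ID: {chain_id}", f"Nonce: {nonce}",
        f"Issued At: {issued_at}", f"Expiration Time: {expires}"])

def parse_siwe_message(text):
    """Step 1: check the message against the template (statement assumed present)."""
    header, address, gap1, statement, gap2, *rest = text.split("\n")
    m = re.fullmatch(r"([\w.-]+(?::\d+)?) wants you to sign in with your Ethereum account:", header)
    if not m or gap1 or gap2:
        raise ValueError("header does not match the EIP-4361 template")
    if not re.fullmatch(r"0x[0-9a-fA-F]{40}", address):
        raise ValueError("address is not a 20-byte hex address")
    msg = {"domain": m.group(1), "address": address, "statement": statement}
    for line in rest:
        key, sep, value = line.partition(": ")
        if not sep or key not in FIELDS or key in msg:
            raise ValueError(f"unexpected or duplicate field: {line!r}")
        msg[key] = value
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", msg.get("Nonce", "")):
        raise ValueError("Nonce must be at least 8 alphanumeric characters")
    return msg

def _ts(rfc3339):
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00")).astimezone(timezone.utc)

def verify_login(text, expected_domain, issued_nonces, now):
    """Steps 2-3 on the server: domain binding, one-time nonce, expiry window.
    Signer recovery from the EIP-191 signature is assumed done by a wallet library."""
    try:
        msg = parse_siwe_message(text)
    except ValueError as e:
        return False, str(e)
    if msg["domain"] != expected_domain:
        return False, "domain mismatch: message was issued for another site"
    if msg["Nonce"] not in issued_nonces:
        return False, "unknown or already used nonce (replay)"
    if _ts(now) >= _ts(msg["Expiration Time"]):
        return False, "message expired"
    issued_nonces.discard(msg["Nonce"])  # single use: a captured signed message cannot be replayed
    return True, msg["address"]
```

A signed message presented a second time fails because its nonce was consumed on first use, and a copy relayed from another site fails the domain check even though the signature itself is valid.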


The document also raises the key management problem. SIWE hopes that many Web2 products will adopt it and bring more users from outside the crypto circle into Web3, but mainstream users are used to the "recover password" feature of Web2 products, whereas in Web3 a lost private key cannot be recovered. The education threshold on this point is very high for the mass of Web2 users, and in fact we are looking to the spread of account abstraction (AA) wallets to solve it effectively.


The above is our reading of the transformation from Web2 to Web3 account systems through the lens of EIP-4361. EIP-4361 itself is not as momentous an event as account abstraction or the Shanghai upgrade; it is more a matter of establishing an industry standard, and it will gradually improve the experience of both Web2 and Web3 users.



