The age of email/password login is coming to an end.
Typically, when signing in to a "web2" service, you use a username or email address and a password. The service looks up your username or email address in its internal database and checks whether the stored password matches the one you provided. If it does, a random session key is generated for subsequent requests and is typically stored in a cookie.
A new specification, EIP-4361: Sign-In with Ethereum, aims to change how we sign in to web2 services by using a method already common in web3 services (such as wallets and dapps).
How it works
EIP-4361 describes an authentication method for existing web2 services that uses signed messages. Instead of using a combination of a username and password, you can use your private key (with corresponding address) to authenticate. For example, you could sign a message like this using your private key:
Example.com wants you to sign in with your Ethereum account:
0x4bbeEB066eD09B7AEd07bF39EEe0460DFa261520

URI: https://example.com/login
Version: 1
Chain ID: 1
Nonce: 12345
Issued At: 2021-11-01T12:25:24Z
EIP-4361 defines a standardised format, specified in augmented Backus–Naur form (ABNF), for these authentication messages so that the service you want to log into can verify them. The message is signed according to the EIP-191 specification, which is already widely supported by wallets. Logging in does not require a password: you simply sign the message with your private key and you're done. The server verifies the signed message and generates a session key to store in a cookie.
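As an added illustration (not code from the proposal or from login.xyz), the Python below parses a message in the layout shown above, builds the EIP-191 envelope a wallet actually signs, and runs the checks a server owes beyond verifying the signature: domain binding, chain ID, single-use nonce and time window. Recovering the signer address from the signature (keccak-256 plus secp256k1) needs an Ethereum library and is assumed to happen separately; the helper names, sample message and clock are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
# Parser and server-side checks for the EIP-4361 layout shown above (hypothetical helper
# names). The statement line and Expiration Time are optional fields in the specification.
SIWE_RE = re.compile(
    r"^(?P<domain>\S+) wants you to sign in with your Ethereum account:\n"
    r"(?P<address>0x[0-9a-fA-F]{40})\n\n"
    r"(?:(?P<statement>[^\n]+)\n\n)?"
    r"URI: (?P<uri>\S+)\nVersion: (?P<version>\d+)\nChain ID: (?P<chain_id>\d+)\n"
    r"Nonce: (?P<nonce>[A-Za-z0-9]+)\nIssued At: (?P<issued_at>\S+)"
    r"(?:\nExpiration Time: (?P<expiration>\S+))?"
)

# Constructed sample message and server clock (address copied from the example above).
SAMPLE = (
    "example.com wants you to sign in with your Ethereum account:\n"
    "0x4bbeEB066eD09B7AEd07bF39EEe0460DFa261520\n\n"
    "URI: https://example.com/login\nVersion: 1\nChain ID: 1\n"
    "Nonce: k7Tq9pLm2X\nIssued At: 2021-11-01T12:25:24Z\n"
    "Expiration Time: 2021-11-01T12:35:24Z"
)
SAMPLE_NOW = datetime(2021, 11, 1, 12, 30, tzinfo=timezone.utc)
def parse_siwe(text):
    m = SIWE_RE.match(text)
    if not m:
        raise ValueError("not a well-formed EIP-4361 message")
    return m.groupdict()  # unmatched optional fields come back as None

def eip191_envelope(message):
    """Bytes the wallet keccak-256 hashes and signs under EIP-191 personal_sign (version 0x45)."""
    body = message.encode("utf-8")
    return b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # accept the RFC 3339 'Z' suffix
def validate(fields, expected_domain, expected_chain_id, issued_nonces, now, max_age=timedelta(minutes=10)):
    """Checks the server still owes once the signature recovers fields['address']; returns failures."""
    problems = []
    if fields["domain"] != expected_domain:
        problems.append("domain mismatch: message was signed for another site")
    if fields["version"] != "1" or int(fields["chain_id"]) != expected_chain_id:
        problems.append("unsupported version or wrong chain ID")
    if len(fields["nonce"]) < 8 or fields["nonce"] not in issued_nonces:
        problems.append("nonce too short, not issued by this server, or already used (replay)")
    issued = _ts(fields["issued_at"])
    if issued > now + timedelta(minutes=1) or now - issued > max_age:
        problems.append("issued-at outside the accepted window")
    if fields["expiration"] and now >= _ts(fields["expiration"]):
        problems.append("message expired")
    return problems
```

After a successful signature recovery the server should consume the nonce, then issue its session cookie exactly as it would after a password login.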
Decentralised Data with ENS
EIP-4361 neatly integrates with the Ethereum Name Service (ENS). If an address has a primary ENS name (also called a reverse record) set, a service can look up this primary name and resolve data based on it. You could, for example, store your preferred username, profile picture, email address, or other arbitrary information in your ENS name. ENS also lets you specify addresses for other networks, such as Bitcoin and Litecoin.
This keeps you in control of your data and removes the need for web2 services to store this information about you. This could lead to a future where using authenticated, signed EIP-191 messages to log into authentication-gated apps is the standard, doing away with email/password combinations entirely.
This model is essentially a decentralised, 100% uptime “Gravatar” with user-owned data. Instead of one private entity holding the data, it is published to the Ethereum blockchain for apps to use. You have one identity across many applications, all authenticated against your signing wallet.
You can read the full proposal of this and read/listen to previous calls at https://login.xyz/.