> It’s no secret that the Ethereum login will soon become a user standard and passwords will no longer be needed.
That's some serious kool-aid that the author has been drinking.
Nothing worthwhile in the article, users will be asked in a popup to sign a message they don't understand and will click-through anyway, and this hyperbole is applicable anyway only to dApps on Ethereum.
The best alternative to JWTs looked like it was going to be https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html but the reference implementation and RFC have gone quiet, and these days JWTs are basically OK, the security problems are largely solved by more sensible defaults in most of the common language implementations.
Could you elaborate on why it’s so broken? The user signs a message with his private key, the backend verifies he signed the message using his public key proving the user‘s identity.
I believe this being the same protocol as passwordless ssh. Maybe I am being naive but if everybody got a wallet i.e. a public/private key pair couldn’t this eventually replace passwords altogether?
5 comments
[ 3.1 ms ] story [ 22.0 ms ] threadOh fuck off with this web3 bullsit.
They do need to keep that pump pumping.
That's some serious kool-aid that the author has been drinking.
Nothing worthwhile in the article, users will be asked in a popup to sign a message they don't understand and will click-through anyway, and this hyperbole is applicable anyway only to dApps on Ethereum.
The best alternative to JWTs looked like it was going to be https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html but the reference implementation and RFC have gone quiet, and these days JWTs are basically OK, the security problems are largely solved by more sensible defaults in most of the common language implementations.
I believe this being the same protocol as passwordless ssh. Maybe I am being naive but if everybody got a wallet i.e. a public/private key pair couldn’t this eventually replace passwords altogether?