5 comments

[ 3.1 ms ] story [ 22.0 ms ] thread
> A simpler way to authenticate users with web3 using signed messages

Oh fuck off with this web3 bullsit.

> Oh fuck off with this web3 bullsit.

They do need to keep that pump pumping.

> It’s no secret that the Ethereum login will soon become a user standard and passwords will no longer be needed.

That's some serious kool-aid that the author has been drinking.

Nothing worthwhile in the article, users will be asked in a popup to sign a message they don't understand and will click-through anyway, and this hyperbole is applicable anyway only to dApps on Ethereum.

The best alternative to JWTs looked like it was going to be https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html but the reference implementation and RFC have gone quiet, and these days JWTs are basically OK, the security problems are largely solved by more sensible defaults in most of the common language implementations.

The 'authentication' they've demonstrated there is completely broken, I hope this isn't in production anywhere.
Could you elaborate on why it’s so broken? The user signs a message with his private key, the backend verifies he signed the message using his public key proving the user‘s identity.

I believe this being the same protocol as passwordless ssh. Maybe I am being naive but if everybody got a wallet i.e. a public/private key pair couldn’t this eventually replace passwords altogether?