Do you love creating new accounts on every new website you visit? Then I’ve got some bad news for you. It’s going the way of the landline. The promise of one username and one login, everywhere, will finally be fulfilled.
Unified Login
Unified Login means that web apps can completely skip the signup step. That’s good for both creators and users. Fewer users abandon apps during signup, and potential users get to try out a new app before deciding to give out personal information.
We have a preview of unified login in mobile app stores, where apps often store data tied to your mobile account. For example, on Android there are many apps that you can download and use without ever signing up. They can sync the data to a new phone that logs in with the same Google account. Of course, unified login on mobile is only “unified” within the platform you’re on: Google or Apple. Neither platform has successfully translated this monopoly to the web app space.
On the web, many organizations have tried and failed to capture significant share, for a number of reasons. One important reason is that developers are hesitant to tie such an important part of their system to a 3rd party. Developers also give up a lot of power by using unified login, which enables the 3rd party to make demands under threat of removing user authentication at their whim. Developers would have much less business risk with a unified login if it were possible to set up without any 3rd party at all. That sounds like a problem that Ethereum was meant to solve!
How Ethereum Replaces Third Parties
With Ethereum, we can define a service that follows a set of rules, so that no one can alter the deal. Ethereum does this with code that executes verifiably on a blockchain. Everyone can see what the code is, and no one can modify the code after it’s burned into the chain. I call this “open execution” — like open source, but you can verify exactly what code is running, even when it’s running on someone else’s computer. This is beneficial for the most basic applications, like requiring agreement from two out of three designated people before initiating a large transfer.
With only a little more work, Ethereum enables you to write code to act as an escrow. Imagine that you’re buying tickets to a concert online, and you want to be sure that you get the tickets at the same time as the seller gets paid. Without Ethereum, that transaction requires that a third party manage the process, and if something goes wrong, you’re at the mercy of that escrow company (e.g. StubHub, Ticketmaster, etc.). With Ethereum, you can use a short bit of code to verify that the tickets are legitimate, and guarantee that you will receive your tickets in exchange for the money. The seller gets reciprocal guarantees: that you control the funds needed for the purchase, and you can’t run away with the tickets without paying. That is the magic of Ethereum. It’s not a far reach to extend the features of Ethereum to unified login.
What follows is an imagined future, so far out that it’s sure to get details wrong in amusing ways. A lot of the major components are possible today, but there’s still a decade’s worth of infrastructure needed before broad adoption is possible. Unified login won’t happen for the masses tomorrow, or even next year. But it’s such a worthy goal that we should be building toward it, right now.
Imagining Unified Login, with No Third Party
In this future: your favorite browser, like everyone’s, includes native access to the Ethereum blockchain. An account was created automatically on install, without contacting any website. From then on, you can prove that you control account 0x5B2063246F2191f18F2675ceDB8b28102e957458 to any website that asks. That’s a mess that no one wants to look at, and it only deals with a single device; both are issues we’ll address shortly. First, let’s review the basic concept of logging in.
You visit a new website that you’ve never seen before. The web app is Ethereum-aware, though it is not necessarily Ethereum-only code. The website asks the browser to log you in using your Ethereum account (i.e. prove that you control your address). You’ve been around the block, so you have set your browser to automatically verify your account. Now the website knows that you “are” 0x5B2063246F2191f18F2675ceDB8b28102e957458. You can post a picture for your friends, meet in virtual reality, send a message to Martianauts, or whatever that website offers. Later, you can return to the website and the app will continue to recognize your same account number. Congratulations, you have just skipped the signup process, and the web developer can securely give you access to the data that you created on their app. Unified login is surprisingly simple with Ethereum.
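The login exchange described above, as an added example that is not code from this post or from any Ethereum project: the site issues a fresh challenge naming its own origin, the browser signs it, and the site accepts the proof once. Assumptions: the names `LoginServer`, `browserSign` and `accountId`, the message wording and the example origins are hypothetical, and because Node's standard library has no Keccak-256 or public-key recovery, the block signs with ECDSA over secp256k1 with SHA-256 and passes the public key explicitly instead of recovering an Ethereum address from the signature.

```javascript
// Added example. Stand-in crypto: Node has no built-in Keccak-256 or key
// recovery, so this signs with ECDSA/secp256k1 + SHA-256 and passes the key.
const crypto = require('node:crypto');
const CHALLENGE_TTL_MS = 60_000;

// Stand-in for an Ethereum address (assumption): tail of a hash of the key.
function accountId(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return '0x' + crypto.createHash('sha256').update(der).digest('hex').slice(-40);
}

class LoginServer {
  constructor(origin) { this.origin = origin; this.pending = new Map(); }

  // Step 1: issue a fresh challenge that names this site's origin.
  issueChallenge(now = Date.now()) {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.set(nonce, now + CHALLENGE_TTL_MS);
    return `${this.origin} wants you to log in. nonce=${nonce}`;
  }

  // Step 3: return the account id if the proof is valid, otherwise null.
  verify(message, signature, publicKey, now = Date.now()) {
    const m = /^(\S+) wants you to log in\. nonce=([0-9a-f]{32})$/.exec(message);
    if (!m || m[1] !== this.origin) return null;   // signed for another site
    const expires = this.pending.get(m[2]);
    this.pending.delete(m[2]);                      // single use, even on failure
    if (expires === undefined || now > expires) return null; // replayed or stale
    const ok = crypto.verify('sha256', Buffer.from(message), publicKey, signature);
    return ok ? accountId(publicKey) : null;
  }
}

// Step 2 (browser side): sign only a challenge naming the origin being visited.
function browserSign(message, currentOrigin, privateKey) {
  if (!message.startsWith(currentOrigin + ' ')) return null;
  return crypto.sign('sha256', Buffer.from(message), privateKey);
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const site = new LoginServer('https://app.example');
  const msg = site.issueChallenge();
  const sig = browserSign(msg, 'https://app.example', privateKey);
  const first = site.verify(msg, sig, publicKey);    // fresh proof
  const replay = site.verify(msg, sig, publicKey);   // same proof again
  const relayed = new LoginServer('https://other.example').verify(msg, sig, publicKey);
  return { first, expected: accountId(publicKey), replay, relayed };
}
```

The nonce, expiry and origin checks are what keep a captured proof from being reused later or presented to a different site; the signature alone only shows that the key holder signed that text at some point.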
People are so picky, though: they demand having nicknames instead of 20-byte hex-encoded strings... We can fix that by creating usernames. The old way for web apps to create usernames was that whoever signed up first got to pick from whichever names were not yet claimed. Every new app went through the same process from scratch. Back then, you had to remember which username went with which app, like a savage. Luckily, you have purchased your favorite nickname in an Ethereum Name Service auction, costing you roughly 0.001 eth (about $4). After linking the name to the address, every website can show you as logged in with your chosen name: brave-sir-robin.eth. On every site you visit, whether you’ve been there before or not, the site will use this same name. If you have a nice conversation with a stranger on the street, you can give out your .eth username, and they can find you on whichever platform they prefer. They could even send you a message on a website that you have never visited, and the site could verify that you’re allowed to read the message on your first visit.
The number of devices you use has grown over time. You still want to be able to log in to your favorite sites from all your devices: desktop, laptop, phone, kitchen countertop, eye implant, etc. You have a hardware key to connect all your devices securely. It’s used only when you want to add a new device to your approved list or decommission a device before selling it. The rest of the time, your key is stored in a safety deposit box, which is the only reason you still have an account with the bank. Your .eth name is technically tied to your hardware key, but websites recognize the list of approved accounts as able to authorize with your name.
Further, each of the devices has more than one profile. You can browse most sites with your unified .eth username, and for special sites you can switch to a second profile connected to an unrelated name: not-my-real-account.eth. Switching names provides anonymity, but still gives you a persistent account. You like long-running discussions about anarcho-syndicalism on a radical message board, but you don’t like being repressed.
How Far Away is the Future?
Ethereum has been live for two years now; you can create your own account without asking any company for permission. Developers can deploy new contracts at any time. You can buy names on the Ethereum Name Service (ENS), which is now a few months old.
ENS comes with some caveats. You can only buy names that are 7 characters or longer. Technically, there are no promises about how the system will work in a couple years, when it will be upgraded to the final implementation (and allow short names).
There is a proof-of-concept browser called Mist that shows how all future browsers might work. Mist is usable for the adventurous, but has a bit of work to do before it’s fully stable. Alternatively, you can use Metamask to patch Ethereum into Chrome, with other browsers to come. It’s a useful trick, but will never be quite as fast and secure as native support is. It will be quite a while before popular browsers natively support Ethereum, though.
Since traditional apps have no reason to expect native Ethereum browser support currently, they have little to gain from integration. At first, only apps that require Ethereum to run for other reasons will include login by Ethereum account, like the ticket escrow example from earlier. As soon as some of those apps become broadly popular, browsers will feel more pressure to support Ethereum natively. After traditional apps see this change, they will start to see how much they have to gain from unified login. The developers may not want or need Ethereum for any other purpose, but unified login can be enough. That adoption path is long and winding, so it wouldn’t surprise me if broad adoption took ten years or more. New Ethereum apps, however, don’t have to wait at all. They should begin the work immediately.
Whether you are a current or future Ethereum app user, you can kick off the auction for your .eth username today! Depending on your technical expertise and local setup, different options here may be best for you:
- myetherwallet: excellent web tool; my first successful experience with ENS; a bit low-level
- ethtools ens: web tool for registration; looks neat
- go ens: a command line tool written in Go; looks neat
- npm ethers-ens: a JavaScript API; looks neat
- ens.py: Python API for ENS one-liners; shameless plug of my free tool