Adding EIP-4361 Support for 1wallet (sign-in with Ethereum)

Name of Project

Adding EIP-4361 Support for 1wallet (Sign-in with Ethereum) and proposing a pipeline for integrating seamless multi-factor authentication (as proofs) using Silent Auth.

Proposal overview

As the title suggests, we will implement EIP-4361 (Sign-in with Ethereum / SIWE) [1] for 1wallet [2]. There are three major goals here:

  • Implementing the SIWE specification [5] and integrating with 1wallet [3]
  • Testing the integration with dApps in the Harmony ecosystem
  • Establishing a pipeline to add web3-native multi-factor authentication to 1wallet via Silent Auth (based on proofs)

Let’s discuss each of these below:

  • Implementing the SIWE specification and integrating with 1wallet
    Why 1wallet?
    1wallet [3] has shown a strong promise owing to its non-custodial nature, design philosophy, security, and simplicity as compared to contemporary wallet designs. The necessity to type “mnemonic words” or “seed phrases” has limited adoption by a wider user base into the blockchain ecosystem. By removing this need with the help of a One-Time Password (OTP), 1wallet reduces the burden on the user’s end by denying the possibility of theft of private keys and passwords which are typically stored on the client-side in other major wallets. The adaptive, composable, and programmable nature of 1wallet further helps in boosting its adoption.

  • Motivation for such an integration
    1wallet and SIWE together can enable strong and usable authentication which has been a major challenge for web-technologies for decades. Web2 modalities such as passwords or centralized IdPs (identity providers) control all the access and consume user data. On the contrary, SIWE with 1wallet would enable a decentralized, non-custodial, and on-the-go authentication with minimal user friction. While SIWE fixes the woes caused by centralized and centrally controlled IdPs, 1wallet is improving the user experience for the wallet ecosystem. Therefore, an integration of the two can solve major challenges and improve the state-of-the-art of web authentication.

The web2 world is on its way to adopt SIWE pretty soon as the de facto method to sign-in to web2 services. 1wallet is perfectly positioned in this world due to its self-custodial nature and the penetration of smartphones to use as a second-factor authenticator (currently using Google Authenticator).

In a recent community call of SIWE, it was mentioned that:
“After talking to many companies about SIWE adoption, we found that many wanted to consolidate the Sign-In with Ethereum workflow to a single service that could be used to access their entire ecosystem using OpenID Connect to forward the user authentication. This reduces management overhead while also mitigating security risks for larger customers that have many services for their users to access within their product ecosystem.”

Also, the OpenID Connect support of SIWE will be further driven by a self-issued OIDC provider (SIOP) [4]. Essentially, this means users can be their own identity provider (IdP). This is a significant step towards decentralization of authentication and self-certification.

All links are in the Google Doc mentioned at the end of the article. As a new user on the site, I’m unable to put more than 4 links in this proposal.

  • Alignment of Vision (1wallet, Harmony, and Silent Auth) and Building multi-factor-auth on top of SIWE and 1wallet:

Silent Auth is a multi-factor authentication suite being developed by Silence Laboratories which reimagines privacy-preserving, peer-to-peer, and usable authentication among users and devices by combining cryptography, sensor fusion, and design science. The Silent Auth framework enables a secure, invisible, and effortless user experience for humans and machines using both web2 & web3.

Alignment: 1wallet currently requires the use of Google Authenticator to generate the Time-hashed One-Time Passwords (TOTPs). This is inherently provided by the Silent Auth application as well. This opens up the possibility of using our phone as a single, interoperable and offline passport to the digital world (offchain, onchain, and cross-chain according to Harmony’s vision)!

The visions are aligned in the sense that 1wallet is positioning to support adaptive and composable authentication i.e. a fusion of multiple mechanisms together. For example, guardians, Private key signatures, multiple Google Authenticator codes are being proposed for sensitive operations such as sending large sums of tokens, destroying the wallet, adding/removing identities, etc. By design, Silent Auth is multi-modal and adaptive. This will amplify the benefits for 1wallet.

  1. Compared to standard adaptiveness of network security which is based on the perception of risk using network layer parameters (location, IPs, device ids) and the nature of transactions, Silent Auth adds an extra layer for the perception of risk: physical context and understanding of spatial and temporal parameters governing dynamics of the users. Multi-modal risk estimation brings more confidence to the community.

  2. Silent Auth has step-up adaptive modes which are governed by risk-estimation. The differentiator here lies in the seamless user experience irrespective of risk of capital. Even for the highest risk level, we don’t expect the person to do multiple steps or type multiple codes. Instead, we use more layers of confirmations using checks that we perform through context-aware signals measured by the sensors on the device. For example, a low-risk transaction using 1wallet can be done without even touching the authenticator application, and for the highest risk cases, the user would be asked to perform certain movements/gestures with the phone. Silent Auth builds and checks randomness from contexts and checks user response through multi-dimensional lenses.

  3. These are possible because Silent Auth is a “proof-based-authentication” framework on top of MFA/2FA architectures as used in Google Auth or any other authenticator (both TOTP and push-based) provided by IAMs (Identity Access Management provider).

Silent Auth brings the proof of possession of the token (a phone or another smart device with an authenticator registered with 1wallet). For high risk, Silent Auth does check if the web app accessing 1wallet and the tokens are in proximity or not (not based on GPS, but instead by using a peer-to-peer communication channel). It also supports proofs of liveliness, colocation, device possession, and continuous authentication as well.

The benefits to 1wallet:

  1. Security: As mentioned, 1wallet requires two-factor authentications for sensitive operations. Silent Auth would be an enabling tool for that. Proof of proximity would deny any remote transaction or possibility of brute force attacks. Remote transaction attempts can be both friendly (members of a community granting access to non-members) or ill-intended. Brute force attacks have been mentioned in case either the authenticator or website is compromised. Proof of liveliness would negate possibilities of usage of wallet facilitated services by bots either in real-world or MetaVerse applications. These will complement the multi-layer authentication goals of 1wallet.

  2. Improving Composability: In current form, composability is based on entering multiple OTPs/proofs which would deter UX. Silent Auth rather suggests using different modalities for confirmations and proofs for high-risk transactions, without the user needing to type or interact multiple times. There are vulnerabilities that can help capture TOTP codes without user engagement. Silent Auth’s multi-modal verification and no exposure of any such codes negate such vulnerability exploits.

  3. User Experience: A large fraction of users find current authenticators to be distracting and not user-friendly. The modalities of looking up codes on a phone add 10+ seconds to their authentication experience. Hence, they tend not to adopt one if not mandated. While 1wallet improves upon traditional wallet authentication UX, the current necessity of typing in a two-factor auth code in 1wallet for multiple actions discourages users. Silent Auth brings a fresh and much faster interaction where the effort required from a user is little-to-none (less than 0.7 seconds in the riskiest of transactions).

Besides the above, we plan to propose a roadmap to support 1wallet authentication for physical world crypto applications in the Harmony ecosystem as well wherein Silent Auth could be deployed on custom hardware devices (like physical NFTs).

Founding Team of Silence Laboratories comprises experts in cryptography, sensing, and design:

  1. Vladyslav Khomenko: Head of Engineering, Masters in Computer Science and Mathematics, Ukraine, >5 years of experience in security, communication and embedded systems.
  2. sidcode: CPO: 7+ years in finance, design, extended reality, crypto/web3, community building, and cyber-physical systems security R&D.
  3. Saket Chandra: Software Lead: CS Enthusiast, >4 years experience in software development and embedded systems
  4. Andrei Bytes: CTO: PhD (defending) CyberSecurity, >9 Years in Software Development and Security
  5. Dr. Jay Prakash: Founder: PhD, Sensing and Security, >6 Years experience in security and sensing algorithms

In summary, this is our proposal to implement EIP-4361 for 1wallet and improve the authentication experience for the entire blockchain ecosystem:

  1. Integration of code, documentation, and demo videos on EIP-4361, SIWE, and support for 1wallet.
  2. The features include signing a message, replacing a message with scopes/terms/conditions, and adding a field to the smart contract which enables EIP 1271 verification of the signature.
  3. Exploring integrations with seamless multi-factor authentication proofs using Silent Auth to increase usability, adaptiveness, and composability of 1wallet.

Thanks for reading!

Proposal ask

$50K

Metrics for success

  • Successful Sign-In With Ethereum across web services and applications using 1wallet (as demonstrated on login.xyz)

  • Testing the integration with dApps in the Harmony ecosystem (as defined in the previous sections).

  • Establishing a pipeline to add web3-native multi-factor authentication to 1wallet via Silent Auth.

External links

  1. Full proposal with links - Google Doc
  2. Silent Auth: the de facto multi-factor authenticator for web3 | Grants | Gitcoin
  3. https://silencelaboratories.com/silent-auth-login-mfa/
  4. https://login.xyz/ (for reference implementation and design).
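The relying-party side of the SIWE flow proposed above, as an added example that is not part of the original post and is not 1wallet or SIWE project code: it renders and parses the EIP-4361 message and runs the domain, nonce, expiry and EIP-1271 result checks a server would apply to a contract-wallet login. The function names and the sample domain, address and nonce are assumptions, and the statement field is treated as required to keep the layout to one case.

```javascript
const EIP1271_MAGIC = "0x1626ba7e"; // bytes4 that isValidSignature returns on success

// Render the fields in the EIP-4361 plaintext layout that the wallet signs.
// Narrowed case: statement is required; resources and Not Before are omitted.
function buildSiweMessage(f) {
  const lines = [
    `${f.domain} wants you to sign in with your Ethereum account:`,
    f.address, "", f.statement, "",
    `URI: ${f.uri}`, "Version: 1", `Chain ID: ${f.chainId}`,
    `Nonce: ${f.nonce}`, `Issued At: ${f.issuedAt}`,
  ];
  if (f.expirationTime) lines.push(`Expiration Time: ${f.expirationTime}`);
  return lines.join("\n");
}

// Parse the signed text back into fields; null on any layout mismatch.
// EIP-55 checksum validation of the address is left out here.
function parseSiweMessage(text) {
  const re = new RegExp(
    "^([^\\s/]+) wants you to sign in with your Ethereum account:\\n" +
    "(0x[0-9a-fA-F]{40})\\n\\n([^\\n]+)\\n\\n" +
    "URI: (\\S+)\\nVersion: 1\\nChain ID: (\\d+)\\n" +
    "Nonce: ([A-Za-z0-9]{8,})\\nIssued At: (\\S+)" +
    "(?:\\nExpiration Time: (\\S+))?$");
  const m = re.exec(text);
  if (!m) return null;
  const [, domain, address, statement, uri, chainId, nonce, issuedAt, expirationTime] = m;
  return { domain, address, statement, uri, chainId: Number(chainId), nonce, issuedAt, expirationTime };
}

// Relying-party checks. eip1271Return is the bytes4 the wallet contract's
// isValidSignature returned for the message hash; that call is the caller's job.
function checkSiweLogin(text, expected, eip1271Return) {
  const msg = parseSiweMessage(text);
  if (!msg) return { ok: false, reason: "malformed message" };
  if (msg.domain !== expected.domain) return { ok: false, reason: "domain mismatch" };
  if (msg.nonce !== expected.nonce) return { ok: false, reason: "nonce mismatch" };
  const exp = msg.expirationTime ? Date.parse(msg.expirationTime) : Infinity;
  if (Number.isNaN(exp) || exp <= expected.now) return { ok: false, reason: "expired" };
  if (String(eip1271Return).toLowerCase() !== EIP1271_MAGIC)
    return { ok: false, reason: "signature rejected by wallet contract" };
  return { ok: true, address: msg.address };
}

// Constructed sample: placeholder domain, address and nonce.
const SAMPLE = buildSiweMessage({
  domain: "app.example", address: "0x" + "ab".repeat(20),
  statement: "Sign in to app.example", uri: "https://app.example/login",
  chainId: 1666600000, nonce: "k3Jd82hsQ1",
  issuedAt: "2022-03-01T10:00:00Z", expirationTime: "2022-03-01T10:10:00Z",
});
```

The server must issue the nonce itself and invalidate it after one use; the domain comparison is what stops a message signed for one site from being replayed at another.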

Thanks for the proposal. I was asked to review this. I have the following questions:

  1. How much work is expected from other developers / apps in order to use this?
  2. Following (1), what are the benefits for other developers and apps, and why would they want to use this solution?
  3. What are the deliverables of the “exploring integrations” objective? Would it be more beneficial to complete this before other objectives so as to best use the resources?
  4. How much work is needed from 1Wallet side to support this? What are the recommended ways to use it as an option, and what are the steps of integration?

@sid – Just thought I would check in on this. Did you get a chance to address @aaronqli’s question?

Closing out this proposal since we have not received a response from @sid