The 0xPass Blog

Web3 Authentication 101

A primer of all the authentication and validation standards your dapp needs to support

0xPass
Apr 07, 2023

Hello 0xPass fam -

If you're a web3 developer looking to create rich, contextual user experiences with support for account abstraction, you'll need to be familiar with the following authentication and signature validation standards:

  • ERC-4361: Sign In With Ethereum

  • ERC-1271: Standard Signature Validation Method for Contracts

  • ERC-6492: Signature Validation for Predeploy Contracts

In this post, we'll delve into each of these standards.

If you find this content helpful, please consider sharing it with others and checking out our product, 0xPass.

We're also hiring a Founding Engineer [JD here] and possibly a Head of Growth too! Please let me know if you or someone you know would be interested :)

Wallet Connection vs Authentication

Connecting your wallet to a dapp lets it identify which account you're using without retaining any information about your identity. This used to be sufficient since dapps required users to sign every on-chain transaction.

However, with the evolution of dapps, there's a need to store user preferences and information to provide more contextual user experiences, which requires wallet authentication.

ERC-4361 → Sign In With Ethereum

Sign-In with Ethereum offers a solution for dapps to authenticate and create user sessions for wallets in a self-custodial manner.

By adopting this standard, dapps can improve the user experience while ensuring that the user remains in full control of their data.

The flow is simple: the user connects their wallet, then they're prompted to sign a message that proves they truly own the wallet they're claiming to hold, which in turn creates a user session.

Sign-In with Ethereum is a game changer. (Image source: https://blog.spruceid.com/sign-in-with-ethereum-is-a-game-changer-part-1/)

However, there's a catch - SIWE works with EOAs but not with smart wallets, which account abstraction relies on. This is where ERC-1271 comes into the picture.
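The signature is only half of the sign-in step above: the dapp's backend also has to confirm that the signed message was meant for it. The sketch below is an added example, not code from 0xPass or the SIWE libraries; it goes beyond the post by using the ERC-4361 message layout, and the sample message, the `expected` object and the function names are assumptions made for illustration.

```javascript
// Constructed sample message in the ERC-4361 layout (all values are made up).
const SAMPLE = [
  "example.com wants you to sign in with your Ethereum account:",
  "0x1111111111111111111111111111111111111111",
  "",
  "Sign in to the example dapp.",
  "",
  "URI: https://example.com/login",
  "Version: 1",
  "Chain ID: 1",
  "Nonce: k3Jx9QpL2vTz",
  "Issued At: 2023-04-07T10:00:00Z",
  "Expiration Time: 2023-04-07T10:10:00Z",
].join("\n");

const HEADER = /^(\S+) wants you to sign in with your Ethereum account:$/;

// Parse the header line, the address line and the trailing "Key: value" block.
function parseSiwe(message) {
  const lines = message.split("\n");
  const m = HEADER.exec(lines[0]);
  if (!m) throw new Error("not a SIWE message");
  if (!/^0x[0-9a-fA-F]{40}$/.test(lines[1])) throw new Error("bad address line");
  // Fields are the block after the last blank line, so the free-text
  // statement can never be mistaken for a field.
  const fields = {};
  for (const line of lines.slice(lines.lastIndexOf("") + 1)) {
    const kv = /^([A-Za-z ]+): (.+)$/.exec(line);
    if (kv) fields[kv[1]] = kv[2];
  }
  return { domain: m[1], address: lines[1], fields };
}

// Checks the server runs in addition to verifying the signature itself.
// expected.nonces is a Set of nonces this server issued; each is single-use.
function checkSiwe(message, expected, now = new Date()) {
  const { domain, address, fields } = parseSiwe(message);
  const problems = [];
  if (domain !== expected.domain) problems.push("domain mismatch");
  if (fields["Version"] !== "1") problems.push("unsupported version");
  if (fields["Chain ID"] !== String(expected.chainId)) problems.push("wrong chain");
  if (!expected.nonces.delete(fields["Nonce"])) problems.push("unknown or reused nonce");
  const exp = fields["Expiration Time"];
  if (exp && !(new Date(exp) > now)) problems.push("expired");
  return { ok: problems.length === 0, address, problems };
}
```

A session is created only when `ok` is true and the signature over the exact message text verifies for `address`.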

ERC-1271 → Standard Signature Validation Method for Contracts

We went over this standard in an earlier post as well, which you can find here.

Smart wallets can have arbitrary signature validation logic. Thus, ERC-1271 requires the verifier (the dapp) to call a function named isValidSignature on the smart wallet to validate a signature.

Quoting ERC-1271 -

isValidSignature can call arbitrary methods to validate a given signature, which could be context dependent (e.g. time based or state based), EOA dependent (e.g. signers authorization level within smart wallet), signature scheme Dependent (e.g. ECDSA, multisig, BLS), etc.

This function should be implemented by contracts which desire to sign messages (e.g. smart contract wallets, DAOs, multisignature wallets, etc.) Applications wanting to support contract signatures should call this method if the signer is a contract.

Awesome - problem solved! Or is it?

Smart wallets are counterfactual contracts, which means that contract deployment is deferred until the first user transaction for UX purposes.

So how will dapps authenticate users with an undeployed smart contract wallet? They can't access the isValidSignature function! This is where the latest proposal, ERC-6492 comes into play.

ERC-6492 → Signature Validation for Predeploy Contracts

At its core, ERC-6492 proposes a contract called the UniversalSigValidator, which validates smart wallet signatures.

There are two possibilities here -

  • Signature ends with a sequence of magic bytes

    • If a signature ends with a sequence of magic bytes we know that the smart wallet is undeployed.

    • At this point, the verifier, or the dapp in this case, can later simulate a deployment of the smart wallet and then validate the signature.

  • Magic bytes are undetected in signature

    • Proceed with ERC-1271

However, this ERC is still in review.
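Here is how a verifier can tell the two cases apart before making any RPC call. This is an added example, not code from the post or from the ERC's reference validator: it assumes the wrapper layout and magic suffix defined in ERC-6492, adds the plain EOA case as a third path, and takes `hasCode` (the result of an eth_getCode lookup on the claimed signer) as an input supplied by the caller.

```javascript
const MAGIC_6492 = "6492".repeat(16); // 32-byte ERC-6492 suffix, as hex

// Read the 32-byte big-endian word at byte offset `off` as a Number.
function word(buf, off) {
  if (off + 32 > buf.length) throw new Error("truncated ABI data");
  const v = BigInt("0x" + buf.subarray(off, off + 32).toString("hex"));
  if (v > BigInt(buf.length)) throw new Error("ABI offset or length out of range");
  return Number(v);
}

// Read a dynamic `bytes` value whose offset is stored in the head slot at `headOff`.
function dynBytes(buf, headOff) {
  const at = word(buf, headOff);
  const len = word(buf, at);
  if (at + 32 + len > buf.length) throw new Error("bytes field overruns payload");
  return "0x" + buf.subarray(at + 32, at + 32 + len).toString("hex");
}

// Undo the wrapper: abi.encode(address factory, bytes factoryCalldata, bytes sig) + magic.
// Returns null when the magic suffix is absent.
function unwrap6492(sigHex) {
  const hex = sigHex.toLowerCase().replace(/^0x/, "");
  if (hex.length % 2 || /[^0-9a-f]/.test(hex)) throw new Error("signature is not hex");
  if (!hex.endsWith(MAGIC_6492)) return null;
  const buf = Buffer.from(hex.slice(0, -MAGIC_6492.length), "hex");
  if (buf.length < 96 || buf.subarray(0, 12).some((b) => b !== 0)) {
    throw new Error("malformed ERC-6492 wrapper");
  }
  return {
    factory: "0x" + buf.subarray(12, 32).toString("hex"),
    factoryCalldata: dynBytes(buf, 32),
    innerSig: dynBytes(buf, 64),
  };
}

// Decide which check applies; the caller then performs it over RPC.
function validationPath(sigHex, hasCode) {
  const wrapped = unwrap6492(sigHex);
  if (wrapped) return { path: "erc6492", simulateDeploy: !hasCode, ...wrapped };
  return { path: hasCode ? "erc1271" : "eoa-ecrecover" };
}
```

The factory address and calldata arrive inside the signature, so they are supplied by whoever is signing in: use them only inside a simulated call, and ask isValidSignature of the address the user claimed rather than of whatever the factory call produced.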

Should dapps implement these standards?

Yes, they should. To bring all the account abstraction benefits to life, dapps need to implement all these standards. However, as a dapp developer, you can use open source libraries like Ambire’s Signature Validator.

How 0xPass handles these standards

Think of 0xPass as a wallet connector like RainbowKit but with built-in support for authentication, identity management, and account abstraction.

This allows us to hide all of the signature validation work from developers using our product, so they don't have to worry about implementing all these standards themselves! This is especially important as these standards evolve - as might be the case with ERC-6492.

Thank you for reading!

Feedback

If you’ve read this whole post, please give me some feedback! What do you like about these posts? How can we improve? Any other topics you want us to dive into?

References

  1. Ethereum Improvement Proposal 6492. Retrieved from https://eips.ethereum.org/EIPS/eip-6492

  2. Ethereum Improvement Proposal 1271. Retrieved from https://eips.ethereum.org/EIPS/eip-1271

  3. ERC-6492 and Why it's Important for AA. Zero Dev. Retrieved from https://docs.zerodev.app/blog/erc-6492-and-why-its-important-for-aa

  4. AmbireTech. Signature Validator. GitHub. Retrieved from https://github.com/AmbireTech/signature-validator

  5. Sign in with Ethereum is a Game Changer (Part 1). Spruce. Retrieved from https://blog.spruceid.com/sign-in-with-ethereum-is-a-game-changer-part-1/
