Skiff is thrilled to announce the release of a new option to log into Skiff with a MetaMask wallet. Tens of millions of individuals already browse the internet with an Ethereum address as a primary form of identity. Now, Skiff has joined the ecosystem of forward-looking services that offer them seamless access.
This integration is technically groundbreaking (see more below) and provides all Ethereum wallet-holders access to privacy-respecting, end-to-end encrypted, and decentralized collaboration. Internally, Skiff already functions a lot like a crypto wallet - safeguarding keypairs and other sensitive information for your documents, identity, and team. We’ve written about this in past blogs on decentralized collaboration and in our technical whitepaper. Using similar functionality in the MetaMask wallet (such as eth_decrypt), we’re able to automatically create a Skiff account directly from a user’s wallet.
Once you click “login via MetaMask,” you’ll immediately be prompted to sign a login token - an attestation that you own your Ethereum wallet:
As the final step, you’ll then be asked for your encryption public key, which is used to secure your Skiff login token and password. From there, the normal Skiff login process begins - choosing a theme (light or dark mode), setting a display name, and enabling account recovery. For your collaborators’ sake, we highly encourage setting up a display name!
That’s it! You’ll then have access to writing, collaboration, and sharing — all with your Ethereum wallet address.
Now that we’ve covered the wallet-based login process, let’s dive into how it works behind the scenes!
First off, if you have the Metamask extension installed, you will see the option to log in with your wallet. If you don’t, you’ll see the familiar email-password login.
When you connect to Skiff with a new Ethereum wallet, the first thing we ask you to do is to verify that it’s actually you. To do this, we generate a challenge message with your wallet address and a random string for you to digitally sign, all done through Metamask’s interface. We call this challenge message skiffLoginToken, which you can see in the Metamask prompt. This challenge-response authentication model prevents man-in-the-middle attacks and other impersonation strategies that could compromise your information’s security.
After verifying that this digital signature is valid, we can rest assured that you’re not being impersonated. At this point, Skiff’s end-to-end encryption model relies on private / public keypairs that are subsequently encrypted with your password, which is never stored or sent over any network. But since the whole point of logging in with our wallet was to eliminate site-specific passwords, we won’t ask you to create and remember a password. Instead, we randomly generate a password, ask you to encrypt it with your public key using the Metamask API, and then store the encrypted result (which can be decrypted with your MetaMask wallet) for future reference. Your unencrypted password never leaves your browser (so we can’t ever see it!) and only you hold the keys to unlock your encrypted password.
That’s it! Using only your Metamask wallet, you’re securely logged in and ready to start securely collaborating on Skiff!
When logging in with an Ethereum wallet that you’ve used before, the process looks a little different. To start, we will still ask you to verify your identity with the same challenge-response authentication. Next, you’ll retrieve your password so you can generate your private and public keys for accessing all your end-to-end encrypted data on Skiff. We query your encrypted password in our database and then you decrypt it with the help of the Metamask API. As with Skiff’s email-password login process, your plaintext password never leaves the browser, ensuring that everything you do on Skiff remains truly private.
The email address has been the internet’s default login credential for so long that it’s easy to lose sight of alternative (and often superior) approaches. With the emergence of Web3 and the continued decentralization of the internet, new forms of identity — such as an Ethereum wallet address or a unique encryption keypair — are already proving their advantages to both user autonomy and privacy.
Metamask logins are only a first step. Skiff is already developing new features to ensure that private, decentralized collaboration remains seamlessly accessible to as many people as possible, regardless of how they choose to access it.