MetaMask implements EIP-4361
MetaMask, a self-managed wallet for crypto assets (virtual currency), announced on the 24th that it implemented EIP-4361.
EIP-4361 (Sign In with Ethereum) is a standard for using wallet addresses to authenticate to web services. It allows wallet addresses to be used as self-managed identities instead of centralized identities such as Gmail.
This is a move to strengthen security when connecting to dApps that implement EIP-4361 and to protect users from phishing attacks.
🦊MetaMask is now compatible with EIP-4361, aka Sign In with Ethereum!
This is part of our ongoing effort to make confirmations more legible to our community. Our implementation also offers a “domain binding” feature, which will detect signatures/approvals from malicious URLs. pic.twitter.com/2jkFRhLDsx
— MetaMask 🦊💙 (@MetaMask) March 23, 2023
Websites have typically used company-controlled identities, including free emails like Gmail, to sign in to services.
EIP-4361 defines a standardized sign-in workflow; once a website implements the dedicated sign-in function on its side, users can log in with a wallet address.
The adoption of EIP-4361 by many wallets and websites may lead to the expansion of Web3 (decentralized web) services, which are attracting attention as the new Internet. In February, major wallet provider Phantom also implemented the Solana (SOL) blockchain version of the standard, equivalent to EIP-4361.
What is Web3
With the current centralized web defined as Web 2.0, Web3 refers to an attempt to realize a non-centralized network using blockchain. A typical feature is the use of decentralized networks such as blockchains, for example access to dApps using virtual currency wallets.
Reduce the risk of phishing attacks
MetaMask claims EIP-4361 can help determine if a user is at risk of a phishing attack.
By integrating Sign-In with Ethereum, MetaMask also now adds additional phishing protection.
If what you’re signing doesn’t match the website you’re on, you’ll see a clear warning it might be a phishing attempt. pic.twitter.com/77BmM7OwRh
—Spruce (we’re hiring) (@SpruceID) March 23, 2023
According to SpruceID, MetaMask’s partner in EIP-4361 implementations, if your sign-in destination doesn’t match a previously registered website, you’ll see a “phishing risk” warning.
This mechanism is realized by a function called “domain binding” that checks the correct domain name to protect against unauthorized access from malicious sites. Domain binding is a security feature used by web servers that binds an SSL certificate to a specific domain name to ensure secure communication only to that domain.
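The check described above, as an added example (not MetaMask's or SpruceID's code): it parses the first lines of an EIP-4361 message and compares the domain being signed with the origin of the page requesting the signature. The names `checkDomainBinding` and `sampleMessage`, and all sample values, are assumptions made for illustration.

```javascript
// Added example, not MetaMask's code: checkDomainBinding and sampleMessage are hypothetical names.
// Header line of an EIP-4361 message: "[scheme://]domain wants you to sign in with your Ethereum account:"
const HEADER = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\S+) wants you to sign in with your Ethereum account:$/;

function checkDomainBinding(message, requestOrigin) {
  const lines = message.split("\n");
  const m = HEADER.exec(lines[0] || "");
  if (!m) return { ok: false, reason: "malformed header line" };
  if (!/^0x[0-9a-fA-F]{40}$/.test(lines[1] || "")) return { ok: false, reason: "malformed address line" };
  const [, scheme, domain] = m;
  // Only host[:port] is accepted, so the name shown to the user is exactly the host compared.
  if (/[\/@?#\\]/.test(domain)) return { ok: false, reason: "domain is not a plain host[:port]" };
  const site = new URL(requestOrigin); // origin of the page requesting the signature
  let claimed;
  try {
    // Normalize case and default port the same way the origin itself is normalized.
    claimed = new URL(`${site.protocol}//${domain}`).host;
  } catch {
    return { ok: false, reason: "domain does not parse as a host" };
  }
  if (claimed !== site.host) return { ok: false, reason: `message says "${domain}" but site is "${site.host}"` };
  if (scheme && `${scheme.toLowerCase()}:` !== site.protocol) return { ok: false, reason: "scheme mismatch" };
  return { ok: true, domain: claimed };
}

// Constructed sample message in the EIP-4361 layout (address, nonce and time are made up).
const sampleMessage = (domain) => [
  `${domain} wants you to sign in with your Ethereum account:`,
  "0x1111111111111111111111111111111111111111",
  "",
  "Sign in to the example app.",
  "",
  `URI: https://${domain}/login`,
  "Version: 1",
  "Chain ID: 1",
  "Nonce: 8f3a1c9d2b7e4f60",
  "Issued At: 2023-03-23T12:00:00Z",
].join("\n");
```

A wallet would run a check of this kind before showing the signature prompt and display the phishing warning when `ok` is false.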
In the world of the Internet, security breaches using spoofed email accounts have occurred frequently over the years, and the same approach has been rampant as a common phishing method in the virtual currency market as well.
DeFi (decentralized finance) websites have also suffered from “DNS hijacking,” in which attackers hijack the domain name system (DNS) to lead users to fake sites and illegally acquire personal information.
What is a phishing scam?
A cyber crime that deceives users by directing them to fake sites and defrauding them of authentication information and personal information. E-mails are used to guide users to fraudulent sites, where they are tricked into entering authentication information, such as the accounts and passwords needed for site login.