MetaMask Enables Passwordless Login With Enhanced Security

Crypto wallets like MetaMask are primarily designed to manage crypto assets, but the same private key that protects those assets can also sign a login challenge, which makes wallets a natural building block for passwordless login. This article demonstrates a solution that lets users log in to a desktop website with the MetaMask app installed on their mobile device. Because the signature is produced on the phone, an attacker needs that physical device and, if the user has enabled it, MetaMask's biometric unlock of the wallet: possession of the device plus a biometric, which is the kind of combination two-factor authentication aims for. No password or other reusable secret is ever typed into the desktop browser; each login is a fresh signature over a one-time challenge. The approach is therefore more robust than a traditional password login against credential reuse and leaked password databases, and more convenient, since there is no complex password to remember.
From the user's perspective, the authentication process is very simple: they scan a QR code with their phone's camera, which opens the MetaMask app, approve a signature request with a single tap, and they are logged in. On the server, index.php generates a random challenge and a random session_id, stores both (with a creation timestamp) in a session table in the database, and keeps the session ID in the PHP session under the key metamask_session. Both values should come from a cryptographically secure generator such as PHP's random_bytes: the session ID is part of the URL encoded in the QR code, and whoever holds it can attempt to complete that login. The page refreshes itself every 10 seconds. Each time it loads, the PHP script checks whether an Ethereum address has been written to that session row. If it has, the login is considered successful.
The login.php script handles signature verification and writes the Ethereum address into the session row. It receives the session ID from the URL path and uses it to retrieve the corresponding challenge from the database. The digital signature is produced by JavaScript in the HTML portion of the page. Communication with MetaMask happens through the provider, which the page obtains with MetaMask's detectEthereumProvider utility; this keeps the integration small. The script retrieves the Ethereum account with an eth_requestAccounts call and then asks for a signature over the challenge with personal_sign (the message is the first parameter and the signing account the second). MetaMask then shows a popup in which the user only has to approve the signature. Because personal_sign prefixes the message with "\x19Ethereum Signed Message:\n" and its length before hashing, the signed bytes can never be mistaken for a transaction, so approving this prompt cannot move funds. The challenge to be signed is visible both on the desktop website and inside MetaMask, so the user can check that they are signing the challenge for their own session.
If the signature succeeds, the JavaScript sends the signature returned by MetaMask to login.php in the signature parameter. login.php recomputes the prefixed hash of the stored challenge, recovers the signer's public key from the signature and derives the Ethereum address from it (the signedMessageToAddress helper used here). It then checks that the session is still valid, i.e. that the 10-minute window has not expired and that no address has been written to this session yet; without the second check, a captured signature could be replayed for the remaining lifetime of the challenge. If everything is in order, it stores the recovered Ethereum address in the session row, completing the login. As mentioned earlier, index.php refreshes every 10 seconds and checks for the presence of the Ethereum address; once it finds the address, it treats the login as successful and can start the user's application session.
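The server side of the flow described above, as an added example that is not the article's login.php. It assumes the Composer packages simplito/elliptic-php (public-key recovery) and kornrunner/keccak (Keccak-256), a PDO connection $pdo, that session_start() has run, and a login_sessions table with the columns used below; the function names are my own. It also replaces the short challenge with 128-bit values from random_bytes and makes each challenge single-use, two hardening steps beyond what the text spells out.

```php
<?php
// Added example for login.php, not the article's own code. Assumes the
// Composer packages simplito/elliptic-php and kornrunner/keccak, a PDO
// connection $pdo, session_start() already called, and a table
// login_sessions(session_id, challenge, created_at, address, used)
// that index.php polls for the address.
require __DIR__ . '/vendor/autoload.php';

use Elliptic\EC;
use kornrunner\Keccak;

const CHALLENGE_TTL = 600; // the article's 10-minute window, in seconds

/** index.php side: create one login session with 128-bit random values. */
function createLoginSession(PDO $pdo): array
{
    $sessionId = bin2hex(random_bytes(16)); // goes into the QR code URL
    $challenge = bin2hex(random_bytes(16)); // the text MetaMask will sign
    $stmt = $pdo->prepare(
        'INSERT INTO login_sessions (session_id, challenge, created_at, used) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$sessionId, $challenge, time()]);
    $_SESSION['metamask_session'] = $sessionId;
    return ['session_id' => $sessionId, 'challenge' => $challenge];
}

/** Recover the signer of a personal_sign (EIP-191) signature, or null if invalid. */
function recoverPersonalSignAddress(string $message, string $signature): ?string
{
    $sig = strtolower(preg_replace('/^0x/i', '', $signature));
    if (!preg_match('/^[0-9a-f]{130}$/', $sig)) {
        return null; // must be exactly 65 bytes: r (32) || s (32) || v (1)
    }
    $r = substr($sig, 0, 64);
    $s = substr($sig, 64, 64);
    $v = hexdec(substr($sig, 128, 2));
    $recid = $v >= 27 ? $v - 27 : $v; // MetaMask returns v = 27 or 28
    if ($recid !== 0 && $recid !== 1) {
        return null;
    }
    // personal_sign signs keccak256 of the prefixed message, not of the raw text
    $prefixed = "\x19Ethereum Signed Message:\n" . strlen($message) . $message;
    $hash = Keccak::hash($prefixed, 256);
    try {
        $pub = (new EC('secp256k1'))->recoverPubKey($hash, ['r' => $r, 's' => $s], $recid);
    } catch (Throwable $e) {
        return null; // signature does not recover to a valid point for this hash
    }
    // address = last 20 bytes of keccak256(64-byte uncompressed public key without 0x04)
    $pubHex = $pub->encode('hex');
    return '0x' . substr(Keccak::hash(hex2bin(substr($pubHex, 2)), 256), 24);
}

/** login.php side: verify, enforce expiry and single use, then bind the address. */
function completeLogin(PDO $pdo, string $sessionId, string $signature): bool
{
    $stmt = $pdo->prepare('SELECT challenge, created_at, used FROM login_sessions WHERE session_id = ?');
    $stmt->execute([$sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['used'] === 1 || time() - (int) $row['created_at'] > CHALLENGE_TTL) {
        return false; // unknown session, already completed, or outside the 10-minute window
    }
    $address = recoverPersonalSignAddress($row['challenge'], $signature);
    if ($address === null) {
        return false;
    }
    // "AND used = 0" makes the update atomic: a replayed signature loses the race.
    $upd = $pdo->prepare('UPDATE login_sessions SET address = ?, used = 1 WHERE session_id = ? AND used = 0');
    $upd->execute([$address, $sessionId]);
    return $upd->rowCount() === 1;
}
```

Addresses come back lowercase from this recovery; compare them case-insensitively (or checksum both sides) against whatever the client reported, and never trust the client-supplied address in place of the recovered one.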
If you want to link Ethereum addresses to existing users (for example, on a Laravel or WordPress site that already has registered users), the process changes slightly to include a registration step. This step is very similar to the login flow, but the session must also record the user's ID. The user first logs in with their existing account. On their profile page, a QR code is displayed. The simplest approach is to include the userId in the generated sessionId, using a format like {random string}:{userId}, and to store that sessionId in the session table while the user is authenticated. Then the regular login flow takes place. When the Ethereum address is written into the session table, the system extracts the userId from the sessionId and stores the Ethereum address in the corresponding user record. Two checks matter here: look the full sessionId up in the session table before acting on it, so that the userId you use is the one recorded for an authenticated user and not just whatever appears in the URL, and refuse to link an address that is already bound to another account. After the registration step is complete, the user can log in using just their Ethereum address, since it now identifies the associated account.
It is also worth mentioning that there is an official Sign-In with Ethereum standard, ERC-4361. The underlying logic is identical to what has been demonstrated here: the user signs a challenge with their Ethereum private key. The standard defines the format of the challenge message: it names the domain that requested the signature, a URI, the chain ID, a nonce, an issued-at timestamp and optionally an expiration time, so the signed text itself says which site it is for and when it stops being valid, and the user can read those values in the MetaMask prompt. In the simplified solution the challenge is a random string of 2×4 characters; eight alphanumeric characters is the minimum ERC-4361 allows for its nonce, and there is no cost to generating a longer value with random_bytes. If needed, the implementation shown in this article can be extended to comply with ERC-4361 by building the message in that format, signing it with personal_sign exactly as before, and checking the domain, nonce and timestamps on the server in addition to the signature. As we have seen, logging in with MetaMask, or any other crypto wallet, is both more convenient than a password and backed by the key management of a modern wallet. Let us take advantage of the fact that we all carry a capable signing device in our pockets, secured with biometric authentication: our smartphones.
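To make the ERC-4361 variant concrete, here is an added example (mine, not the article's code or the standard's reference implementation) that builds a message in that format and applies the checks a server should run on it before, not instead of, verifying the signature. The function names, the example domain and the constructed address are my own assumptions; the message layout follows the ABNF in ERC-4361.

```php
<?php
// Added example, not from the article: build and check ERC-4361 (Sign-In with
// Ethereum) messages. The text returned by buildSiweMessage is what the desktop
// page shows and what MetaMask's personal_sign receives; signature recovery is
// unchanged, only the message format and the extra server-side checks differ.

function buildSiweMessage(
    string $domain,
    string $address,
    string $uri,
    int $chainId,
    string $nonce,
    ?string $statement = null,
    ?DateTimeImmutable $issuedAt = null,
    ?DateTimeImmutable $expirationTime = null
): string {
    if (!preg_match('/^[A-Za-z0-9]{8,}$/', $nonce)) {
        throw new InvalidArgumentException('ERC-4361 nonce: at least 8 alphanumeric characters');
    }
    $utc = new DateTimeZone('UTC');
    $issuedAt = ($issuedAt ?? new DateTimeImmutable('now', $utc))->setTimezone($utc);
    // ERC-4361 layout: header, address, blank line, optional statement, blank line, fields
    $lines = ["$domain wants you to sign in with your Ethereum account:", $address, ''];
    if ($statement !== null) {
        $lines[] = $statement;
    }
    $lines[] = '';
    $lines[] = "URI: $uri";
    $lines[] = 'Version: 1';
    $lines[] = "Chain ID: $chainId";
    $lines[] = "Nonce: $nonce";
    $lines[] = 'Issued At: ' . $issuedAt->format('Y-m-d\TH:i:s\Z');
    if ($expirationTime !== null) {
        $lines[] = 'Expiration Time: ' . $expirationTime->setTimezone($utc)->format('Y-m-d\TH:i:s\Z');
    }
    return implode("\n", $lines);
}

/** Pull the fields back out of the message the client sent along with its signature. */
function parseSiweMessage(string $message): ?array
{
    $lines = explode("\n", $message);
    if (!preg_match('/^(\S+) wants you to sign in with your Ethereum account:$/', $lines[0] ?? '', $m)) {
        return null;
    }
    $fields = ['domain' => $m[1], 'address' => $lines[1] ?? ''];
    foreach (array_slice($lines, 2) as $line) {
        if (preg_match('/^(URI|Version|Chain ID|Nonce|Issued At|Expiration Time|Not Before|Request ID): (.+)$/', $line, $f)) {
            $fields[$f[1]] = $f[2];
        }
    }
    foreach (['URI', 'Version', 'Chain ID', 'Nonce', 'Issued At'] as $required) {
        if (!isset($fields[$required])) {
            return null;
        }
    }
    return $fields;
}

/** Server checks beyond the signature: our domain, our nonce, inside the time window. */
function checkSiweMessage(string $message, string $expectedDomain, string $expectedNonce, int $expectedChainId): bool
{
    $f = parseSiweMessage($message);
    if ($f === null) {
        return false;
    }
    try {
        $now = new DateTimeImmutable('now', new DateTimeZone('UTC'));
        if ($f['domain'] !== $expectedDomain) return false;            // signed for another site
        if (!hash_equals($expectedNonce, $f['Nonce'])) return false;   // not the nonce we issued
        if ($f['Version'] !== '1' || (int) $f['Chain ID'] !== $expectedChainId) return false;
        if (isset($f['Expiration Time']) && new DateTimeImmutable($f['Expiration Time']) <= $now) return false;
        if (isset($f['Not Before']) && new DateTimeImmutable($f['Not Before']) > $now) return false;
    } catch (Exception $e) {
        return false; // unparsable timestamp
    }
    return true;
}

// Usage with a constructed address and domain (assumptions, not values from the article).
$nonce = bin2hex(random_bytes(8)); // 16 hex characters, stored server-side next to the session
$msg = buildSiweMessage(
    'example.com',
    '0x1234567890AbCdEf1234567890aBcDeF12345678',
    'https://example.com/login',
    1,
    $nonce,
    'Sign in to example.com',
    null,
    (new DateTimeImmutable('now', new DateTimeZone('UTC')))->modify('+10 minutes')
);
$ok = checkSiweMessage($msg, 'example.com', $nonce, 1); // true for the message we just built
```

The server stores the nonce with the session exactly as it stores the plain challenge, recovers the signer from the full message text with the same prefixed-hash recovery as before, and only then runs checkSiweMessage; a valid signature over a message naming another domain or a stale nonce must still be rejected.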
