Should I implement “connect wallet” or “sign in with wallet” (asking the user to sign a message) functionality? In this blog post we quickly explore the difference between the two.
Historically, distributed apps have mostly used “connect wallet” (a method for providing the dApp with the user’s public wallet address). That worked because each transaction required a signature by the wallet. Whether you proved ownership of the wallet or not at the beginning of the interaction did not matter as much.
But as web3 apps create sophisticated flows, web2 companies add wallet-based login for authentication, and websites establish sessions with their users, understanding the difference between connecting a wallet and signing a message is critical.
An analogy: verifying your phone number
The difference can be explained with a simple analogy to confirming your phone number in a sign up flow.
If you enter a phone number as part of a website registration flow, the website doesn’t actually know if you own that phone number. You can just as easily enter someone else’s phone number and register on their behalf.
Hence, websites text you a code to confirm that you have access to that phone, making sure you are who you say you are. Entering the code proves you control the phone number, not just that you know it.
The same holds true for wallets. Connecting is similar to entering a phone number. Signing is similar to entering the confirmation code you received on that number.
In the sign-in case, the site generates a cryptographic nonce (a random, single-use value) for you to sign with your private key. Because only the holder of that key can produce a valid signature over a nonce the site just issued, the signature proves that you control the wallet, and a signature captured earlier cannot be replayed.
If you’re establishing sessions with your users, need to log them in, or perform more sophisticated actions, you should follow the Sign In with Ethereum standard and make sure wallets sign a nonce as part of your onboarding process.