This post is overdue. The Catalyst Fund 11 project Crypto wallets for signup, login, and 2FA got approved starting the second quarter of 2024, and Milestone 1 — the technical specification — should have landed long before now. Life intervened and the work sat unfinished. I would rather deliver it late and right than on time and shallow, so here it is.

What the document covers

Most current Cardano login implementations sign a bare random nonce. It works, but it is opaque to the user, carries no information about which site requested it, and leaves a thin audit trail on the server. I set out to specify something better: a structured, human-readable payload that binds the signature to a domain, a server-committed action, and a timestamp — built on top of what CIP-8, CIP-30, and the stalled CIP-93 proposal already got right.

The document also makes the case for what this approach offers beyond plain login: a verified Cardano address is simultaneously proof of identity and a live query key into the holder’s native tokens. Token-gated access, membership tiers, reward eligibility — all off-chain, no smart contract required. That is an advantage a platform passkey structurally cannot offer.

Download

The technical document is available here:

What comes next

Milestone 2 is reference implementations: backend verification libraries in Python, JavaScript, and Clojure, and a frontend wallet-integration example. Milestone 3 is the part I think matters most for adoption — plain-language documentation addressing the question users actually ask: does signing this put my funds at risk? The answer is no, and it deserves to be explained clearly rather than assumed.

A parallel deliverable will be a formal amendment to CIP-93, so these improvements are available to the whole ecosystem rather than just readers of this proposal.