A Detailed Analysis of zkLogin: Bridging Web2 Authentication with Decentralized Security
House of ZK
May 7, 2025
Share on

By @arunim_shukla

Thanks to @Mahdi_seda from the zkLogin team for his kind review.

Introduction to Authentication Challenges

In the digital age, authentication remains a critical yet flawed process. Traditional methods, such as passwords and OAuth, expose users to risks like data breaches, phishing attacks, and overreliance on third parties. In blockchain, these issues are compounded by the complexity of managing private keys. Enter zkLogin, a groundbreaking technology by Sui Blockchain, which leverages zero-knowledge proofs to redefine secure, private, and user-friendly authentication.

Passwords are like exes: you shouldn’t keep too many.

What is zkLogin?

At its core, zkLogin represents a shift in blockchain accessibility. By leveraging zero-knowledge proofs, specifically zk-SNARKs using the Groth16 protocol, zkLogin allows users to prove they possess valid OAuth credentials without revealing the credentials themselves on-chain. This eliminates one of the most significant barriers to blockchain adoption - the complexity of managing cryptographic keys while maintaining the self-custody principles that make blockchain valuable in a user-friendly manner and non-custodial manner.

zkLogin makes singing as-easy-as logging into your Google or Facebook account.

Imagen

How zkLogin Works

Imagen
Image credits: zkLogin documentation

Technical Details: How zkLogin Works

zkLogin leverages the OpenID Connect OAuth flow to authenticate users, generating a JSON Web Token (JWT) from an OpenID Provider (OP). The process involves several steps to ensure security and privacy:

  • User Authentication via OAuth: Users log into a dApp using their existing web credentials, prompting the OP to issue a JWT. This token contains claims such as the subject (sub), issuer (iss), and audience (aud), which are crucial for identity verification.
  • Ephemeral Key Pair Generation: The user’s device generates a temporary cryptographic key pair, with the public key embedded in the nonce field of the JWT. This nonce also includes an expiration epoch to limit the token’s validity, enhancing security.
  • Zero-Knowledge Proof Generation: A salt service validates the JWT and generates a zero-knowledge proof using the Groth16 protocol, a highly efficient ZK proof system. This proof verifies the user’s identity without revealing the underlying credentials, ensuring privacy.
  • Transaction Signing and Submission: The user signs the transaction using the ephemeral private key and submits it to the Sui blockchain, along with the zero-knowledge (ZK) proof. The Sui network verifies the proof to ensure the transaction’s authenticity.
  • Address Derivation: The user’s Sui address is derived from a combination of sub, iss, aud, and a user-specific salt, using cryptographic hashing (Poseidon_BN254 and Blake2b_256) with a zk_login_flag = 0x05. This ensures each zkLogin address is unique and not publicly linked to the user’s OAuth credentials.

This process abstracts the complexity of traditional blockchain wallets, making interactions as seamless as logging into a web application while maintaining decentralization and security.

zkLogin has been used for over 7.6 million transactions. With around 2.4 million unique proofs as of Mar 14, 2025.

Imagen
Image credits: https://mahdi171.github.io/files/zkLogin_O1Labs.pdf

Advantages of zkLogin

zkLogin offers several compelling benefits that address key barriers to blockchain adoption:

  • Ease of Use: By allowing users to log in with familiar web credentials, zkLogin eliminates the need to manage private keys or mnemonic phrases, significantly lowering the entry barrier for new users. This is particularly crucial for mainstream adoption, as traditional wallet management can be daunting.
  • Self-Custody and User Control: Despite its simplicity, zkLogin ensures users retain full control over their funds. Transactions require explicit user approval, meaning no third party, including the OAuth provider, can transact on their behalf without consent, aligning with the decentralized ethos.
  • Privacy Preservation: Zero-knowledge proofs ensure that no personal information is exposed on the blockchain. The user’s OAuth credentials are never stored or linked to their Sui address, which maintains anonymity and makes targeted attacks based on blockchain monitoring more difficult.
  • Accessibility and Flexibility: zkLogin integrates seamlessly with Sui’s other features, such as sponsored transactions (where developers can cover gas fees) and multisig wallets. It can also coexist with traditional account types, such as mnemonic and hardware wallets, offering flexibility for both novice and expert users.
  • Rigorous Security Measures: The technology has been audited by two independent firms, and its cryptographic foundations were established in a public ceremony attended by over 100 participants. The use of Groth16, known for its efficiency, ensures scalability and performance, making it suitable for high-throughput applications.
Imagen
Web3 without zkLogin is like asking your grandparents to build their smartphone.

Disadvantages and Limitations

While zkLogin is innovative, it is not without challenges, which must be considered for a balanced assessment:

  • JWT Leak Risks: If the JWT is leaked, it could reveal sensitive information such as usernames or emails, potentially compromising user privacy. Additionally, the backend managing the user salt is compromised. In that case, an attacker might retrieve the salt, though this does not directly lead to fund loss if the ephemeral key remains secure. This risk underscores the importance of secure backend practices.
  • User Salt Leak: A leaked user salt could link the user’s OAuth identifier (sub) to their Sui address, which is particularly problematic for public identifiers like Google or Twitch. This could enable correlation attacks, reducing the privacy benefits of zkLogin.
  • Ephemeral Key Compromise: While the ephemeral key is temporary and regenerated regularly, its compromise could pose a risk if combined with access to the user salt and zero-knowledge proof. An attacker would need both to access funds, but this remains a potential vulnerability.
  • Loss of OAuth Access: If a user loses access to their OAuth account (e.g., due to account deletion, provider issues, or password recovery failures), they may lose access to their zkLogin wallet. While recovery mechanisms provided by the OAuth provider can mitigate this, it remains a significant concern. Wallet providers are encouraged to support Sui’s native multisig functionality as a backup method, such as a 1-of-2 multisig zkLogin wallet with Google and Facebook OAuth credentials.
  • Length Restrictions: Due to the constraints of the Groth16 protocol, specific fields in the JWT (e.g., aud) have length restrictions, currently set at up to 120 characters. However, this value is not final. This may limit the use of some OAuth providers, potentially restricting the ecosystem’s growth.

Good UX is like oxygen - you only notice when it's missing.

Implications of zkLogin

zkLogin has far-reaching implications for the blockchain ecosystem, particularly in terms of user experience, security, and adoption:

  • User Onboarding and Mass Adoption: By simplifying the authentication process, zkLogin removes a central friction point for new users, making blockchain technology more approachable and user-friendly. This is crucial for driving mass adoption, as evidenced by its potential to enable billions of Web2 users to transition smoothly to Web3. It shifts the paradigm from complex wallet management to familiar web login experiences, likely accelerating the integration of blockchain into everyday applications.
  • Enhanced Security and Privacy: The use of zero-knowledge proofs ensures that users can interact with the blockchain without compromising their privacy, which is crucial for sensitive transactions, such as financial or health-related dApps. The 2FA mechanism reduces the risk of single-point failures compared to traditional wallets, enhancing overall security.
  • Decentralized Ethos and Non-Custodial Nature: zkLogin maintains the non-custodial nature of blockchain wallets, ensuring users retain control over their assets while benefiting from simplified access. This aligns with the decentralized ethos, but it relies on the security of OAuth providers, introducing a dependency that needs to be managed.
  • Developer-Friendly Ecosystem: zkLogin provides developers with tools to integrate secure, user-friendly authentication into their dApps, supported by SDKs and documentation available at Sui Documentation. This accelerates the development of innovative applications, fostering a vibrant ecosystem. As of April, 2025, zkLogin is supported on Devnet, with integration on Mainnet expected shortly, expanding its reach.
  • Privacy-Focused Applications: The ability to submit only zero-knowledge proofs and ephemeral signatures on-chain makes zkLogin suitable for privacy-focused dApps, such as those in DeFi, identity management, or confidential voting systems. It also supports optional verified identity for on-chain identity layers, balancing privacy with accountability where needed.
Imagen
Mass adoption is about your grandma logging into DeFi without panic attacks.

Why Do We Need zkLogin?

Traditional blockchain wallets, while secure, are often cumbersome for the average user. Managing private keys, mnemonic phrases, or hardware wallets can be daunting, especially for those new to the space. This complexity has been a significant barrier to mass adoption, as highlighted in research such as zkLogin: Privacy-Preserving Blockchain Authentication with Existing Credentials. zkLogin addresses these challenges by:

  • Simplifying User Onboarding: Users can log in using familiar credentials, reducing the learning curve and making blockchain accessible to a broader audience. This is particularly important for non-technical users who may find traditional wallets intimidating.
  • Facilitating Mass Adoption: By making blockchain interactions as seamless as logging into a web app, zkLogin paves the way for mainstream adoption of decentralized technologies. It bridges the gap between Web2 and Web3, enabling billions of users to engage with dApps without the hassle of setting up a wallet.
  • Enhancing Security and Privacy: zkLogin’s use of zero-knowledge proofs ensures that users can authenticate without exposing their identity, addressing a key concern in blockchain adoption. The 2FA mechanism adds layer of security, reducing the risk of unauthorized access compared to single-key wallets.
  • Enabling Innovation: By abstracting away the complexities of wallet management, zkLogin allows developers to focus on building innovative dApps rather than worrying about user authentication. This fosters creativity and accelerates the development of new financial primitives, asset exchanges, and other blockchain-based solutions, as seen in the Implementation of zkLogin and On-Chain Points with the SUI Blockchain.

Use Cases of zkLogin

zkLogin is already being implemented in various practical scenarios within the Sui ecosystem, demonstrating its versatility and potential impact:

  • Seamless Web2 to Blockchain Access: Users can log in to dApps using social accounts like Google, Facebook, and Twitch, eliminating the need for traditional wallets or seed phrases. This is highlighted in Sui Features | zkLogin, with plans to expand to Microsoft, Apple, WeChat, and Amazon in future versions.
  • Simplified Onboarding: By removing the barrier of private key management, zkLogin makes it easier for new users to enter the blockchain space, reducing friction and improving the user experience.
  • Native Web2 Authentication: Sui is the first blockchain to integrate Web2 authentication providers at the protocol level, enabling secure and familiar login experiences. This enhances the DeFi space and uses zero-knowledge cryptography without external dependencies.
  • Multi-Device Support: zkLogin leverages Sui’s cryptographic capabilities to support biometric authentication across devices, enhancing user experience and accessibility, as seen in practical implementations like the Sui zkLogin Tutorial.
  • Enhanced Privacy: By submitting only zero-knowledge proofs and ephemeral signatures on-chain, zkLogin ensures no personal information is stored, prioritizing user privacy, which is crucial for mass adoption, as detailed in zkLogin | Sui Documentation.
  • Developer Integration: Developers can easily integrate zkLogin into their dApps, with support for Devnet and upcoming Mainnet integration. SDKs and documentation are available at Sui Documentation, facilitating rapid development.
  • Secure User Registration: zkLogin enables secure registration processes for dApps, ensuring user data confidentiality through zero-knowledge proofs, as implemented in projects like Implementing zkLogin and On-Chain Points with SUI Blockchain.
  • Wallet Management: It simplifies wallet management without exposing personal information, improving both security and usability, as seen in practical demos like GitHub Repository for the Sui Login Demo.
  • On-chain User Profiles: zkLogin allows for the creation and management of user profiles directly on the blockchain, securely associating actions and points with unique profiles.
More articles
News
The ZK Infrastructure Map
Read More
September 25, 2024
Interview
Interview with Dr. Jiannan Ouyang, Co-founder and CEO of Snarkify
Read More
February 14, 2025
ABOUT
PODCAST
BROADCAST
education
JOURNAL
EVENTS
MAGAZINE
SPONSORSHIP
CONTACT US
BRAND ASSETS