Require NFT for Login Option

Feature name

  • 2FA using an NFT for authorized access

Feature function

  • Authorize access using an NFT
  • The ability to share/transfer access by providing an NFT

Just get a Yubikey. Safer since it’s a hardware token and more widely used. Highly doubt this will be implemented anywhere, especially with the downfall of NFTs and Crypto in general.

I also have a yubikey.

What downfall are you talking about? Crypto and NFTs are never going away. They also offer abilities a Yubikey cannot.

Usefulness aside (I agree with @Sincerity9661, just use a YubiKey or an offline OTP-based authenticator), what would even be the technical implementation, or at least the user flow for this?

I can imagine a 2FA token based on a smart contract, though it would be cumbersome to use without a user interface for this. But how would this work with an NFT (ERC-721)? An NFT just tracks ownership certificates. How can this be used as a (second) authentication factor?

Are there any other systems/apps that implement this?

An NFT is simply a record of ownership of a property that proves provenance. This record resides on the blockchain. You confirm ownership through a private cryptographic key that you hold securely and do not share.

Having a cryptographic key of an NFT or having a cryptographic key that resides on a Yubikey are effectively the same thing if their sole purpose is to unlock your vault. So, then why wouldn’t you use the tool built for that purpose (Yubikey) instead of a tool designed for a different purpose (NFT)? What would be the advantage? I’m genuinely curious.

Having said this, I am attracted to the concept of a decentralized password manager that leverages the blockchain to secure its vaults. That technology is proven and I would trust it more than I would trust the security of LastPass’s enterprise servers. :wink:
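
An added example, not part of any post in this thread and not Bitwarden code: the login flow asked about above, reduced to the two checks a verifier would make (a fresh signed challenge, then an ownership lookup). The `Ledger` class is a constructed stand-in for an ERC-721 `ownerOf` lookup, owners are identified by a hash of their public key rather than a chain address, and all names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: owner id = SHA-256 of the DER public key (a real chain uses an address).
const ownerId = (pub) => nodeCrypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex');

// Constructed in-memory stand-in for the token contract: tokenId -> owner id.
class Ledger {
  constructor() { this.owners = new Map(); }
  mint(tokenId, pub) { this.owners.set(tokenId, ownerId(pub)); }
  transfer(tokenId, toPub) { this.owners.set(tokenId, ownerId(toPub)); }
  ownerOf(tokenId) { return this.owners.get(tokenId); }
}

class Verifier {
  constructor(ledger, tokenId) {
    this.ledger = ledger; this.tokenId = tokenId; this.pending = new Set();
  }
  challenge() {
    const nonce = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  // Returns 'ok' or the reason the attempt was rejected.
  login(nonce, pub, sig) {
    if (!this.pending.delete(nonce)) return 'unknown-or-replayed-nonce'; // single use
    if (!nodeCrypto.verify('sha256', Buffer.from(nonce), pub, sig)) return 'bad-signature';
    if (this.ledger.ownerOf(this.tokenId) !== ownerId(pub)) return 'not-token-owner';
    return 'ok';
  }
}

const newWallet = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const signNonce = (w, nonce) => nodeCrypto.sign('sha256', Buffer.from(nonce), w.privateKey);

function demo() {
  const ledger = new Ledger(), alice = newWallet(), bob = newWallet();
  ledger.mint(1, alice.publicKey);
  const v = new Verifier(ledger, 1), r = {};
  let n = v.challenge();
  const sig = signNonce(alice, n);
  r.owner = v.login(n, alice.publicKey, sig);
  r.replay = v.login(n, alice.publicKey, sig);            // same nonce reused
  n = v.challenge(); r.forged = v.login(n, alice.publicKey, signNonce(bob, n));
  n = v.challenge(); r.nonOwner = v.login(n, bob.publicKey, signNonce(bob, n));
  ledger.transfer(1, bob.publicKey);                       // access moves with the token
  n = v.challenge(); r.oldOwner = v.login(n, alice.publicKey, signNonce(alice, n));
  n = v.challenge(); r.newOwner = v.login(n, bob.publicKey, signNonce(bob, n));
  return r;
}
```

The token contributes only the ownership lookup; proof of possession is still a private-key signature, and after a transfer the previous holder is rejected on the next login.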

Potential benefits of NFT vs. Yubikey. (Riffing here…)

  1. You don’t need to carry a physical device with you.
  2. Yubikey can break
  3. NFT accessible via any device, not just those Yubikey compatible
  4. NFTs can be minted with permanent limiters, such as expiration date and geolocking
  5. Create a BW Folder for Project X Logins; Share by minting an NFT for each person
  6. Decentralized storage of all logins/etc could be impressive

I could probably add more, but this is a good start. Nothing is perfect. Someone could steal your wallet. Someone could steal your yubikey.

I’m not sold on this idea, but thought this forum would be a good place to air the idea.

Interesting concept. What you have devised here appears to depend on smart contracts, correct? I would personally never leverage a smart contract for password vault security. Not yet, anyway. They are just too immature and prone to hacks.

Note that if a benefit of an NFT is you don’t need a device, such as a Yubikey, don’t forget that devices such as phones now act as keys with secure enclaves. Google and Apple are leveraging primary devices as keys now. I personally don’t like it as the only device but it’s here to stay.

Yubikeys are tough as nails. I have done major damage to them and they keep on ticking. Loss is a bigger risk, which is why you need redundancy. Apple just began to allow security keys to secure its accounts and you are required to have a minimum of two.

I like the parameter limiting concept. Would you need to re-mint each time you change a parameter? Bitwarden has limited options to change parameters. LastPass has many (blocking TOR; white/black listing countries) which I miss. Wouldn’t it be easier to change your preferences than re-mint your NFT through a smart contract?

I agree that decentralized storage of vaults would be of value but how would this work? You can’t store the vaults, themselves, on a blockchain. They would be too big. You could store the confirmation that your vault is yours on a blockchain and then your private key could unlock it. But, the vault itself still has to be stored somewhere. If it’s only locally, that’s like KeePass. Makes sense. If it’s also “in the cloud” (like BW) AND decentralized (not like BW), I am curious how you could make that work. Smart contract again? I don’t know.

It’s an interesting concept to consider.

You would need a smart contract.

IIUC, you would need 2 (at least) smart contracts. SC#1: Mint an NFT and set metadata; SC#2: BW has to connect to your crypto wallet (which contains the NFT). You could make the metadata centralized and therefore adjustable as needed by the vault owner. I’m just riffing here, so assume I’m missing a detail or two.

The cryptowallet and BW software can be installed on multiple devices, so you’re definitely not limited in that regard.

Apple Phones are rock solid on security. I have nothing to say here.

Parameters: You can either allow the minter to update NFT metadata or make it so a new NFT is needed for any change. Both have their merits and problems.

For storage, BW could partner with IPFS. There are a number of chains that specialize in storage. The content would be visible, but encrypted. The NFT can be the key to unlock that vault. I don’t see why you couldn’t have local storage. I think you’d still need internet access though, so the NFT could unlock the local vault. This is, again, an example where Yubikey and Auth App win. This is a thought exercise.

METAVERSE - What about when people need to use SSO while inside a metaverse? I guess your Yubikey could use some kind of passthrough so that your avatar could authenticate. However, an NFT could be a solution, too, as you are already inside a blockchain environment and therefore have a connected cryptowallet. I foresee people doing data transfers and storing/hiding data caches in various metaverses. Heck, store your local BW vault inside a metaverse, or make it accessible that way.

Alright, enough flights of fancy. I think I agree that:

  1. NFTs are not really needed at this stage (solution in search of a problem);
  2. BW needs login geo-restrictions / blocking TOR / I’m sure there are more!