Login Contracts and NFT Credential Tokens #BuildItOnXDC
Last week I wrote an article (Storing And Accessing Private Data on the Blockchain with an NFT) explaining how you could use an NFT as a token to store and access private data. In this post, I will show how such a simple concept can be expanded to a blockchain login that requires the user to hold an NFT credential token along with a password to log in to an application. This would add a much-needed extra layer of security.
Most of you are familiar with Multi-factor Authentication (MFA), which is a great way to fight online threats. Usually, a secondary code is texted or emailed to the user, or sent to a device the user has designated. Currently, in the crypto space, nothing similar to MFA is being used. Sure, seed phrases give you one secret: the addresses you use to interact with the network are derived from an initial seed phrase. But if that seed phrase is compromised, it's game over.
One way to limit what an attacker gets from a compromise, instead of everything your wallet has access to, is an effective login mechanism. This concept is nothing new, but if implemented in the crypto space, it can provide additional security by letting the user present a token as a credential while also using a password to log in to DApps. In the event of a hack, the attacker may have the credential token but will still need to enter the password. If they steal your password, they would still need the token in their account to confirm the login. This gives users an extra layer of security in front of applications, with an NFT serving as the security mechanism.
This login structure has two parts: a user login contract and a DApp login contract. The user launches the user login contract, sets their password in it, and sets some metadata in the URI (Uniform Resource Identifier) identifying the contract address and the total token amount.
The user will then register their user login contract to a DApp login contract of the DApp they are connecting to as part of their sign-up process. Once the contract is registered in the DApp login, the DApp login contract can pass parameters and verify that the user attempting to log in is using the correct password. It will also verify that they hold the correct token in their wallet by checking the status of the user login contract.
This means all parameters are confirmed against the originally established contract, giving a secure way to log in and access a DApp without surrendering your password data to a third party. The best part is that this can be used for both traditional applications and blockchain DApps, as it is a versatile login confirmation method designed to safely grant access to the user.
In this contract structure, there are a total of 5 credential tokens. A user needs 3 of these tokens to edit or view the contents of the login contract and 1 token to log in to a DApp. In theory, a user can mint as many credential tokens as they'd like, but keeping them all secure is their responsibility. Users can also burn tokens held by compromised accounts.
Ideally, a user stores one token on every device they have access to (mobile, web apps, cold wallets, etc.). These tokens are used for logins. The rest of their tokens can be kept on a hardware wallet and used only to edit accounts or destroy tokens on a compromised or stolen device.
User Login Contract: Allows users to store password credentials and generates a Credential NFT that is required by anyone wanting to confirm a login with the contract.
DApp Login Contract: Allows a DApp to relay credential information to the user's already registered login contract for verification.
Amendment to Private AccessToken: I also added this edit feature and changed the number of login tokens so that multiple devices can be logged in at the same time.
You would have the security of a typical password coupled with a token that allows the holder to attempt the password. Once the contract is launched with a password set, it provides its contract address to the user. To verify a login, the user must supply the contract address and the password, and must also be in possession of the Credential Token.
So instead of an email slot, it's a contract address. While the user is in the logged-in state on the DApp, only the token is required to access functionality, until the user logs out of the DApp.
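The two contracts described above, as an added example that is not the code in the linked repository. Contract names (UserLogin, DAppLogin), function names, and the five-token / three-token / one-token thresholds as constants are assumptions made here. The credential token is modelled as a per-holder balance inside UserLogin rather than a full ERC-721/ERC-1155 token, and the password is stored and compared as a keccak256 hash (assumed to be computed client-side), never as plaintext:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; names and thresholds are assumptions, not the repository's code.
contract UserLogin {
    uint256 public constant TOTAL_TOKENS = 5;     // five credential tokens minted at launch
    uint256 public constant EDIT_THRESHOLD = 3;   // three tokens to edit the contract
    uint256 public constant LOGIN_THRESHOLD = 1;  // one token to log in to a DApp

    bytes32 private passwordHash;                 // keccak256 of the password, set by the user
    string public uri;                            // metadata: contract address, total token amount
    mapping(address => uint256) public credentialBalance;

    event CredentialBurned(address indexed from, uint256 amount);

    constructor(bytes32 initialPasswordHash, string memory metadataUri) {
        passwordHash = initialPasswordHash;
        uri = metadataUri;
        credentialBalance[msg.sender] = TOTAL_TOKENS; // all five start with the launcher
    }

    modifier holdsAtLeast(uint256 needed) {
        require(credentialBalance[msg.sender] >= needed, "not enough credential tokens");
        _;
    }

    // Spread tokens across devices: one for the phone, one for the browser wallet, ...
    function transferCredential(address to, uint256 amount) external holdsAtLeast(amount) {
        require(to != address(0), "bad recipient");
        credentialBalance[msg.sender] -= amount;
        credentialBalance[to] += amount;
    }

    // Destroy tokens sitting in a compromised or stolen wallet. The caller
    // (e.g. the hardware wallet) must hold the three-token edit quorum.
    function burnFrom(address compromised, uint256 amount) external holdsAtLeast(EDIT_THRESHOLD) {
        require(credentialBalance[compromised] >= amount, "nothing to burn");
        credentialBalance[compromised] -= amount;
        emit CredentialBurned(compromised, amount);
    }

    // Rotate the password; same three-token quorum.
    function setPasswordHash(bytes32 newPasswordHash) external holdsAtLeast(EDIT_THRESHOLD) {
        passwordHash = newPasswordHash;
    }

    // Called by a DApp login contract: both factors must hold at the same time.
    function verify(address user, bytes32 suppliedPasswordHash) external view returns (bool) {
        return credentialBalance[user] >= LOGIN_THRESHOLD && suppliedPasswordHash == passwordHash;
    }
}

contract DAppLogin {
    mapping(address => UserLogin) public registered; // wallet -> its user login contract
    mapping(address => bool) public loggedIn;

    // Sign-up: the wallet registers its own login contract (the "email slot").
    function register(UserLogin userContract) external {
        require(userContract.credentialBalance(msg.sender) >= userContract.LOGIN_THRESHOLD(),
                "caller holds no credential token in that contract");
        registered[msg.sender] = userContract;
    }

    // Login: contract address plus password hash, verified by the user's own contract.
    function login(UserLogin userContract, bytes32 passwordHash) external {
        require(address(registered[msg.sender]) == address(userContract), "contract not registered for caller");
        require(userContract.verify(msg.sender, passwordHash), "bad password or missing token");
        loggedIn[msg.sender] = true;
    }

    function logout() external {
        loggedIn[msg.sender] = false;
    }

    // While logged in, only the token is re-checked, so burning a stolen
    // device's token ends its session without touching the password.
    modifier onlyLoggedIn() {
        require(loggedIn[msg.sender], "log in first");
        require(registered[msg.sender].credentialBalance(msg.sender) >= 1, "credential token revoked");
        _;
    }

    function protectedAction() external view onlyLoggedIn returns (bool) {
        return true;
    }
}
```

Two points worth keeping in mind when building on this shape. Contract storage on a public chain is readable by anyone, so the three-token requirement for viewing contents can only gate contract calls, not direct storage reads, and the password hash itself is visible. Likewise the hash passed to login() travels in public calldata, so on its own it could be replayed; the credentialBalance check is what ties the login to a wallet that actually holds a token, which is the second factor the post is about.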
This may look like a trivial task. I mean, who hasn't logged in to a website? This isn't new. EXACTLY!! A good login security process is essential to traversing the web, considering how often you use it. Now that your data can be stored privately on the XDC network, you have the means to access your own private data and confirm it independently on the blockchain.
What makes this so cool is that once a login contract has been created, you can connect and register it with any other DApp login contract, which is even more convenient for users while still requiring them to hold the NFT Credential token. Because the two parts are separate, even a new version of a DApp can let users subscribe with their existing main login, so logging in to the new version of an established contract is seamless and requires no change to their login. This can also serve as a more secure method for traditional app logins, so that verification of data happens in the smart contract rather than in the app's private databases.
About the Author: R Quincy Jones is an XDC Foundation developer who, on behalf of the XDC Network, is building new standards and applications for the XDC Network. With over four years in cloud development and a growing following on YouTube (CoinClubCrypto), Quincy is well-suited to break down the fundamentals of blockchain-based technologies for general audiences.
GitHub Link: https://github.com/QCloud-DevOps/LoginContract
The content above represents my own individual perspective as an XDC community member and does not reflect the official stance of XDC Foundation.