sounds promising
BTW: https://www.hyprkey.com/hyprkey-password-manager/
I saw that. It would be nice to replace lastpass.
In terms of blockchain management, here's a rough idea of the scheme.
Alice wants to set up two-factor authentication with Bob's server. Alice has a device like Hyprkey that can generate authentication tokens from a particular seed.
Bootstrap:
- Hash device-specific data to create a unique device ID (DHashID)
- Bob's server creates a UUID (BHashID)
- Request Alice's and Bob's public keys
- Generate a seed (say 128 bit) for use uniquely with Bob's server
- Encrypt the seed with Alice's public key (EAliceSeedCopy)
- Encrypt the seed with Bob's public key (EBobSeedCopy)
- Insert a data record into the blockchain (DHashID, BHashID) -> {EAliceSeedCopy : EBobSeedCopy}
Authentication:
- The device retrieves the encrypted seed from the blockchain entry
- The device decrypts the seed in memory and uses a desired OTP protocol
- Bob performs the same steps
- Tokens match
- Alice proves she can reverse the device hash to Bob (either directly or via a ZKP)
- Server issues access credentials to Alice for time amount X
- Both parties purge seeds from memory
This design means that every website has a unique access seed, the device itself stores no credentials (however it's needed for authentication), and there is no central curation. If Alice loses her device, one could set up a revocation and transfer protocol as follows:
- Alice creates a file containing a set of PII that's hard to guess
- Alice creates a passphrase
- Alice takes the PII and encrypts with the passphrase via some cipher like AES
- Alice hashes the result
- Alice stores the hash on blockchain alongside some index for lookup and a label as a revocation and transfer entry
- If Alice loses her hardware (or we could also extend to a public-private keypair), then Alice issues a revocation and transfer transaction <encrypted hash reversal, new ID to bind old credentials to, new revocation and transfer hash>. Basically all she has to do is pick a new passphrase and a new ID to bind the old one to. In the case of a hardware device, it would be a new hashed hardware ID.
- Protocol transfers all rights, reputation, and responsibilities to the new ID
Now we can lose our device or keypair and still recover it in a decentralized way.
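A runnable sketch of the bootstrap and authentication steps described in the comment above, added here as an example (it is not code from the commenter or from Hyprkey). Assumptions: a Python dict stands in for the blockchain, `seal`/`unseal` are a constructed symmetric stand-in for "encrypt with Alice's/Bob's public key" (the standard library has no asymmetric crypto), and the "desired OTP protocol" is RFC 4226 HOTP / RFC 6238 TOTP.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed stand-in for "encrypt to X's public key": each party's "public key" is a
# per-party secret that derives a one-time keystream. A real deployment would use a
# sealed-box construction (e.g. ECIES); this only keeps the example offline and stdlib.
def seal(seed: bytes, recipient_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(recipient_key + nonce).digest()[: len(seed)]
    return nonce + bytes(a ^ b for a, b in zip(seed, stream))

def unseal(blob: bytes, recipient_key: bytes) -> bytearray:
    nonce, body = blob[:16], blob[16:]
    stream = hashlib.sha256(recipient_key + nonce).digest()[: len(body)]
    return bytearray(a ^ b for a, b in zip(body, stream))   # mutable so it can be purged

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step)

def bootstrap(ledger: dict, device_fields: bytes, bhash_id: str,
              alice_key: bytes, bob_key: bytes) -> tuple:
    """Bootstrap: DHashID, per-server 128-bit seed, two encrypted copies, one ledger record."""
    dhash_id = hashlib.sha256(device_fields).hexdigest()        # DHashID
    seed = secrets.token_bytes(16)                               # seed unique to Bob's server
    record = {"EAliceSeedCopy": seal(seed, alice_key), "EBobSeedCopy": seal(seed, bob_key)}
    key = (dhash_id, bhash_id)
    if key in ledger:                                            # append-only: never overwrite
        raise ValueError("ledger entry already exists")
    ledger[key] = record
    return key

def authenticate(ledger: dict, key: tuple, copy: str, party_key: bytes, now: int) -> str:
    """Either party: fetch its encrypted copy, decrypt in memory, derive the OTP, purge."""
    seed = unseal(ledger[key][copy], party_key)
    try:
        return totp(seed, now)
    finally:
        for i in range(len(seed)):                               # best-effort purge of the seed
            seed[i] = 0
```

Alice calls `authenticate(..., "EAliceSeedCopy", alice_key, now)` and Bob calls it with `"EBobSeedCopy"` and `bob_key`; the two tokens match for the same time step without either party ever sending the seed to the other.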