Can NFT be used for authentication on web apps

Question

Can NFT's be used as a mean of authentication? The scenario is a user buys an NFT (ERC721) now he visits the site that uses this Token for authentication, so am guessing the web3.js on the site checks the users wallet if he has the token in wallet then can access the site....but what about server side calls...the server can check the ledger to see who owns the token, but how can it know if the person making the call is the owner..address can be spoofed so sending it with call is out of question. Also the case if users sells his token now a new user owns it

Am thinking something like digital signature but how to get the owners public key and is requiring users to sign messages a hassle...am noob to solidity what do I know but SO requires me to try to answer my question before asking for an answer also some code a requirement for every posts

pragma solidity ^0.4.22;contract helloWorld {
 function renderHelloWorld () public pure returns (string) {
   return 'helloWorld';
 }
}

Answer 1

Checking that the viewer has an address that owns the token is not enough. You would need to confirm that the viewer controls the address by asking them to sign a message.

One system like this is called MetaKey.

If you want to coordinate sessions with a backend, you need to do additional work because the NFT could be transferred. You would need to revoke the session key when the NFT is transferred, which requires that you monitor the blockchain for transfer events.

I don't recommend building sign in infrastructure around an NFTs though. It will be extremely difficult or impossible to avoid security flaws. Better to authenticate people using a wallet signature. There are many tutorials online for building this flow, for example here.