GM!

Would people want to have a (backup) username and password for nostr services (yes, had many clients lose their nsec) and an optional email recovery option (reset password type)? What are your thoughts, and please state your reasons too. 🫡☕️


Discussion

I support adding a username and password but not an email as I prefer to keep it unlinked to points of failure.

That’s why I said optional. But I understand your motives. When people lose their nsec that would mean game over though.

If they could be linked. A big chunk of the reason for Nostr is to have the one profile everywhere.

Then better keep that nsec backed up, since there will be no way to verify original user.

It's not a particular string of letters that one is attached to, it's the notes and the ability to continually verify they are associated with the real life human being. I can imagine scenarios where everyone (almost everyone) forgets about the nsec and npub underneath and only thinks about what notes they still attribute to themselves or stand by. I haven't thought through any particular implementation for such a thing, but have heard it mentioned that one could have a backup set of keys prepared in case of compromise and ability to disassociate with certain notes and bring back certain others with a pointer or a digital affidavit of sorts.

I am talking about paid service that uses npub/nsec to associate your purchase and assets with you. If you have no backup way to login and verify yourself, then once it’s lost, the money and the assets are gone too. If that’s the risk people want to have, I don’t mind.

I realized how far my tangent went after I clicked 'Reply.' I think the answer to your question is yes, there are people who would want that, and decent arguments not to provide it (eventually it will be a service offered somewhere anyway though.)

I'm not one who is against such tradeoffs on principle necessarily, but do encourage corresponding education (transparency) of the actual tradeoffs - in other words the customer ought to have a way to learn about the decision from a maximally paranoid security perspective if they so choose - and would want that to be up front from the provider.

The model I think of that's closest to the ideal tradeoff would involve distributed trust, i.e. 3 people I trust can get me back my nsec but no one of them has the whole thing.

I went on another tangent. Twas fun tho :D

🤣 all good. I am not even going into the whole key management, not my area of interest or concern at the moment

Yes that could be very handy.

Finally, someone who is thinking in terms of risks and failures 😂🚀🫡

Then just hook account to new npub. It's a good idea. Losing your account is not taken seriously enough.

Until it happens, people are in lala mode.

I spent years in IT, I know 😭

While I'm not opposing the idea of an nsec vault, I don't see how it can be done safely and securely, without requiring a lot of trust. On the other hand, for a paid service like yours, an optional account dissociated from the npub/nsec pair is OK. If you lose your nsec, you just log in and associate a different one with your account. That doesn't sound problematic at all, especially if it would be optional.

🫡🚀

I think there's potential for a client that's more than just Nostr to have something like that. But personally no

🫡🚀

I think it’s what we’ll need to get the normies on board.

The normies need that type of stuff. It's a good idea at the beginning while they learn how nostr works.

Would make life of my GF easier

GM 🤙👍

Super interested in people's responses. For nostr:nprofile1qqs0xgvyaeact5khdrllmk7r936mhmtdjt3d6sm3g2h4c5qgd5wp00cprpmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0qyghwumn8ghj7mn0wd68ytnhd9hx2tcqfttnh I've been considering the classic social media sign up flow where you pick your "username". This would in turn become their username for recovery as well as nip05 on our domain