why is that?
Discussion
there is no user accounts and without the key you can't sign events.
Okay that is clear to me. Overall, that's a bigger security issue innit? All the power is focused on one single key instead of distributing it across different auth methods
Am I missing something?
Well, if a person can't take responsibility for a private key then I don't know. However, nobody can sign anything without your key. 2fa is useless if a site, or database gets compromised. I think 2fa is obsolete since 2015 latest since web3 signers became a thing around 2018 (metamask etc). Nostr authentication is no different.