Implementing an email-based recovery flow right now, and it's incredibly prone to very bad security-related errors. Nostr makes everything so easy; the threat model is incredibly simple when the user holds their key. Having keys even makes email-based recovery more secure, because I can use them to guarantee that the person who initiates the recovery process is the one who completes it, completely eliminating a whole class of MITM attacks.

Discussion

I'm curious to hear your thoughts on multi-guardian security, where email could be just one of the options. This would open the door to "social recovery", which I think is probably the best recovery method for non-technical people.

I'm not entirely sure how to implement this into Nostr, but maybe it's worth exploring?

https://www.ready.co/learn/what-is-social-recovery

https://vitalik.eth.limo/general/2021/01/11/recovery.html

Social recovery of keys with Shamir secret sharing is a great tool, and under-utilized so far. I actually recently wrote a NIP for key migration: https://github.com/nostr-protocol/nips/pull/2137

The project I was alluding to before is less secure, but is more user-friendly. It uses Shamir secret sharing to shard keys to multiple custodians who can then collaboratively sign events using FROST. The user can then recover their key (or log in again) by going through an email-based challenge flow: https://github.com/coracle-social/pomade

I should also say that in theory the "mailer" and the "email address" could be anything, so you could implement recovery via Twitter DM, SimpleX, carrier pigeon, etc.
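To make the sharding step of the social-recovery scheme discussed in this reply concrete, here is an added example (my own, not code from pomade or the linked NIP) of k-of-n Shamir secret sharing over the secp256k1 scalar field, which is where a Nostr secret key lives. It assumes a plain integer scalar as the secret and a list of (index, share) pairs handed to separate custodians; the threshold-signing (FROST) part is not shown.

```python
# Added example: k-of-n Shamir secret sharing over the secp256k1 scalar
# field. Any k custodians can reconstruct the key; fewer learn nothing.
import secrets

# Order of the secp256k1 group: Nostr secret keys are scalars in [1, N).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Return `shares` points (x, f(x)) on a random polynomial of degree
    threshold-1 with f(0) == secret; all arithmetic is mod N."""
    if not 1 <= secret < N:
        raise ValueError("secret must be a valid secp256k1 scalar")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # a_0 is the secret itself; a_1..a_{k-1} are uniformly random.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is never handed out
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            y = (y * x + c) % N
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the supplied shares. With fewer than
    `threshold` distinct shares the result is unrelated to the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % N          # product of (0 - x_j)
                den = (den * (xi - xj)) % N      # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1          # constructed sample secret key
    custodians = split_secret(key, threshold=3, shares=5)   # 3-of-5 scheme
    assert recover_secret(custodians[:3]) == key
    assert recover_secret([custodians[0], custodians[2], custodians[4]]) == key
    assert recover_secret(custodians[:2]) != key  # two custodians cannot recover
```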

Buidlstr

Is it possible to use nostr for a monthly paid private community?

Yes, but it's not yet built to my knowledge. I have plans for something like this eventually, maybe nostr:nprofile1qqsth7fr42fyvpjl3rzqclvm7cwves8l8l8lqedgevhlfnamvgyg78sdv7ysa has a story too?

We won’t build paid community tools ourselves.

Instead, we hope someone will create an independent paid community mini web app that can be used within the Keychat browser.