The problem with nsec auth is that it's probably not a problem at this moment in time due to a lack of (enough) traction to make nostr appealing to bad actors. However, as the network grows, so will the risks, and nsec interception (in various ways) will be more of a thing at that time. Personally I agree that the option to paste a private key into an app or website should be "normalised", doesn't matter if it's just for nostr or for a Bitcoin key or for anything else that might evolve in the years to come.
I guess the bottom line is that we need more means to safely authenticate on web3 protocols. It could be something like a key-managing signing device that doesn't even have a wallet service attached to it, but something is definitely needed. However, I think for now you're good to use nsec auth, but we should move away from this method as soon as possible.
Thinking about this from the perspective of a person who hasn't been in this space for as long as I have, careless handling of keys because it appears to be "normal" isn't very appealing.