Nostr Web Client

If an attacker had your TAPSIGNER, they'd still need your username/password to authenticate and vice versa. We don't secure funds with these Tapsigners. They are only for 2-factor authentication, so the Best Practice violation seems like a reasonable trade-off for this use case.

boilerhodl 2y ago

One alternative is we could only use the TAPSIGNER for authentication. Just scan it, type in your PIN, & you're authenticated, no username/password needed. If you lost your Tapsigner, an attacker would still need to know your PIN to authenticate, which is now not on our server.

Reply to this note

Please Login to reply.

Discussion

boilerhodl 2y ago

Will we implement this in production? We'll see, but it's been a fun project and the TAPSIGNER is a great product!

boilerhodl 2y ago

Check out megawatthq.com 👀 for all of your miner hosting needs! The company was founded at the Indy Bitcoin meetup, so get out there and support your local #Bitcoin groups. You never know who you'll meet.