SQRL invented the anti-phishing public key cryptography based approach to website authentication many years ago. It was a beautiful spec of one page with multiple grassroots implementations.

Then they decided that the simple "I sign something with a key" approach wasn't good enough, they also had to cover a bazillion other key management things in the protocol so they brought a team of academics that turned the thing into a 300-page unreadable spec that no one ever implemented fully.

LNURL-auth basically reinvented the original simple SQRL version in 2019 and got many implementations and some traction within the bitcoiner realm.

But at the same time another team of academics, probably paid by some evil people, were creating WebAuthn, i.e. "passkeys", which solves the exact same problem and works in the exact same way, although this time the spec is much bigger than even the worst version of SQRL and apparently designed to create centralization.

It took them at least 6 years to get browsers and phones and some websites to start adopting this behemoth, but so far there are no answers to what is their real purpose or to the question: "what if I lose my phone?".

https://www.youtube.com/watch?v=xYfiOnufBSk

Discussion

I've avoided them. Bitwarden generated username, password, and the best available 2FA is good for me if I can't have something as simple as Nostr. Although that has concerns at the moment too (for me)

Can you please expand on this? I want to learn

Expand on what?

Concerns on Nostr

1. My main concern with all the passkey stuff is that I simply haven't taken the time to understand it. My aforementioned strategy has worked well for me, but I can see a case for having a better way. I prefer a password/user combo with a hardware 2FA device, or OTP if that isn't available. SMS 2FA shouldn't even exist anymore. I almost want to say that about email 2FA. OTP sort of edges on the same issue since it's usually either on a device with logged-in applications or a password manager. Or even worse, stored in a password manager with the password/user combo (dumb).

2. The Nostr way could be that better way (it's simple), but it's still pretty easy to rekt yourself. You're using a single key pair for everything in perpetuity. You could tell people to not do this, but that defeats all the identity uses and they'll ignore you anyway.

I have some older notes where I discuss this (also to learn, I'm not an expert) with nostr:npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka and others.

That's an interesting take. Yeah, I think the convenience of this and the catastrophe of missing the private key is quite alarming.

If your private key is leaked you are screwed, whereas with a leaked password you still have some leverage since there is a place for accountability.

Nostr has something called Bunker. I haven't gone in depth, but it solves most of these challenges.

And your concern is valid; a real opportunity would be to look at how to make this simple for everyday users who don't mind having their keys stored safely.

Bunker as I understand it doesn't prevent a user from losing their private key. In fact, you have to give it up to the application you're using. Limiting exposure to Amber (what I use) IS better than giving every app my nsec, but I still gave it to Amber and still have to secure it myself ultimately. A Bitcoin cold storage type system is my ideal solution. Store the key totally offline and only ever give it to a signer that is offline. And also have sub keys maybe that can be expired.

Agreed, I think this is a tradeoff for sure.

I'm also not even close to expert on the Nostr protocol, so I'm speaking from an amateur perspective. I would reference other people's input but I think I'm educated enough to spot potential low to intermediate security issues. Passkeys on the surface (as I'm learning more) don't seem right for me.

Of course. In the end it boils down to adaptability, right? If it doesn't sit right then probably it doesn't for a lot more people as well, which then becomes the problem to solve.

One of my jobs in my household is tech and security. So a lot of times my takes are based on what I see from truly amateur users (like my wife). She is super trainable on this stuff (meaning she does what I tell her to), but she also is about as clueless as one can be lol. Which is probably 99% of people. So I'm always trying to get outside of myself when thinking about and implementing security measures. What is the dumbest shit I could do, how do I mitigate those things, and what am I most likely to actually do (security fatigue). Finding balance is difficult and there isn't one perfect solution. For example, I don't think OTP and password manager apps should be accessible from the device being used to login. But few people are willing to carry a separate device. So maybe you force a PIN or login to those apps. Stuff like that. I'm learning and thinking about this stuff frequently.

Haha yeah, that's exactly how it should be! But yeah, 2 devices is definitely a chance.

I think OTP already brings the odds down to 99%, don't you think? Combine that with 7 billion people in the world, we need not worry about the 1%.

Yeah, “what if I lose my phone?” - that’s the key issue I identified. They want you to be dependent on your phone. The comeback is to store those passkeys in your platform account - in that case you are now chained to your account as well, and the security is only as good as access to your account.

I have my passkeys in self-hosted Vaultwarden. I can access it everywhere where I install the browser extension.

(Also there are physical FIDO devices out there, so you don't need a phone per se.)

Ah, well that’s the trick: you don’t lose your key if you lose your phone. At least, not with the major players’ implementations. It syncs “with the cloud”, and you can simply buy a new device and auth with the same account to recover it.

Yep. Simple password/secrets management. Password Manager in google, keychain in Apple…

And so here we see a hint of the end game: they control your logins to every account you use the passkey on.

Power concentrates.

Fuck that.

The answer is to get a couple of yubikeys. Take 5 minutes to learn it.

There is KeePassXC, open source and can manage PassKeys!

A password is something you can remember and type. A passkey is something that can be tied to a digital ID, which can later be used as a sort of internet passport. 🧐

If you register a passkey with ぬるぬる, be sure to export the private key and store it safely yourself.

nostr:nevent1qqsgtn40rpuq9lxstfld44jv0f54nu0ve0ml8a0yesfjl26tpz7vlmspr9mhxue69uhhq7tjv9kkjepwve5kzar2v9nzucm0d5pzqwlsccluhy6xxsr6l9a9uhhxf75g85g8a709tprjcn4e42h053vaqvzqqqqqqyc8kvl9

SQRL is basically unaccepted by any entity, and its authors are virtually impossible to fight against compared to the FIDO alliance behind WebAuthn (and that "Passkey").

What do you mean by unaccepted and impossible to fight? Why do you want to fight them? No one ever used the big SQRL version as far as I know.

SQRL lacks the interest alliance like FIDO to drive its adoption among hardware and software vendors, and it also lacks the resources to promote it to consumers. Currently, all software or hardware vendors actively promoting Passkey are part of the FIDO alliance, such as Microsoft Windows, Google Android, and Apple iOS/macOS. So, GNU/Linux is not included.

The main conflict lies in FIDO's requirement that the passkey key cannot be extracted a second time, which essentially promotes vendor lock-in. In the open-source ecosystem, achieving non-vendor-locked passkey key synchronization without secondary key extraction is virtually impossible.

The pattern every time:

1. Someone builds something simple and elegant

2. "Experts" arrive to "improve" it

3. Spec grows from 1 page to 300 pages

4. No one implements it

5. A corporate committee builds a centralized version

6. 6 years and billions of dollars later, it ships

7. "What if I lose my phone?" has no answer

The answer is always: "Trust the cloud. Trust the platform. Trust us."

Nostr's answer: 64 characters. Write them down. You're done.

Lost your phone? Import nsec on new device. No cloud. No sync. No platform permission.

The academics aren't confused. The complexity is the feature. It creates dependency by design.

Simple systems empower users.

Complex systems empower platforms.

Choose accordingly.

I remember being quite excited about SQRL when it first came out. But I realized it was dead once Passkeys were announced.