I am not a tech savvy individual. I do not write code or program anything. My question to those that are is, if someone gets my key, what would stop them from logging into a client as me? Is there a type of 2 factor authentication for nostr clients? I apologize if this is a ridiculous question, but I am always looking for ways to double down on my security and I am still learning nostr. Thank you in advance.

#plebstr #plebchain #security #clients #2factor #nostr


Discussion

If they get your key, it’s over. There are extensions and apps like nos2x that protect your key though.

There is "no" ridiculous question.

Yes, anyone with your private key can use the account - post, edit profile, etc.

There are extensions such as Alby and nos2x that protect your key from webapps, which reduces risk a bit, but we need better tools; that will take some time.

What about a vault-backed extension? Keys never leave the vault machine unless accessed physically. Signing happens on the machine; the browser never sees any of it. Self-hosted of course, but it could scale if needed. Advanced MFA could happen with browsers, which is nice as well.

As others have said, your account is done if your nsec gets compromised. However, they cannot lock you out from also posting, so you'll be able to inform all your followers of what happened even as the attacker does whatever they are doing. Then you can direct them to your new account as well, so it's not a total loss.

This needs all the memes where two identical persons claim to be the real one and accuse each other of being the fake one. 🙃

If this happens the culprit practically has control over your connected wallet to zap with it and deplete it.

So you need to be careful not to stack big amounts in it, and transfer your funds asap.

How to transfer?

I meant nothing complicated. Just transfer your big amounts to another wallet which is not connected to your nostr account.

I don't think this is true. They could change your LN address in your profile so they are receiving zaps to their wallet, but they don't have access to your wallet and funds.

You can zap all your funds in the nostr connected wallet right?

So does anyone who has the nsec.

nostr:nevent1qqsry72atzt92twunkp0sgy0zrj69aqpex6556a7sg5xzfs70eenhpcpp4mhxue69uhkummn9ekx7mqzyq30yt5c5q6m3luh6nxycke5uewvajhztppsam9ydvtmr692hw99uqcyqqqqqqg0snqlz

Crizzo is right, even if they have your nsec they still wouldn't have access to your wallet. In fact, you could post a message signed by your wallet and others could verify it against zaps they have received from you, proving that your account was compromised and directing followers to a new account. That would require a little technical know-how (a little) today, but maybe that would be a good feature, maybe a good candidate for a NIP nostr:npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z

Perhaps if you can reject an invoice and send back a message explaining why it wasn't paid

Every time I zap it opens WoS separately. They wouldn't have access to the WoS app on my phone.

I don't get this part. How is it different if you put your nsec in another phone and zap from there.

You've signed the zap feature before.

Maybe I'm thinking of one-tap zaps?! 🤔

When you tap the zap button all it does is create an invoice to be paid and send it to your wallet app. If a hacker were to log in with your nsec and try to zap someone it would create an invoice and then send it to whatever wallet app he has on his phone already. If he then paid the invoice the zap would appear to have come from you in nostr, but would have been paid with their own wallet, not yours. Once the invoice is paid then an event is broadcast to relays that says you zapped someone.

I'm not totally sure how 1-tap zaps work though as I've never been able to use Damus, but I think it's still segregated. I don't think there are any nostr clients that have built in wallets that you access with your nsec yet.

The question of one-tap zaps remains. And now I'm thinking about Alby users who put their nsec in their wallet.

And I didn't know that the zap invoice goes to the wallet on the same device, not the wallet whose address you've put in your profile. Thanks for teaching that.

In that case doing fraud needs a bit more stealthiness and some social engineering and gaining trust and so on.

There could be multi-signature accounts (more than one key), however it is still new.

How about creating 2 nsecs:

1) your normal one

2) your super secret one

Post from 1 that you authorize 2 and only 2 to post your new npub if 1 gets compromised and ask people to follow 2

Interesting

It's like a spare key

Sneaky. I like it. Thanks.

There are no ridiculous questions on #Nostr.

Well, except you would ask people to switch back to Twitter... 😜

But the attacker can write the same message with a malicious account link.

You'd have to figure out some way to verify it's you.