Very cool, sounds like an interesting project fueled by some very specific experience in the industry. I just followed you, and I'll let you know if I want to dive more deeply into the passkeys approach (email based is getting increasingly painful as I flesh the spec out, but I'm still going to see if I can complete it).

Discussion

Sure, happy to chat. Just to be clear, passkeys, we concluded, are a dead end (as in FIDO passkeys, what you use with Touch ID, etc.). They've no execution space, and curve issues too. It's JWTs which are the auth vehicle in the world of SSO and social sign-in. A lot of things get confused between JWTs, FIDO passkeys, on-device enclaves (like for iOS), cloud enclaves, chip enclaves (Intel TDX), etc.

Ah, that actually makes way more sense, you can do a lot with a JWT. I had read quite a while ago that passkeys weren't the way forward, but I've never done my homework on it.

Yes, not the way forward IMO. Passkeys are just private keys that sign challenges from within the secure enclave on your iOS device, or from keychain, a TPM, YubiKey, even cross-platform third-party password managers. And with specific protocol scaffolding around them (WebAuthn/FIDO2).

Often when people say they’re doing something with passkeys for Nostr it’s not actual passkey passkeys (not WebAuthn/FIDO2), it’s more like “passkey-inspired design”. Because passkeys themselves are too limited.