So the user has to remember their passcode still? Is there a way to recover the secret from storage if they lose it? How do they sign things, is their encrypted key returned to the client to sign with? I'm interested in the details.
I see, but in that case it still depends on a special email service.
My project is Chuchu, and I plan to add third-party logins.
https://github.com/nsnjx/chuchu
My idea is to derive a unique private key from:
1) the unique secret obtained from third-party login, and
2) a user-provided passcode,
so that no dedicated server is needed.
Discussion
The passcode is optional, but strongly recommended. Without a passcode, a third-party service (Apple/Google) could recover your key based on the derivation rules.
Of course, you can also choose not to remember it and store the passcode in your iOS/Android device’s secure storage—then your key can be directly recovered on the same device.
Note that this is not a signing service; it’s a key recovery solution. Once recovered, the key is stored on the client, and signing is done locally on your client.
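As an added illustration of the derivation scheme discussed above (this is example code written for this thread, not Chuchu's own implementation; the domain tag, the scrypt parameters and the function names are assumptions), the following shows how a client-side key seed can be derived from the provider-issued secret plus an optional passcode, and why the passcode matters: with no passcode, anyone holding the provider secret and the public derivation rule, such as the login provider itself, can reproduce the same seed.

```python
import hashlib
from typing import Optional

# Assumed domain-separation tag; the real project may use a different one.
DOMAIN = b"chuchu-key-recovery-v1"

# Assumed scrypt cost parameters (n=2^14, r=8, p=1 needs ~16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key_seed(provider_secret: bytes, passcode: Optional[str], user_id: str) -> bytes:
    """Deterministically derive a 32-byte key seed on the client.

    provider_secret: the unique secret obtained from the third-party login.
    passcode: the user-chosen passcode, or None if the user opted out.
    user_id: an identifier that binds the derivation to one account.
    The seed is the input to local key generation; it never leaves the client.
    """
    # The provider secret and account id form the salt; the passcode is the
    # password input, so only someone who knows both can rebuild the seed.
    salt = hashlib.sha256(DOMAIN + provider_secret + user_id.encode("utf-8")).digest()
    password = (passcode or "").encode("utf-8")
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def provider_side_recovery(provider_secret: bytes, user_id: str) -> bytes:
    """What a login provider could compute if the user set no passcode.

    The provider knows the secret it issued, the account id and the public
    derivation rule, so it can run the same function with an empty passcode.
    """
    return derive_key_seed(provider_secret, None, user_id)


def passcode_protects_against_provider(provider_secret: bytes, passcode: str, user_id: str) -> bool:
    """True when the user's passcode makes the provider's reconstruction fail."""
    user_seed = derive_key_seed(provider_secret, passcode, user_id)
    return user_seed != provider_side_recovery(provider_secret, user_id)


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    secret = b"constructed-provider-secret-0123456789"
    uid = "user@example.com"

    # Same inputs on any device recover the same seed (the recovery property).
    assert derive_key_seed(secret, "1234", uid) == derive_key_seed(secret, "1234", uid)

    print("no passcode -> provider can recover:",
          not passcode_protects_against_provider(secret, "", uid))
    print("with passcode -> provider cannot recover:",
          passcode_protects_against_provider(secret, "1234", uid))
```

The same function run again on another device with the same three inputs reproduces the seed, which is the recovery property the design relies on; storing the passcode in the platform's secure storage just supplies that third input automatically on the same device.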