This should be even more secure in the future with the login-with-a-client NIP. We currently do something similar when logging in to sign up for purple. The app opens up and Damus is used for verifying that it’s you.
We just couldn’t use this flow yet for logging in on the website since we hardcoded that flow for purple lightning subscriptions.
Soon we won’t need the OTP stuff and you can just let Damus verify the login directly.