Can you please expand on this? I want to learn

Expand on what?

Concerns on Nostr

1. My main concern with all the passkey stuff is that I simply haven't taken the time to understand it. My aforementioned strategy has worked well for me, but I can see a case for having a better way. I prefer a password/user combo with a hardware 2FA device, or OTP if that isn't available. SMS 2FA shouldn't even exist anymore. I almost want to say that about email 2FA. OTP sort of edges on the same issue since it's usually either on a device with logged-in applications or in a password manager. Or even worse, stored in a password manager with the password/user combo (dumb).

2. The Nostr way could be that better way (it's simple), but it's still pretty easy to rekt yourself. You're using a single key pair for everything in perpetuity. You could tell people to not do this, but that defeats all the identity uses and they'll ignore you anyway.

I have some older notes where I discuss this (also to learn, I'm not an expert) with nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgpzemhxue69uhkummnw3ex2mrfw3jhxtn0wfnj7qg6waehxw309ac8junpd45kgtnxd9shg6npvchxxmmd9uq3kamnwvaz7tmjv4kxz7fwdehhxarjwpkx2cnn9e3k7mf0aur9gg and others.

That's an interesting take. Yeah, I think the convenience of this and the catastrophe of missing the private key is quite alarming.

If your private key is leaked you are screwed, whereas with a leaked password you still have some leverage since there is a place for accountability.

Nostr has something called Bunker. I haven't gone in depth, but it solves most of these challenges.

And your concern is valid; a real opportunity would be to look at how to make this simple for everyday users who don't mind having their keys stored safely.

Bunker as I understand it doesn't prevent a user from losing their private key. In fact, you have to give it up to the application you're using. Limiting exposure to Amber (what I use) IS better than giving every app my nsec, but I still gave it to Amber and still have to secure it myself ultimately. A Bitcoin cold storage type system is my ideal solution. Store the key totally offline and only ever give it to a signer that is offline. And also have sub keys maybe that can be expired.

Agreed, I think this is a tradeoff for sure.

I'm also not even close to expert on the Nostr protocol, so I'm speaking from an amateur perspective. I would reference other people's input but I think I'm educated enough to spot potential low to intermediate security issues. Passkeys on the surface (as I'm learning more) don't seem right for me.

Of course. In the end it boils down to adaptability, right? If it doesn't sit right, then it probably doesn't for a lot more people as well, which then becomes the problem to solve.

One of my jobs in my household is tech and security. So a lot of times my takes are based on what I see from truly amateur users (like my wife). She is super trainable on this stuff (meaning she does what I tell her to), but she also is about as clueless as one can be, lol, which is probably 99% of people. So I'm always trying to get outside of myself when thinking about and implementing security measures. What is the dumbest shit I could do, how do I mitigate those things, and what am I most likely to actually do (security fatigue)? Finding balance is difficult and there isn't one perfect solution. For example, I don't think OTP and password manager apps should be accessible from the device being used to log in. But few people are willing to carry a separate device. So maybe you force a PIN or login to those apps. Stuff like that. I'm learning and thinking about this stuff frequently.

Haha, yeah, that's exactly how it should be! But yeah, 2 devices is definitely a chance.

I think OTP already brings the odds down to 99%, don't you think? Combine that with 7 billion people in the world, and we need not worry about the 1%.