I’m starting to think login with key is not a bad idea. It sacrifices some security but it’s fine for new users. They can figure out NIP-07 later if they have to. The bunker stuff is the worst. I don’t think we should send anyone into that flow.
Discussion
The key in the beginning is that users' initial accounts (npubs) are a testing ground, so people can just use those nsecs around without much concern before moving into a more serious account, and understand how some things work and the use of NIP-05/07/47 etc.
Yes, security is not a huge concern in the beginning. Nostr has a learning curve and we should optimize for ease of initial use over security or risk losing everyone in the process. Clients like Primal and Damus are better starting points and work fine already.
nostr:npub1yzvxlwp7wawed5vgefwfmugvumtp8c8t0etk3g8sky4n0ndvyxesnxrf8q is also amazing
yakihonne.com
The new Aegis app (bunker for iOS) works really well, and is super straightforward to use and set up. So far, I’ve only tried it with Nostur, but it works with Olas too.
I think suggesting anything other than Amber/Aegis is like suggesting address reuse because it's one less thing to explain to normies.
Set up a proper key vault, **then** start signing shit. Don't make them get the nostr experience & earn it later; that kind of fiat thinking is more important to fix than their social media habits anyway.
It's not a good idea just because the more secure options have shitty UX. It doesn't sacrifice some security. It sacrifices all security. You're at the mercy of whatever potentially shit-tier app you're tossing your key into. Instead of one dedicated app or service, you make it all of them. Users would need to understand up front that they can lose their entire identity on Nostr if they lose that key. My probably unpopular opinion is that we shouldn't send anyone into the Nostr flow at all yet unless they are technical enough to grasp the dangers and how keys work. At least not if they plan on putting a lot of work into an npub without understanding key security. Social identity should be just as important as something like Bitcoin keys, in my opinion. I refuse to log in to anything that doesn't use Amber at this point (using my primary identity). I prefer something totally offline, but Amber is the best I have found.
That rules out using an nsec with any iOS native app (though I haven’t tried Aegis with Nostur as mentioned in comments). I don’t like client web apps as much.
