Nostr Web Client

1. My main concern with all the passkey stuff is that I simply haven't taken the time to understand it. My aforementioned strategy has worked well for me, but I can see a case for having a better way. I prefer a password/user combo with a hardware 2FA device, or OTP if that isnt available. SMS 2FA shouldn't even exist anymore. I almost want to say that about email 2FA. OTP sort of edges on the same issue since it's usually either on a device with logged in applications or a password manager. Or even worse, stored in a password manager with the password/user combo (dumb).

2. The Nostr way could be that better way (it's simple), but it's still pretty easy to rekt yourself. You're using a single key pair for everything in perpetuity. You could tell people to not do this, but that defeats all the identity uses and they'll ignore you anyway.

I have some older notes where I discuss this (also to learn, I'm not an expert) with nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgpzemhxue69uhkummnw3ex2mrfw3jhxtn0wfnj7qg6waehxw309ac8junpd45kgtnxd9shg6npvchxxmmd9uq3kamnwvaz7tmjv4kxz7fwdehhxarjwpkx2cnn9e3k7mf0aur9gg and others.

arjunacharya10 1w ago

Thats an interesting take. Yea i think the convenience of this and the catastrophe of missing the private key is quite alarming.

If your private key is leaked you are screwed, whereas with a leaked password you still have some leverage since there is a place for accountability.

Nostr has something called Bunker i havent gone in depth but its solves most of these challenges.

And your concern is valid, a real opportunity would be to look at how to make this Simple for everyday users who don’t mind having their keys stored safely

Reply to this note

Please Login to reply.

Discussion

Matt 1w ago 💬 1

Bunker as I understand it doesn't prevent a user from losing their private key. In fact, you have to give it up to the application you're using. Limiting exposure to Amber (what I use) IS better than giving every app my nsec, but I still gave it to Amber and still have to secure it myself ultimately. A Bitcoin cold storage type system is my ideal solution. Store the key totally offline and only ever give it to a signer that is offline. And also have sub keys maybe that can be expired.

arjunacharya10 1w ago

Agreed i think this is a tradeoff for sure