Replying to Avatar arjunacharya10

Concerns on Nostr
Avatar
Matt 1w ago 💬 2

1. My main concern with all the passkey stuff is that I simply haven't taken the time to understand it. My aforementioned strategy has worked well for me, but I can see a case for having a better way. I prefer a password/user combo with a hardware 2FA device, or OTP if that isnt available. SMS 2FA shouldn't even exist anymore. I almost want to say that about email 2FA. OTP sort of edges on the same issue since it's usually either on a device with logged in applications or a password manager. Or even worse, stored in a password manager with the password/user combo (dumb).

2. The Nostr way could be that better way (it's simple), but it's still pretty easy to rekt yourself. You're using a single key pair for everything in perpetuity. You could tell people to not do this, but that defeats all the identity uses and they'll ignore you anyway.

I have some older notes where I discuss this (also to learn, I'm not an expert) with nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgpzemhxue69uhkummnw3ex2mrfw3jhxtn0wfnj7qg6waehxw309ac8junpd45kgtnxd9shg6npvchxxmmd9uq3kamnwvaz7tmjv4kxz7fwdehhxarjwpkx2cnn9e3k7mf0aur9gg and others.

Reply to this note

Please Login to reply.

Discussion

Avatar
arjunacharya10 1w ago

Thats an interesting take. Yea i think the convenience of this and the catastrophe of missing the private key is quite alarming.

If your private key is leaked you are screwed, whereas with a leaked password you still have some leverage since there is a place for accountability.

Nostr has something called Bunker i havent gone in depth but its solves most of these challenges.

And your concern is valid, a real opportunity would be to look at how to make this Simple for everyday users who don’t mind having their keys stored safely

Avatar
Matt 1w ago 💬 1

Bunker as I understand it doesn't prevent a user from losing their private key. In fact, you have to give it up to the application you're using. Limiting exposure to Amber (what I use) IS better than giving every app my nsec, but I still gave it to Amber and still have to secure it myself ultimately. A Bitcoin cold storage type system is my ideal solution. Store the key totally offline and only ever give it to a signer that is offline. And also have sub keys maybe that can be expired.

Avatar
arjunacharya10 1w ago

Agreed i think this is a tradeoff for sure