 @dtonon @PABLOF7z @brugeman @fiatjaf what's the best place to send a dev who has a non-nostr bitcoin web app to learn about “log in with nostr” & “create nostr keys” capability? 
 Sending you a zap because @noBody𓅦🧱 told me to 
 @15Grepples check this out 😮‍💨 
 Adding nec.app to your app or NIP-46 with NDK? 
 How about this https://nostrlogin.org/ ? PRs and issues are welcome. 
 Nice. I gotta try this! 
 🔥🔥

Exactly what I was looking for. 

Did you just make this? 
 Yes, started this morning just for you 
 Bro 

🫂 
 I like it and I've been a fan of web3 authentication for a long time since it makes user accounts, two-factor authentication and password managers obsolete. The problem however is adoption since platforms and websites cannot sell user data which virtually doesn't exist thanks to web3 auth. 
 Well on Nostr a lot of user data is public. I'm also not sure web3 auth adoption wasn't happening (was it not?) due to the lack of business model for apps. Maybe web3 is too focused on blockchains/shitcoins. We'll see where it goes with nostr. 
 I just call them web3 authenticators, best word I can think of to describe authenticating. That can be Alby or Metamask or any other kind of signer. Also the perception of web3 representing shitcoins or blockchains (decentralised ledger technologies [insert unicorn poo]) is something I'd credit to the most recent years. Hardly anyone spoke about web3-anything before 2020 when it became popular through ETH and Metamask. 
 Btw how does your preferred web3 auth provider solve the key storage, backup, recovery, etc? Removing passwords and 2fa is easy, but is there something to ultimately replace them with? 
 I guess. I have a recovery seed for metamask (which I don't really use) and I got backups for my nsec's. This is where self-responsibility comes back into play instead of relying on third parties to do it for you as if they were your legal guardian just because the end user has become too lazy to protect vital data or access information.

However, all I meant to initially say is that I love what you've put up but we probably won't see a wide nostr-auth adoption for the aforementioned reason of platforms not being able to sell customer data that doesn't exist. Yes, we share a lot of data on nostr publicly but that doesn't tie that data to an email address, google account, phone and eventually personal information. 
 Thanks for the input, I agree that expecting an explosion of nostr auth is very premature. But we have to start somewhere, baby steps. 
 I read it and I really like this form of authentication with keys 🔑. But I can’t imagine the avalanche of requests to recover private keys from my users who lost or forgot them.

Of course I can ask for them and store them❌. I don’t see any other way for now. 
 It's the job of a provider (browser extension or nsec storage like nsec.app) to help users recover. It's not black and white, we don't have to leave users on their own with how-do-I-store-this-nsec thing. 
 I will tell you an anecdote, I taught a friend to us and how to use a client on his mobile phone and I explained everything to him so that he can save his nsec correctly.

In the afternoon he sent me his keys on WhatsApp to help him save because he said he was sure he would lose them.

Me 🫥

They are not the tools. It is the digital culture of many. 
 That's right, it's like explaining to them how to store and backup bitcoin keys. It's always a facepalm.

That's why there are setups like Casa or Bitkey that don't expose keys, and instead build good storage and recovery tooling. It's not for experts, but most people aren't experts.

Nsec.app doesn't expose nsec either (at least if you don't ask atm), we will try to keep it safe and help you recover without making you write it on a piece of paper. 
 Thanks for your reply. I’m going to review it more thoroughly. 🤝🏻