I wish it were that simple. But I have to sign events with their key - ssh doesn't. So it's not just a "tell me who you are" problem, but a "how do I BE you" problem. The only way to accept a password is to custody the user's keys, which I do think defeats the purpose. ActivityPub and Bluesky have keys too (held by the server instead of the user), and this is the one thing about Nostr that makes it matter. That users control their own key.