 I need to do more research here. One question though - if nsec is encrypted by password then user would still have to enter it in the app, even if server only needs webauthn to return the encrypted nsec. So from user's point of view, it's still a second factor, even if server needs just one. Or am I missing something? 
 Mostly, you are right.
But strictly, it is not a password for authentication, but just an encryption key, so the user is only asked to enter it when changing browsers, for example.
This is because it is usually not recommended to store passwords in localStorage, etc., but with an encryption key it is considered possible.

I think in bitwarden it is called "master password".🤔 
 Yes, hash of master password is used in bitwarden for server auth (since user already has to remember it to decrypt the master key), and webauthn can be used as a second factor. 
 My concern with Nostr, unlike the password manager, is that implementing a master password like bitwarden would actually make the master password and nsec the same thing.
If so, users would have to worry about managing the master password instead of the nsec, which would not be fun.  
 I have the same concern actually. Here is my line of thinking:

Ultimately, user has to remember some secret (or have a reliable device storing that secret). Password can at least go through a hard key derivation function and be much shorter than the actual nsec and easier to remember. And w/ webauthn as a second factor, a leaked password alone can't be used to recover key from the cloud and decrypt it - user could be notified about the failed cloud access and be asked to change the password.

I need to think more on this, I feel like there is still something here in what you're saying.