Oddbean new post about | logout
ocknamo | 11 months ago (raw) | root | parent | reply | flag +1 
 That's great. 
As a matter of fact, nosskey has it
I've implemented it as a prototype.
You may be able to use it as a reference.

https://github.com/ocknamo/nosskey
ocknamo | 11 months ago (raw) | root | parent | reply | flag +1 
 @brugeman
You mention using webauthn as a second factor.
But in my opinion, only webauthn authentication is sufficient and password authentication is not necessary.
This is nosskey.😁
brugeman | 11 months ago (raw) | root | parent | reply | flag +2 
 I need to do more research here. One question though - if nsec is encrypted by password then user would still have to enter it in the app, even if server only needs webauthn to return the encrypted nsec. So from user's point of view, it's still a second factor, even if server needs just one. Or am I missing something?
ocknamo | 11 months ago (raw) | root | parent | reply | flag +1 
 Mostly, you are right.
But strictly, it is not a password for authentication, but just an encryption key, so the user is only asked to enter it when changing browsers, for example.
This is because it is usually not recommended to store passwords in localStorage, etc., but with an encryption key it is considered possib le.

I think in bitwarden it is called "master password".🤔
brugeman | 11 months ago (raw) | root | parent | reply | flag +2 
 Yes, hash of master password is used in bitwarden for server auth (since user already has to remember it to decrypt the master key), and webauthn can be used as a second factor.
ocknamo | 11 months ago (raw) | root | parent | reply | flag +2 
 My concern with The Nostr, unlike the password manager, is that implementing a master password like bitwarden would actually make the master password and nsec the same thing.
If so, users would have to worry about managing the master password instead of the nsec, which would not be fun.
brugeman | 11 months ago (raw) | root | parent | reply | flag +2 
 I have the same concern actually. Here is my line of thinking:

Ultimately, user has to remember some secret (or have a reliable device storing that secret). Password can at least go through a hard key derivation function and be much shorter then the actual nsec and easier to remember. And w/ webauthn as a second factor, a leaked password alone can't be used to recover key from the cloud and decrypt it - user could be notified about the failed cloud access and be asked to change the password. 

I need to think more on this, I feel like there is still something here in what you're saying.