 @Ava @Michael J @Luxferre

What do you think about this option?
Am I missing some security leak here?

It just sends/DMs you a one-time code that you can type in. 
 IMO signing with an extension or nsecbunker would be best.  I think there's a NIP for HTTP auth using Nostr.

The 2FA scheme with npub+DM makes sense to me.  It's an extra step to log in, but it would work with whatever Nostr client the user is familiar with already.

Easiest flow would have the DM give a link that authenticates and redirects to the home page of nostr.build, so the user doesn't have to copy-paste or remember a one-time code. 
 Yeah, I think I like it as a second option.

I guess because I often switch computers and I don't have my extension on all of them, for all npubs, and then I start e-mailing my nsec to myself or some nonsense. It's too long to just type out. 
 I recommend logging in with a NIP-07 extension for best security until we get hardware signing, with npub+DM as a 2nd option. Definitely not emailing your nsec to yourself (did you mean npub?)... especially if you aren't using an e2ee email, but even then, it would be more secure to put it in a password manager. 
 It's e2ee encrypted, but it was still a stupid idea. 😂
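One way to implement the DM'd one-time code the thread is debating, written here as an added example (not nostr.build's code): the code is bound to the npub, stored only as a hash, expires after a short TTL, is burned on first successful use, and is limited in guess attempts. Sending the DM itself (e.g. as a NIP-04 message) is assumed to happen elsewhere; the store, TTL and attempt limit are my own choices.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a DM'd code should die quickly (assumed value)
MAX_ATTEMPTS = 5         # stop online guessing of a short code (assumed value)

# In-memory store keyed by npub: {npub: (code_hash, expires_at, attempts)}.
# A real service would keep this in a shared store with the same semantics.
_pending = {}


def _hash_code(npub, code):
    # Bind the hash to the npub so a code issued to one npub is useless for another.
    return hashlib.sha256("{}:{}".format(npub, code).encode()).hexdigest()


def issue_code(npub, now=None):
    """Create a fresh one-time code for npub; the caller DMs it to that npub."""
    now = time.time() if now is None else now
    code = "{:08d}".format(secrets.randbelow(10 ** 8))  # 8 digits, CSPRNG
    # Issuing a new code replaces any earlier pending one for this npub.
    _pending[npub] = (_hash_code(npub, code), now + CODE_TTL_SECONDS, 0)
    return code


def verify_code(npub, submitted, now=None):
    """Return True exactly once, for the right npub, within the TTL; else False."""
    now = time.time() if now is None else now
    entry = _pending.get(npub)
    if entry is None:
        return False
    code_hash, expires_at, attempts = entry
    if now > expires_at or attempts >= MAX_ATTEMPTS:
        _pending.pop(npub, None)  # expired or exhausted: force a fresh issuance
        return False
    if hmac.compare_digest(code_hash, _hash_code(npub, submitted)):
        _pending.pop(npub, None)  # single use: burn the code on success
        return True
    _pending[npub] = (code_hash, expires_at, attempts + 1)
    return False
```

The same store works for the magic-link variant from the thread: put a longer random token in the link instead of an 8-digit code and verify it with the same expiry and single-use rules.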