Oddbean new post about | logout
 I partially agree. My Trezor supports FIDO2, and I'm not worried about that key leaking. It never leaves the device, unlike passwords. I consider this superior to any password manager, and that's saying something coming from me!

I agree that giving your nsec to a website is sketchy. Maybe it's stored in LocalStorage and never leaves your browser, but it's hard to know and even if that's true, it still turns an XSS vulnerability into "my private key has been leaked".

So, the way people are implementing things now… yeah, no. But I think there is potential for cryptographically secure authentication, possibly by just signing each request and not even having a session token.