 I just saw nip49 implemented in Amethyst. It's a format to export an nsec encrypted with a password as an ncryptsec1... string. I guess I will use that.
 Even if you implement nip49, I still think you need to include nsec export. Vitor says nip49 is not meant to replace nsec, and nsec should still be stored in a separate place. If you permit a user to generate new keys, then you need to permit nsec export. Otherwise, users might be left in a lock-in situation with your bunker, especially now when client support for all these new nips is incomplete and buggy.
 Indeed nip49 doesn't solve my issue.
I need to think through whether I can provide some protections first. Amethyst requires you to enter the system PIN / scan your finger to verify your identity. Otherwise anyone who has 10 seconds of access to your device could steal your nsec. Either I need to ask for a password first for nsec export, or add WebAuthn auth, or maybe find some other clever way to do that.
 Exactly.