I love the elegance of using npubs for solving the #authentication problem. Having an identifier that natively supports encrypted messaging and signing can vastly reduce the complexity of login (#authentication) solutions and eliminate entirely the need to store passwords.

But this still does not solve the #identity problem. If you are using the same npub to log in to a multiplicity of sites, if your nsec is compromised, you’re screwed.

I’ve heard the criticism that login with npub is actually a ‘regression’ to less secure authentication but that’s not an authentication problem, that’s an identity problem.

The best approach I have seen to mitigating identity compromise is Lightning Login (#lud04), where the wallet derives a new public/private key for each site that is authenticating (using a hash of the domain to derive a new key pair). That way there is no correlation capability.

Carrying this over to #nostr, if a client is privy to your ‘identity’ (has your nsec), it should be able to derive different npubs for different domains, and handle all of the derivations so all those identities look like it’s all one from the perspective of the client.

So it’s a problem to be solved, but right now I see a huge benefit of just solving #authentication, getting rid of all those bespoke authenticator apps, and not becoming device-bound to someone’s hardware because of a passkey that refuses to leave the secure enclave.
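
The per-domain derivation described in the post, sketched as an added example that is not part of the original post and is not the derivation any wallet or nostr client specifies. It assumes a simplified scheme in which HMAC-SHA256 of the normalized domain, keyed with a master secret, is used directly as the secp256k1 private scalar; `MASTER`, `derive_site_key` and the sample domains are constructed for illustration.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve nostr and Lightning keys use).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def derive_site_key(master_secret: bytes, domain: str):
    """Return (secret_key_hex, xonly_pubkey_hex) bound to one domain."""
    # Normalize so Example.COM. and example.com map to the same identity.
    host = domain.strip().lower().rstrip(".")
    counter = 0
    while True:
        mac = hmac.new(master_secret, host.encode() + bytes([counter]), hashlib.sha256)
        d = int.from_bytes(mac.digest(), "big")
        if 0 < d < N:  # reject the (negligible) out-of-range scalars
            break
        counter += 1
    x, _ = point_mul(d)
    return f"{d:064x}", f"{x:064x}"

# Constructed demo secret; a real client would key this from the user's nsec or seed.
MASTER = hashlib.sha256(b"constructed demo seed, never a real nsec").digest()

if __name__ == "__main__":
    for site in ("example.com", "shop.example", "forum.example"):
        print(site, derive_site_key(MASTER, site)[1])
```

A leaked per-site key reveals neither the master secret nor the keys for other sites, and the public keys two sites see cannot be linked to each other; the master secret remains the single point of failure.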