Generating Nostr account using Passkeys \ stacker news ~nostr

217 sats \ 3 comments \ @dolu 15 Aug nostr

I wanted to conduct an experiment today. The main idea was to generate a Nostr account using Passkeys as the entropy source for private key generation.

https://nostr-passkeys-demo.vercel.app

I arrived at a functional solution (though perhaps not the best), but I encountered the issue that Passkeys are tied to domains. In the demo, you can generate a key pair, but it would be "impossible" to generate the same key pair on another site that might implement this system. (such as Nostr clients like Primal, Coracle, etc.)

What do you think? Do you see any improvements? Is it something useful or completely useless? I’m open to criticism; it's entirely experimental.

view all related items

100 sats \ 1 reply \ @dollarparity 15 Aug

Good work. Can you use a KDF like PBKDF2, Argon2, or HKDF to derive a consistent private key across domains?

0 sats \ 0 replies \ @dolu OP 16 Aug

Passkeys generate a key pair for each account created. From there, the inputs for the KDF key derivation will inevitably be different. Or did I misunderstand what you meant?

0 sats \ 0 replies \ @sebastix 16 Aug

https://notes.neatnik.net/2024/08/passkeys-are-not-passwords

I'm not a passkey expert, but sometimes I learn while I read something like in the article above. I think by design you can't mix/match passkeys with a Nostr keypair.

They’re something truly unique, because baked into their design is the requirement that they be unphishable. And the only way you can have something that’s completely resistant to phishing is to make it impossible for a person to provide that data to someone else (via copying and pasting, uploading, etc.). That you can’t export a passkey in a way that another tool or system can import and use it is a feature, not a bug or design flaw. And it’s a critical feature, if we’re going to put an end to security threats associated with phishing and data breaches.