semisol - 1y
Normal users don't know what key backup is. They just want it to work, and may prefer a username/password login initially. Using some cryptography, a pretty secure (even against the service operator) cloud key backup scheme can be made.
- An outside attacker cannot brute force passwords faster than the server and key derivation function allows them to. - The server or someone with access to the server's database cannot brute force passwords than the key derivation function allows them to.
The Fishcake🐶🐾 @fishcake - 1y
Actually not a bad idea! Need to think about it! You can even implement private key encryption on the client and then store it somewhere in the cloud! Still not perfect, but at least people can use password manager! 🐶🐾🫡
How this basically works: - User requests encrypted envelope and KDF parameters from server - User derives key using KDF, gets x - User blinds x with b (random) and gets xb - User fulfills whatever requirements the server requested (CAPTCHA, 2FA, etc) and sends xb - Server adds own secret s, sends xbs - User unblinds xbs and gets xs - User uses that to decrypt the envelope and get their key
That is sound! 🐶🐾🫡
edfa2 - 1y
How about just require/force users to learn private key management? It is to their own benefit to do so! Let the lazy users stay on traditional platforms! They will be properly motivated in time! What is the rush? It is IMO better to inform users on best practices...
Users are going to get pushed away if they have to learn complicated shit on the first few minutes they sign up
d4f29 - 1y
This!!! ☝️
Skip 5 minutes of key management, spend 5 weeks setting up profile and follows, 5 seconds get #Rekt. Deserved.
How do you know what a "normal" DECENTRALIZED Protocol user going to be?
4d04a - 1y
word banks LFG multisig hybrid custody solution would be interesting