Using FIDO Passkeys for Nostr private key management

Hey guys,

So I have this idea around using FIDO Passkeys as Nostr keys (and maybe even bitcoin keys). I believe this could be a massive improvement for onboarding users to Nostr and private key management in general.

I'm not super technical so there may be many flaws in my reasoning but I'd like to share this idea here and get some brainstorming going.

First, what are Passkeys?

Based on open FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user's devices. Unlike passwords, passkeys are always strong and phishing-resistant. They use similar cryptographic primitives to Nostr for key generation but come with a significantly better UX. Apple, Google, and Microsoft have all adopted the Passkey standard so it's not some niche standard no one uses.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user's devices, and even work on other devices within physical proximity.

Before continuing I would suggest reading the info on FIDO's website and their whitepaper: https://fidoalliance.org/passkeys/.

How would this work with Nostr?

It's likely Nostr would have to move to using the Passkey standard for key generation (which again, is open) over the current secp256k1, which is slightly larger in signature size (uses ECDSA over Schnorr), BUT the interoperability and UX benefits outweigh that trade-off imo.

As mentioned earlier Apple, Google, and Microsoft have adopted Passkeys and embedded them within their respective operating systems. This means Passkeys are likely going to be the dominant (and passwordless) method the average person will be using to authenticate with apps in the near future.

This is a simple, yet secure, private key management solution for normal people. To think your average joe will manage / back up their own keys as we currently offer in Nostr (and bitcoin) is a pipe dream and a disaster waiting to happen beyond any significant amount of adoption. But we should still be allowing seamless key backups and management without compromising security - which I believe Passkeys offer.

I like solutions like Nostr Connect but needing a dedicated app just for Nostr logins is a lot of user friction and again requires backups which the average user just won't do securely. Furthermore, if the average user is signing into their other apps with Passkeys (this is coming), it would be significantly less user friction for them to sign up to a Nostr client with a flow they are already familiar with. We should be leveraging what exists (Passkeys) rather than re-inventing the wheel.

Below I go over a basic user flow of how this would work using iOS and Damus as an example, but this would work with any Passkey-compatible OS and Nostr client.

https://youtu.be/LefZRnDLKdU

Figma source file from the above video.

Resources