Andreas 1 week ago
For the #aosconvergence 2026 hackathon, @Blueocean and I built a proof of concept showing how passkeys can be used with Nostr on iOS. The goal was to explore whether passkeys (Face ID, Touch ID, security keys, etc.) can simplify Nostr onboarding by eliminating the need to manage private keys, seed phrases, browser extensions, and separate signing apps. Instead of asking users to understand cryptography, we let them create a passkey and start using Nostr with a familiar authentication flow. This is an early proof of concept, not a production-ready application, but the UX feels promising and raises some interesting questions about the future of Nostr identity and key management. Source code: #nostr #passkeys #webauthn #ios #opensource #oas2026

Replies (3)

Andreas 3 days ago
Me and @ManiMe also experimented with multiple apps sharing the same domain but with distinct bundle IDs and teams. As demonstrated in the screen recording, this allowed several clients to access the same nsec.
Thoughts: don't. Passkeys are a hidden trojan horse. They have a hardware attestation buried in their spec. How it will be used: when enough people buy enough "attested hardware", i.e. iPhones, big corps will silently switch from syncable passkeys to hardware passkeys. Most people will ignore it. No one will listen. Then, because those HSMs for passkeys will be controlled through the root of the CA which signs them, by corporations, and corporations always comply with government requests, this will lead to yet another type of control without an opt-out option. I don't know people, this is really easy to predict, and as always in the whole IT world it always boils down to what is technically possible and not what they present as "trust me bro I don't look into your data".
No thanks. Keep this away from nostr. As another commenter said, it just creates a backdoor control vector for non-open-source entities - corporations. The very antithesis of nostr.