This is a consideration we're making while developing our custodial lightning wallet.
For context, this is a custodial wallet, so that's a given. Not your keys not your coins, true. But for smaller amounts and/or quick transfers a custodial wallet is helpful for obscuring away all the complexities of liquidity with lightning. And given that it’s custodial, we need to implement a secure way for users to authenticate themselves.
Currently, we offer authentication via phone number with SMS verification and are considering adding email and password as another option. Additionally, we're evaluating whether to include social sign-in (e.g., Google, Facebook) as an optional method. We would like to gather feedback on how our potential users feel about the inclusion of social sign-in, which is the purpose of this informal poll.
Great! That would be my preferred choice: 4.5%
Good! More optionality is always welcome: 9.1%
I wouldn't use it, but I'm fine with it: 18.2%
I might use it, but it puts me off: 4.5%
No way! I wouldn't touch that: 63.6%
22 votes \ poll ended
305 sats \ 3 replies \ @tony_ 4 Sep
Please, whatever you do end up doing, do not rely on SMS for auth. Sim swappers will be all over it if you do.
reply
You do realize you need to physically have someone's SIM card to SIM swap them, right? Not sure how it works now with eSIMs, but being SIM-swapped if you have a physical SIM card is virtually impossible.
reply
I'm pretty sure you just have to convince a salesperson that you "lost your phone" and get the same number reassigned to a new SIM/device. It's the number that's used for SMS-based auth, not the SIM itself. Social engineering is often a weaker link than hacking or physical theft.
reply
The threat here is they steal your phone number. There is strong evidence that someone can steal your phone number and is willing to sell that as a service for as little as $1,000 (if it's T-Mobile; other carriers cost more).
Hackers have also offered T-Mobile employees as little as $300 to perform SIM swaps, and I'd be willing to bet there were some takers near that price point.
reply
If I can't log in with a YubiKey or a TOTP time-based authentication token, I suspect that the organization doesn't take security very seriously. Ultimately there needs to be a private key involved, not punting to a third party.
reply
lnurl-auth. I think SN calls it lightning login. You should use that lmao it would be very ironic
reply
386 sats \ 1 reply \ @ek 5 Sep
It's easy to forget which wallet you used to log in, and it can't be recovered though. Almost all of our support requests regarding accounts are because of that. I used to like it because it's so simple, but that simplicity can backfire with bad UX. Still like it, just less than initially.
Nostr login is better because you usually only have one nostr identity while it's more likely to have multiple wallets. And even if you have multiple nostr identities, it's easier to keep track of since there isn't this mismatch of wallet<>id.
reply
It's easy to forget which wallet you used to log in, and it can't be recovered though
I weirdly can't relate. Also haven't tried nostr login. I'll test it out though.
reply
There might be some selection bias at play in this poll ;)
It'll be interesting to see how diverse the SN crowd is though.
reply
21 sats \ 1 reply \ @TMRW OP 4 Sep
You mean selection bias in the sense that it's targeting a bitcoiner forum? If that's the case then that's ok because we precisely want to gauge bitcoiners' opinions.
We know it's just a segment of the overall population. But it's the segment more likely to pick up our product first and thus the one we're drawing opinions from.
reply
I meant to say in the sense that vocal btc maxis, as the ones you find here, who have strong opinions about traditional social media, are not fully representative of the more diverse crowd of shitcoiners who also happen to use bitcoin and probably don't care about using Facebook, etc. The latter are probably not sampled by your poll yet might be part of your target group of customers.
reply
I believe that a custodial wallet should include several authentication mechanisms from the start, not just the phone. There are many users who prefer email. That is to say, initially consider several and not just one. I consider the integration with nostr to be of vital importance, especially in these times.
reply
No way. This is the thing that nobody can touch. I have seen dozens of wallets that are not collecting information from users through this means.
reply
Goes against everything Satoshi wanted and Bitcoin stands for. Anonymity.
reply
No way, that was pedantic
reply
What advantages does connecting to the wallet offer? I would like to understand
reply