People were very accustomed to the now defunct nsecDOTapp encrypted nsec/signer website. This is just a way to make that same custodial encryped nsec recovery service more accessible for everyone over blossom but this time with 2FA and no signing server. I’ve always used nip-49 as a starting place, even made this offline tool a while back for decrypting nip-49 on device, in the browser, fully off-line.

Replies (1)

You're right that a rug is permanent that's nostr, no reset button. Brute force isn't how it happens with this design. the password and 2fa secret fuse into a single scrypt passphrase, so cracking one factor gives no feedback and no partial win. The secret alone is 160 bits, which makes offline attacks on the public blob infeasible outright, weak password or not. The honest risk is phishing both factors at login time. That's worth worrying about.