What is the mechanism used by the Browser for the user to authenticate without relinquishing custody of the user's nsec private key to server-side custody? Is a browser extension needed to implement a challenge-response using the nsec kept on the user's local file system?