Replies (1)

kiwi 5 months ago
That’s the client’s responsibility to ensure good opsec - username, password, 2FA, master key if they lose any of the inputs aforementioned and need to change password / 2FA. Still thinking it through, adding unique keys per key purchased and request and using it to mitigate replay attacks. Client follows provider on Keybase, they should probably have some secured comms.. but signature requests and PSBT sharing should go through the platform to ensure the 7-day (minimum) wait before the provider signs, which should be ample time for the client to be alerted and contact the provider. There will be better ways of proving the client is who they say they are, signing xyz message or something.. still thinking it through what the best approach is, and actually if it’s for me to even decide that or let people figure it out themselves and just provide the means to do that as I iterate through.