Yes, right now it's only password. I was planning to add webauthn later as second factor.

That's great. As a matter of fact, nosskey has it I've implemented it as a prototype. You may be able to use it as a reference.

GitHub

GitHub - ocknamo/nosskey: ⛔️ DEPRECATED: Nosskey challenges better ways to handle Nostr keys

⛔️ DEPRECATED: Nosskey challenges better ways to handle Nostr keys - ocknamo/nosskey

@brugeman You mention using webauthn as a second factor. But in my opinion, only webauthn authentication is sufficient and password authentication is not necessary. This is nosskey.😁