near / fast-auth-signer

https://fast-auth-signer.vercel.app
MIT License

Maximum number of account keys #125

Open nall-near opened 9 months ago

nall-near commented 9 months ago

Description

Currently FastAuth accounts have a limited number of keys they can store, requiring the removal of old keys in order to add new keys. When FastAuth users reach the maximum key limit, they are prompted to choose an existing key to remove to make room for the new key.

It was originally suggested to remove the oldest key automatically, but this leads to some challenges with the user experience (see comment).


User Story

As a user, I want to use my account in multiple places without the need to constantly manage my keys.

Acceptance Criteria

  1. Provide appropriate metadata about each active key to help the user make a confident decision
  2. Only prompt users to take action when the key limit is reached

### Open Questions
- [ ] What key types are considered as part of the limit, FAK, LAK, or both?
- [ ] What is the key limit?
- [ ] Do keys have a natural expiration or will they stay active until removed?
- [ ] What metadata can we provide about each key to help the user make a decision? (last used, actively used, in use, date, time, device, etc.)
- [ ] What are the consequences of removing each key type, what will the pain point be for the user?
- [ ] Could some "sign in" actions be handled using "sign message" function to avoid adding an additional key?
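The acceptance criteria above describe a prompt-only policy: count the keys against a limit, and when the limit is reached show the user each key with enough metadata (key type, device, last use, consequence of removal) to choose, instead of silently dropping the oldest key. The following is an added example, not code from fast-auth-signer, that models that policy. Key records follow the shape of NEAR's `view_access_key_list` RPC response; the `meta` fields (`device`, `lastUsedAt`), the `MAX_KEYS` value, the `countedKinds` option and the sample keys are assumptions, since the limit and the available metadata are still open questions in this issue.

```javascript
// Added example (not fast-auth-signer code). Models the "prompt, don't auto-delete"
// key-limit policy from the issue. The limit and the meta fields are assumed.

const MAX_KEYS = 5; // assumed; the real limit is an open question in the issue

// FAK vs LAK, following the NEAR permission encoding: "FullAccess" is a string,
// a function-call key carries a { FunctionCall: {...} } object.
function keyKind(key) {
  return key.access_key.permission === "FullAccess" ? "FAK" : "LAK";
}

// Per-key metadata so the user can make a confident decision. The removal
// consequence is derived from the permission itself, not guessed.
function describeKey(key, now) {
  const kind = keyKind(key);
  const perm = key.access_key.permission;
  const lastUsedAt = key.meta?.lastUsedAt ?? null;
  return {
    publicKey: key.public_key,
    kind,
    device: key.meta?.device ?? "unknown device",
    daysSinceUse: lastUsedAt === null ? null : Math.floor((now - lastUsedAt) / 86_400_000),
    removalImpact: kind === "FAK"
      ? "full-access key: removing it signs that device out of the whole account"
      : `function-call key for ${perm.FunctionCall.receiver_id}: removing it only breaks that dApp session`,
  };
}

// Decide whether adding one more key requires a prompt. Nothing is removed here:
// the least recently used key is merely listed first as a suggestion.
function planKeyAddition(keys, { limit = MAX_KEYS, countedKinds = ["FAK", "LAK"], now = Date.now(), currentKey } = {}) {
  const counted = keys.filter((k) => countedKinds.includes(keyKind(k)));
  if (counted.length < limit) {
    return { promptUser: false, candidates: [] };
  }
  const staleness = (d) => (d.daysSinceUse === null ? Number.MAX_SAFE_INTEGER : d.daysSinceUse);
  const candidates = counted
    .filter((k) => k.public_key !== currentKey) // never offer the key signing this very request
    .map((k) => describeKey(k, now))
    .sort((a, b) => staleness(b) - staleness(a)); // never-used and long-unused keys first
  return { promptUser: true, candidates };
}

// Constructed sample data mirroring the three-device scenario in the thread.
const NOW = Date.UTC(2024, 0, 31);
const SAMPLE_KEYS = [
  { public_key: "ed25519:EXAMPLE_PHONE", access_key: { nonce: 1, permission: "FullAccess" },
    meta: { device: "iPhone Safari", lastUsedAt: Date.UTC(2024, 0, 30) } },
  { public_key: "ed25519:EXAMPLE_PC", access_key: { nonce: 1,
      permission: { FunctionCall: { allowance: "250000000000000000000000", receiver_id: "example-dapp.near", method_names: [] } } },
    meta: { device: "PC Chrome", lastUsedAt: Date.UTC(2024, 0, 1) } },
  { public_key: "ed25519:EXAMPLE_OLD", access_key: { nonce: 1, permission: "FullAccess" },
    meta: { device: "old laptop", lastUsedAt: null } },
];

// With an assumed limit of 3 the user is prompted; the phone key (the one in use) is never offered.
console.log(JSON.stringify(planKeyAddition(SAMPLE_KEYS, { limit: 3, now: NOW, currentKey: "ed25519:EXAMPLE_PHONE" }), null, 2));
```

Two design points worth noting: the key that is signing the current request is excluded from the candidate list so the flow cannot lock the user out of the session they are in, and `countedKinds` makes the "FAK, LAK, or both" question a single parameter rather than something baked into the logic.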
nall-near commented 9 months ago

Comments from @hcho112:

...a bit more context around the key management. A. I actually implemented it based on your recommendation (we think alike!), but I have received feedback that we have to be careful about deleting keys (because the oldest key you refer to may be in use by the user interacting with a dApp; by manually deleting keys themselves, they should be aware of their actions). But we can have a group discussion on this.

B. Being the oldest key doesn't necessarily mean that it is something that should obviously be deleted. (e.g. As a user, I use my personal iPhone to access near.org, which is my main device. Then I find a dApp that needs more screen, so I use my PC Chrome. Then one day I'm out at a cafe and I brought my laptop and wanted to access via Safari on Mac. In this case, I'm not sure deleting the iPhone keys is the right thing to do.) Instead of assuming, we let the user decide which key is not relevant and delete it instead.