We agree that security is very important and we strive to provide the most secure way of handling user keys. Our app uses the multi-authority permission feature, which modifies account metadata to share posting authority with our account @oneplace.app. Such a change requires signing a transaction with your private active key. This method is also used by a lot of apps in the Steem ecosystem and all users can check modifications to their authority list on https://steemd.com/@account
Why we chose this method as the most favourable for security:
- You need to enter your private active key only once to transfer authority. This transaction is signed in your browser and the key is never transferred anywhere.
- After that all transactions are signed by our posting key and you can log in to your profile using just the email/password combo.
- Your key is never stored in the browser, so nobody can steal it.
Of course we realize it still requires trust. That's why our application is fully open-source (GitHub) and open for scrutiny and review by other developers. We also plan to implement an option to use SteemConnect, which is already trusted by many users to handle their private keys.
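The authority-list check mentioned in the post above can also be scripted. This is an added example, not code from the OnePlace project: it walks an account object in the shape returned by Steem's `get_accounts` call and lists every account holding delegated authority. The sample account, the grantee `unknown.app`, the placeholder keys and the `auditAuthorities` helper are constructed for illustration.

```javascript
// Constructed sample in the shape returned by Steem's get_accounts call.
// Key strings are placeholders, not real keys.
const sampleAccount = {
  name: "alice",
  owner: { weight_threshold: 1, account_auths: [],
           key_auths: [["STM_OWNER_KEY_PLACEHOLDER", 1]] },
  active: { weight_threshold: 1, account_auths: [["unknown.app", 1]],
            key_auths: [["STM_ACTIVE_KEY_PLACEHOLDER", 1]] },
  posting: { weight_threshold: 1, account_auths: [["oneplace.app", 1]],
             key_auths: [["STM_POSTING_KEY_PLACEHOLDER", 1]] },
};

// Hypothetical helper: `allowed` maps a role to the accounts the user
// knowingly delegated to, e.g. { posting: ["oneplace.app"] }.
function auditAuthorities(account, allowed = {}) {
  const findings = [];
  for (const role of ["owner", "active", "posting"]) {
    const auth = account[role];
    if (!auth) continue;
    for (const [grantee, weight] of auth.account_auths || []) {
      // A grantee whose weight meets the threshold can sign on its own.
      const canSignAlone = weight >= auth.weight_threshold;
      const known = (allowed[role] || []).includes(grantee);
      let status;
      if (role !== "posting") {
        // Active covers transfers; owner can replace every other key.
        status = "high-risk";
      } else {
        status = known ? "expected" : "review";
      }
      findings.push({ role, grantee, weight, canSignAlone, status });
    }
  }
  return findings;
}

function report(account, allowed) {
  return auditAuthorities(account, allowed).map(
    (f) => `${f.status.padEnd(9)} ${f.role.padEnd(7)} @${f.grantee}` +
           (f.canSignAlone ? " (can sign alone)" : " (needs co-signers)")
  );
}

console.log(report(sampleAccount, { posting: ["oneplace.app"] }).join("\n"));
```
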
SteemConnect is a good solution for this! I think it will increase users on your app. As everyone knows, scammers and thieves are everywhere on Steemit. I will never trust anyone with my private keys and I don’t know any app that requires active private keys either. I trust SteemConnect and will be back as soon as you start to use it.
Much better to have software that runs on the desktop for managing authority. I have one in development now.
Actually if the user could provide his posting key each time and you are only posting, you wouldn't need the active key.