boilerhodl on Nostr: If an attacker had your TAPSIGNER, they'd still need your username/password to ...

If an attacker had your TAPSIGNER, they'd still need your username/password to authenticate and vice versa. We don't secure funds with these Tapsigners. They are only for 2-factor authentication, so the Best Practice violation seems like a reasonable trade-off for this use case.