Passkeys are a new way of logging in to online accounts, services, and apps that are designed to be faster, easier to use, and more secure than passwords. They are a replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure.
The Backdrop of WebAuthn
The emergence of WebAuthn as a web standard for passwordless authentication has played a pivotal role in the evolution of passkeys. Through its framework, WebAuthn facilitates the generation and authentication of cryptographic key pairs, forming the backbone of the passkey technology. This development is instrumental in advancing secure, passwordless authentication, thereby contributing to a safer and more intuitive user experience in the burgeoning web3 domain.
Secure Enclave: Apple's Fortification
A notable mention in the security enhancement of passkeys is Apple’s Secure Enclave technology. Embedded as a dedicated microchip in Apple devices, Secure Enclave provides an isolated environment for secure data operations, including transaction signing and biometric authentication processes like Touch ID and Face ID. This robust security feature significantly elevates the security posture of passkeys, ensuring a secure generation, storage, and handling of cryptographic key pairs.
Passkey Storage Challenges
Despite the advancements, challenges persist, particularly around the storage of passkeys. Traditional keychain storage, for instance, lacks hardware-level security and heavily relies on iCloud for passkey recoverability, presenting potential security risks.
Device and Software Discrepancies
The effectiveness and security of passkeys can vary across different devices and software platforms. While Apple’s Secure Enclave provides a robust security framework for passkey management, not all platforms have an equivalent hardware-based security feature. For instance, Android devices and Windows platforms may employ different security architectures, which might affect the security level and user experience of passkey-based authentication systems.
Moreover, software implementations and the integration of WebAuthn could also dictate the overall security posture and usability of passkeys across various platforms. Understanding these discrepancies is crucial for developers and platforms aiming to implement passkey technology and account abstraction effectively.
Wallets with Passkey
In the context of wallets, passkeys can be used as the signers/owners for your wallets. This enables a powerful experience where users get to create self-custody wallets using biometrics, without having to remember any seed phrases.
After authenticating via email or social, users are prompted to create a passkey with their device (e.g., biometrics). This grants them a wallet and enables transaction signing with that passkey.
Passkeys work on straightforward identity verifications, like fingerprint scans, facial recognition, PIN, or swipe patterns. They leverage a familiar pattern of using a biometric (FaceID, or TouchID) to securely create and store a credential to the user’s device.
Passkeys Signature Validation
Passkeys can be implemented both on-chain and off-chain, depending on the context in which they are used. Here are some examples of how passkeys can be implemented on-chain and off-chain:
On-chain Passkeys (Passkey Wallet)
Also known as an onchain wallet or passkey wallet, this approach involves verifying passkey signatures directly on the blockchain via a smart contract.
- How it Works: The smart account (AA wallet) is programmed to verify the WebAuthn (passkey) signature (secp256r1) directly on-chain. Recent advancements like RIP-7212 (a precompile for P256 curve) significantly reduce the gas cost of this verification. EIP-7702 further enhances this by allowing EOAs to temporarily adopt smart contract capabilities, enabling a seamless transition to on-chain passkeys.
- Pros:
- True Decentralization: Direct user transaction signing using passkeys without any intermediaries or signing services.
- Security: Leverages the hardware security module (Secure Enclave) of the user's device.
- Features: Enables powerful features like Session Keys (to avoid constant popups) and Sponsored Transactions (gasless experience).
- Cons: Historically, gas costs were high (~300k gas), but RIP-7212 is solving this. Support for these precompiles varies across different chains.
Examples:
Off-chain Passkeys (Signing Service)
- How it Works: Rather than directly signing with passkeys, users authenticate with a signing service which then produces ECDSA signatures. Depending on each architecture some leverage secure enclaves, decentralized networks and other approaches.
- Pros: It ensures compatibility with existing wallet infrastructure. More gas efficient due to the indirect nature of the signing. Users always have the flexibility to switch signers, making it adaptable.
- Cons: It might require a centralized service like iCloud or Drive.