
Passkeys are a modern alternative to passwords, designed to make logging in to apps and services faster and more secure. Instead of remembering a long string of text, users can use their device's built-in biometrics (like Touch ID or Face ID) or a screen lock to authenticate.
What are Passkeys in onchain apps?
In the context of blockchain wallets, passkeys act as the "signer" or owner of an account. This allows players to create and manage self-custodial wallets using their phone's hardware security, removing the need for seed phrases. When combined with account abstraction, passkeys enable a "passwordless" onchain experience where signing a transaction is as simple as scanning a fingerprint.
The Role of WebAuthn and Secure Enclaves
Passkeys rely on the WebAuthn standard to generate cryptographic key pairs. On devices like iPhones and Macs, these keys are stored in the "Secure Enclave"—a dedicated microchip that keeps sensitive data isolated from the rest of the operating system. This hardware-level security ensures that private keys cannot be easily extracted or stolen, even if the device is compromised.
Passkey Storage Challenges
Despite the advancements, challenges persist, particularly around the storage of passkeys. Traditional keychain storage, for instance, lacks hardware-level security and heavily relies on iCloud for passkey recoverability, presenting potential security risks.
Device and Software Discrepancies
The effectiveness and security of passkeys can vary across different devices and software platforms. While Apple’s Secure Enclave provides a robust security framework for passkey management, not all platforms have an equivalent hardware-based security feature. For instance, Android devices and Windows platforms may employ different security architectures, which might affect the security level and user experience of passkey-based authentication systems.
Moreover, software implementations and the integration of WebAuthn could also dictate the overall security posture and usability of passkeys across various platforms. Understanding these discrepancies is crucial for developers and platforms aiming to implement passkey technology and account abstraction effectively.
Wallets with Passkey
In the context of wallets, passkeys can be used as the signers/owners for your wallets. This enables a powerful experience where users get to create self-custody wallets using biometrics, without having to remember any seed phrases.
After authenticating via email or social, users are prompted to create a passkey with their device (e.g., biometrics). This grants them a wallet and enables transaction signing with that passkey.
Passkeys rely on straightforward identity checks, such as fingerprint scans, facial recognition, a PIN, or a swipe pattern. They leverage the familiar pattern of using a biometric (Face ID or Touch ID) to securely create and store a credential on the user's device.
Passkeys Signature Validation
Passkeys can be implemented both onchain and off-chain, depending on the context in which they are used. Here are some examples of how passkeys can be implemented onchain and off-chain:
Onchain Passkeys (Passkey Wallet)
Also known as an onchain wallet or passkey wallet, this approach involves verifying passkey signatures directly on the blockchain via a smart contract.
- How it Works: The smart account (AA wallet) is programmed to verify the WebAuthn (passkey) signature (secp256r1) directly onchain. Recent advancements like RIP-7212 (a precompile for the P256 curve) significantly reduce the gas cost of this verification. EIP-7702 further enhances this by allowing EOAs to temporarily adopt smart contract capabilities, enabling a seamless transition to onchain passkeys.
- Pros:
  - True Decentralization: Direct user transaction signing using passkeys without any intermediaries or signing services.
  - Security: Leverages the hardware security module (Secure Enclave) of the user's device.
  - Features: Enables powerful features like Session Keys (to avoid constant popups) and Sponsored Transactions (gasless experience).
- Cons: Historically, gas costs were high (~300k gas), but RIP-7212 is solving this. Support for these precompiles varies across different chains.
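The checks a verifier applies to a WebAuthn assertion before accepting a passkey-signed transaction, shown in Node.js as an added example (not code from this page or from any wallet project). It assumes the wallet uses the transaction hash as the WebAuthn challenge; `makeAssertion`, `verifyAssertion`, `demo` and `wallet.example` are hypothetical names, and the software key pair is a constructed stand-in for a hardware-backed passkey.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed stand-in for a device authenticator (a real one keeps the key in hardware).
function makeAssertion(privateKey, { rpId, origin, challenge, flags = 0x05 }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin,
  }));
  // authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Returns "ok" or the name of the first check that failed.
function verifyAssertion(publicKey, expected, { clientDataJSON, authenticatorData, signature }) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "bad-challenge";
  if (client.origin !== expected.origin) return "bad-origin";
  if (authenticatorData.length < 37) return "bad-authdata";
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "bad-rpid";
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return "no-user-presence"; // UP bit
  if ((flags & 0x04) === 0) return "no-user-verification"; // UV bit: biometric or PIN
  // The P-256 signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
}

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const ctx = { rpId: "wallet.example", origin: "https://wallet.example",
                challenge: sha256("constructed transaction hash") };
  const good = makeAssertion(privateKey, ctx);
  const flipped = Buffer.from(good.authenticatorData);
  flipped[36] ^= 1; // alter signCount after signing
  return {
    valid: verifyAssertion(publicKey, ctx, good),
    otherTx: verifyAssertion(publicKey, { ...ctx, challenge: sha256("another hash") }, good),
    noBiometric: verifyAssertion(publicKey, ctx, makeAssertion(privateKey, { ...ctx, flags: 0x01 })),
    tampered: verifyAssertion(publicKey, ctx, { ...good, authenticatorData: flipped }),
  };
}

console.log(demo());
```

An onchain verifier ends with the same secp256r1 signature check, which is the step RIP-7212 makes cheaper on chains that support the precompile.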
Off-chain Passkeys (Signing Service)
- How it Works: Rather than directly signing with passkeys, users authenticate with a signing service, which then produces ECDSA signatures. Depending on the architecture, some services leverage secure enclaves, decentralized networks, or other approaches.
- Pros: It ensures compatibility with existing wallet infrastructure. More gas efficient due to the indirect nature of the signing. Users always have the flexibility to switch signers, making it adaptable.
- Cons: It might require a centralized service like iCloud or Drive.
