Blog

Passkeys in the context of Account Abstraction

Joan Alavedra
Group 389.svg

Passkeys are a new way of logging in to online accounts, services, and apps that are designed to be faster, easier to use, and more secure than passwords. They are a replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure.

The Backdrop of WebAuthn

The emergence of WebAuthn as a web standard for passwordless authentication has played a pivotal role in the evolution of passkeys. Through its framework, WebAuthn facilitates the generation and authentication of cryptographic key pairs, forming the backbone of the passkey technology. This development is instrumental in advancing secure, passwordless authentication, thereby contributing to a safer and more intuitive user experience in the burgeoning web3 domain.

Secure Enclave: Apple's Fortification

A notable mention in the security enhancement of passkeys is Apple’s Secure Enclave technology. Embedded as a dedicated microchip in Apple devices, Secure Enclave provides an isolated environment for secure data operations, including transaction signing and biometric authentication processes like Touch ID and Face ID. This robust security feature significantly elevates the security posture of passkeys, ensuring a secure generation, storage, and handling of cryptographic key pairs.

Passkey Storage Challenges

Despite the advancements, challenges persist, particularly around the storage of passkeys. Traditional keychain storage, for instance, lacks hardware-level security and heavily relies on iCloud for passkey recoverability, presenting potential security risks.

Device and Software Discrepancies

The effectiveness and security of passkeys can vary across different devices and software platforms. While Apple’s Secure Enclave provides a robust security framework for passkey management, not all platforms have an equivalent hardware-based security feature. For instance, Android devices and Windows platforms may employ different security architectures, which might affect the security level and user experience of passkey-based authentication systems.

Moreover, software implementations and the integration of WebAuthn could also dictate the overall security posture and usability of passkeys across various platforms. Understanding these discrepancies is crucial for developers and platforms aiming to implement passkey technology and account abstraction effectively.

Wallets with Passkey

In the context of wallets, passkeys can be used as the signers/owners for your wallets. This enables a powerful experience where users get to create self-custody wallets using biometrics, without having to remember any seed phrases.

After authenticating via email or social, users are prompted to create a passkey with their device (e.g., biometrics). This grants them a wallet and enables transaction signing with that passkey.

Passkeys work on straightforward identity verifications, like fingerprint scans, facial recognition, PIN, or swipe patterns. They leverage a familiar pattern of using a biometric (FaceID, or TouchID) to securely create and store a credential to the user’s device.

Here's are simple demos of passkey wallet with Lit Protocol and Turnkey.

Passkeys Signature Validation

Passkeys can be implemented both on-chain and off-chain, depending on the context in which they are used. Here are some examples of how passkeys can be implemented on-chain and off-chain:

AA wallets to verify passkey signatures on-chain

  • How it Works: The AA wallets are programmed to verify passkey signatures directly on the blockchain.
  • Pros: Direct user transaction signing using passkeys without any intermediaries, ensuring a higher degree of decentralization.
  • Cons: The most efficient on-chain passkey verification currently known demands around 300k gas per transaction. This is quite steep in terms of costs for most applications. A potential solution could involve an upgrade to the EVM, perhaps with a mechanism similar to EIP-7212.

AA wallets to verify passkey with a Signing Service

  • How it Works: Rather than directly signing with passkeys, users authenticate with a signing service which then produces ECDSA signatures. Depending on each architecture some leverage secure enclaves, decentralize networks and other approaches.
  • Pros: It ensures compatibility with existing wallet infrastructure. More gas efficient due to the indirect nature of the signing. Users always have the flexibility to switch signers, making it adaptable.
  • Cons: It might rewuerid a centralize service like iCloud or Drive.
Share this article