Cryptocurrency Wallets and Passkeys
- Dave Pasirstein
- Founder, CEO
Tags: wallets, passkeys, cryptocurrency, blockchain
TL;DR
Passkeys are a great replacement for passwords. In particular, they provide a great solution for phishing, shoulder surfing, reuse, and weak passwords. However, they open unacceptable material risks over classic seed phrase-based crypto wallets.
Contents
- Great breakthrough or wild security risk?
- What are passkeys?
- What are self-custody crypto wallets?
- What does it mean to use passkeys with crypto wallets?
- Deeper Understanding of the Risk
- Closing
Great breakthrough or wild security risk?
Account abstraction has unlocked a new era of possibilities, revolutionizing user experiences in the crypto space. Among these advancements, passkeys have emerged as a potential game-changer, streamlining cryptocurrency transaction authentication. Many passkey-based wallets now offer a familiar web-like experience with user-friendly account recovery options. But amidst these improvements, have we sacrificed security for user experience? And how do these new wallets stack up against the traditional private key/seed phrase-based wallets in terms of security?
This article explores what to know before you risk losing everything!
What are passkeys?
Passkeys are a powerful yet simpler way to log in to websites and apps without the need to remember or type complicated passwords. In essence, they represent a material leap forward in security over passwords and in most cases a faster, easier, and better user experience than passwords.
The Passkey standard was defined by the FIDO Alliance as a replacement for passwords (Full Disclosure: I previously was a member of the FIDO Alliance). It is effectively a reduced security version of the FIDO2 standard. Essentially, Passkeys are a novel approach to online service authentication that utilizes cryptographic keys to replace traditional passwords. They are similar to passwords in that they are designed for authentication, but the private keys are stored on the user's device and never shared with the service provider. The private key is used to sign an authentication challenge so the server can verify the signature as proof of authentication. Similar to password best practices, a unique passkey public/private key pair will be issued per online service.
Passwords are often weak and reused. They can also be stolen through phishing attacks or when an online server is compromised. Two-factor authentication (2FA) became popular to combat these problems. Even then, many second factors used today are not phishing-resistant. Passkeys address these risks, making them an ideal solution. Passkeys can still be stolen; however, doing so is far more difficult.
Benefits of Passkeys:
- Increased security: Passkeys are much more secure than passwords because the private key is never shared with the service provider. This means it cannot be stolen in transit or on submission.
- Easier to use: Passkeys are easier to use than passwords because you don't have to remember them. They are massively more complex than a password and thus much more difficult to crack. You can simply use your fingerprint, Face ID, or another biometric to authenticate yourself.
- More convenient: Passkeys can be used on any device, including your smartphone, tablet, or computer. This makes it easy to access your accounts from anywhere.
Like passwords, passkeys can be stored and cloud-synced across devices and password managers offering a friendly user experience. Indeed, Apple, Google, 1Password, Bitwarden, LastPass, and many other password managers, manage authentication, cloud backup, and cloud sync of passkeys.
What are self-custody crypto wallets?
Self-custody crypto wallets are often associated with externally owned accounts. They provide the foundation to cryptographically sign an intended transaction with a private key such that the signature’s authenticity can be verified publicly. If someone could obtain the private key, then that person has full control of the account.
During setup, such wallets often require the user to create a password that is used locally to unlock the wallet and/or the private key to sign transactions. It is not transmitted to an online service. Because the password is not managed by an online service, most crypto wallets do not have an “I forgot my password” option and instead issue a recovery phrase, also called a seed phrase or mnemonic, of 12 to 24 words. Typical instructions are to keep this recovery phrase safe, as it is the only way to recover the account. This can be inconvenient and prone to problems.
What does it mean to use passkeys with crypto wallets?
While both crypto wallets and passkeys utilize private keys, they are not interchangeable for most blockchains. Account abstraction, supported by some blockchains, uses smart contracts that can bridge this gap by enabling derivation, or a similar process, with the passkey to authenticate transactions. Account abstraction is far broader than passkeys alone, allowing for flexible and customizable rules for wallet management; however, since each wallet could define its own account abstraction smart contracts, end users must consider additional implementation risks compared to traditional self-custody wallets.
Unlike wallets that issue a recovery phrase with instructions for safekeeping, passkey-based wallets have inherent recovery mechanisms built in by the passkey provider (e.g., Apple, Google, 1Password, LastPass, Bitwarden). This provides a seamless user experience for wallet recovery, device upgrades, and new devices, but introduces significant security risks.
The passkey providers back up the passkeys to online cloud-based storage. This practice mirrors the discouraged behavior of saving recovery/seed phrases in password managers, which has resulted in significant security breaches and financial losses for users. Consequently, online cloud storage becomes a prime target (a.k.a. a honeypot) for hackers. This is not merely a theoretical risk; actual exploits have led to the theft of millions of dollars in cryptocurrency.
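The challenge signing described under "What are passkeys?" and the backup risk described above can be seen in one short run. This is an added example, not code from the article or from any wallet or passkey provider; the origins, the function names, the JSON message layout and the PEM export standing in for a cloud backup are all assumptions made for illustration.

```javascript
// Added illustration, not code from the article: a simplified passkey-style
// challenge/response. Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
const crypto = require("node:crypto");

// Authenticator: one P-256 key pair per online service.
function createPasskey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Authenticator: sign the server's challenge with the origin the client sees.
function signAssertion(privateKey, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  return { clientData, signature: crypto.sign("sha256", clientData, privateKey) };
}

// Server: holds only the public key; checks signature, challenge and origin.
function verifyAssertion(publicKey, expected, assertion) {
  const { clientData, signature } = assertion;
  if (!crypto.verify("sha256", clientData, publicKey, signature)) return false;
  const { challenge, origin } = JSON.parse(clientData.toString("utf8"));
  return challenge === expected.challenge && origin === expected.origin;
}

function demo() {
  const origin = "https://wallet.example"; // constructed sample values
  const expected = { challenge: crypto.randomBytes(32).toString("hex"), origin };
  const device = createPasskey(); // server stores device.publicKey only
  const check = (key, signedOrigin) => verifyAssertion(
    device.publicKey, expected, signAssertion(key, expected.challenge, signedOrigin));

  const genuine = check(device.privateKey, origin);
  // Challenge relayed through a look-alike site: signed origin does not match.
  const phished = check(device.privateKey, "https://wallet-login.example");
  // A backed-up copy of the private key (modelled as a PEM export) signs
  // exactly as the original device does; the server cannot tell them apart.
  const pem = device.privateKey.export({ type: "pkcs8", format: "pem" });
  const fromCopy = check(crypto.createPrivateKey(pem), origin);
  // Keys are unique per service: another service's key does not verify here.
  const crossService = check(createPasskey().privateKey, origin);
  return { genuine, phished, fromCopy, crossService };
}

console.log(demo());
```

The `fromCopy` result is the point for wallets: a verifier has no way to distinguish the original device from any other holder of the backed-up key.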
Deeper Understanding of the Risk
The online risk and the potential for everything to be stolen far outweigh the combined risks of securing the recovery phrase of a self-custody wallet, as long as that phrase is not stored in online storage. This is not a flaw in passkeys, which represent a massive improvement over passwords for online services. Crypto services differ significantly from classic web services, where fraud claims are possible and recourse, while potentially painful, exists. For example, a stolen credential for X (Twitter), Reddit, or Facebook is upsetting, while a stolen credential for a bank or TradFi account is painful but likely recoverable. However, cryptocurrency transactions are finalized with each block added to the blockchain, and there is no fraud claim process to reverse them. Consequently, one mistake or a stolen passkey can result in total loss. Because a bad actor could compromise a cloud resource, you might not even be aware of the loss until well after it occurs.
The alternative of self-custody wallets issuing a recovery phrase is also imperfect. One can easily misplace or lose the backup, rendering the cryptocurrency completely inaccessible. There's also the potential for someone to physically break into your home or safe and steal the recovery phrase, and the ever-present risk of losing access to the recovery due to natural disasters.
One thing should be clear: the online risk and potential for total loss far outweigh the benefits of using a passkey for signing crypto transactions and the complexity of securing a recovery phrase.
Closing
As discussed, passkeys offer a significant improvement over traditional passwords. They also have the potential to enhance the user experience with cryptocurrency wallets. However, when used for cryptocurrency wallet transaction authentication, they introduce a considerable risk—the risk of total loss which is inherent in the design of passkeys. Some blockchains introduced account abstraction enabling flexibility and configurable rules via smart contracts for wallet management. Account abstraction is often a mechanism to allow a friendly user experience; however, additional risks can arise from the account abstraction implementation.
Although it is outside the scope of this article, there are guardian-based products for backup and recovery of seed phrases, such as the one offered by my employer: SecretShield. A thorough analysis of the security, risks, and benefits associated with this and other approaches will be the subject of a separate article.