Introducing Passkeys for Faster, Safer Access to Crypto Wallets

We are thrilled to announce that we are rolling out support for Passkeys on Web3Auth - an authentication method that makes it faster and simpler for users to access their crypto wallets while enhancing their security. 

Passkeys are becoming one of the most popular sign-in methods on the Internet. Imagine unlocking your digital assets with just a touch or a glance. Traditional passwords, while familiar, are increasingly vulnerable to breaches and phishing attacks.

We are entering an era where blockchain onboarding is just as smooth as onboarding in any other application. Don’t believe it? Just take a look at how easy it can be:

What are Passkeys?

Passkeys are an alternative to passwords. A passkey is a cryptographic key pair held by an authenticator on the user's device, which the user unlocks with a local verification step: a fingerprint or face scan, a PIN, a hardware security key such as a YubiKey, or, when signing in on another device, by scanning a QR code with the phone that holds the passkey. They are remarkably easy to set up and, most importantly, eliminate the need for users to remember complex strings of characters. Verification is quick and user-friendly.

Faster and Safer Logins

By combining something the user has (their device) with something they are (biometric verification), Web3Auth gives users an easy way to access and recover their crypto wallets without remembering passwords or seed phrases.

Moreover, passkeys offer stronger security because the private key never leaves the user's authenticator (synced passkeys travel between the user's own devices only in end-to-end encrypted form). The server holds nothing but the public key, so a breach of the server's database yields nothing an attacker can log in with.

With this inherent security combined with their simplicity, we believe that passkeys will soon dominate as a popular authentication method on the web. 

How it Works with Web3Auth

We are enabling passkeys as a factor for our Single Factor Authentication (SFA) SDK and, soon, for our Plug-and-Play (PnP) SDKs. Users can now access and manage their wallet accounts with just their biometrics. Passkeys have been an excellent login method for Web2 applications, and now we are enabling them for decentralized applications as well.

SFA SDK Passkeys

The process for users who will use passkeys as their primary authentication factor is simple. They first log in with their OAuth provider (e.g. Google). During this one-time sign-in they register a passkey from their device; once that is done, they can always choose 'Login with Passkey' without any hassle.

Registering a passkey generates a unique pair of cryptographic keys for the user: a private key that stays on the user's authenticator and that only the user can unlock, and a public key that is shared with your application. The passkey then serves as the factor that unlocks the user's wallet key.

Once a passkey is added, it becomes their primary factor and can be used to access their wallet whenever they log in to the application.

On top of SFA Passkeys, we are also enabling it as a secondary login option for 2FA very soon.

Plug-and-Play SDK Passkeys (Coming Soon)

If you are using our PnP SDK, you will soon be able to use passkeys as a secondary option for your user’s two-factor authentication (2FA). 

Using passkeys as a second authentication factor lets users access their wallet even when signing in from a different device, adding a layer of security and recoverability. As with the initial passkey registration in SFA, a PnP user must set up their passkey before they can sign in with it.

Why Enable Passkey Authentication?

Even though passwords may still be the most familiar method of accessing wallets, the simplicity and convenience of passkeys have made them one of the most preferred authentication methods according to our users. Passkeys effortlessly improve the onboarding UX on any device that supports fingerprint access, especially mobile devices.

Convenience

Using a fingerprint for access is significantly quicker than typing out a password. Everything the user needs to access their wallet is already at their fingertips, quite literally. In terms of convenience and speed, a passkey stands out as the superior choice for anyone prioritizing quick and easy access.

Security

Passkeys provide an extra layer of security. The biometric never leaves the device and is never sent to a site; it only unlocks the locally held key, so there is nothing for a user to "enter" on a malicious site. The key itself is bound to the site's origin by the browser: the signed response includes the origin the page was actually loaded from and a hash of the relying party ID, so a lookalike domain cannot obtain an assertion the real site will accept. This makes the credential phishing that works against passwords practically impossible.

Technical Implementation Considerations

Our passkey support is built on the existing authentication standards, the W3C WebAuthn API and FIDO2, so it works with platform authenticators and hardware security keys alike. We're committed to adhering to these universal standards to ensure compatibility and security across platforms.

Next Steps

Passkeys represent a significant leap forward in authentication technology, so we are making it simple for developers to enable them for their users. Stay tuned for more Passkey features coming up - it will soon be available as an authentication factor for our PnP packages.

If you are interested in integrating passkey authentication into your dApp, you can check out our demo or join our community call. Join us in embracing this exciting new way of authentication, and let us know your feedback on this feature!

FAQ

Is the passkey feature supported for mobile applications?

Currently, we only support web browsers. Passkey support still differs between browsers and platforms, so you may run into compatibility issues in some browsers; if you do, please reach out to us. Keep a lookout for passkeys coming to mobile applications soon!

Will the user’s passkey be shared with Web3Auth or my application if they use it for authentication?

The passkey's private key is stored on the user's authenticator and is not shared with any external party. Only the public key credential (the credential ID and its public key) is transmitted to Web3Auth when the user registers or authenticates with a passkey. At login, the authenticator signs a fresh challenge with the private key and Web3Auth verifies that signature against the stored public key, so the user's identity is verified without any secret leaving the device. This keeps the critical authentication data on the user's own device and greatly reduces the risk of unauthorized access.