Account abstraction holds the promise of eliminating the need for private keys while ensuring self-custody and security. However, most smart accounts do not fully achieve this goal due to a lack of libraries for other authentication methods. As a result, app developers use methods that are less user-friendly, or they rely on social login or third-party multi-party computation (MPC) services. Although these options offer a better user experience compared to private keys, they still fall short of the ideal vision. Fortunately, there is a way to eliminate these dependencies entirely.
This is where passkeys come in. Passkeys are a revolutionary advancement, providing a user-friendly and secure authentication option that uses biometrics, patterns, or PINs, thereby eliminating the need for mnemonic phrases.
This article outlines what passkeys are, their benefits, how they can be implemented, and how they enable a smooth, secure user experience while maintaining self-custody.
Current Wallet Landscape
Digital wallets come in various forms, each with unique advantages and disadvantages:
- Custodial Wallets
Custodial wallets include wallets like Binance that require users to entrust a third party to manage their assets. While they offer convenience, they come with the risk of losing users’ assets if the custodian is hacked.
- Private Key EOAs (Externally Owned Accounts)
Wallets such as MetaMask, Coinbase Wallet, and Phantom require users to manage their own private keys. This method provides more security compared to custodial wallets, but it can be challenging because users must remember and securely store a seed phrase. Losing this phrase means losing access to assets.
- Hardware Wallets
Examples include Ledger and Trezor. These wallets store private keys offline, offering enhanced security. However, they can be cumbersome to use due to the additional steps required to sign transactions.
- MPC Wallets
Wallets like Zengo and OKX Wallet distribute the private key into multiple parts across different devices or parties. This approach reduces the risk of a single point of failure but can be slower and requires significant infrastructure.
What is Account Abstraction (ERC-4337)?
Account abstraction (ERC-4337) has the potential to enable a new generation of passkey-based cryptocurrency wallets. By abstracting the underlying functionality and allowing smart contracts to manage accounts, ERC-4337 enables more user-friendly features, such as social recovery, customizable transaction logic, and the ability to pay gas fees in various cryptocurrencies. These innovations can make blockchain technology more accessible to mainstream users by simplifying the wallet experience and reducing the reliance on complex seed phrases.
Understanding Passkeys and their Impact on Blockchain Usability
The objective of account abstraction in web3 is to enhance the accessibility of blockchain applications for everyday users. Passkeys are an effective means to achieve this, making web3 authentication as simple as signing in to any standard application or mobile app.
The integration of passkeys can potentially streamline the authentication paradigm, making it as intuitive as using any traditional application, while seamlessly incorporating advanced technologies like facial recognition or fingerprint scanning without exposing users to their complexities.
Passkeys have three main entities:
- Authenticator: This is a hardware or software device responsible for handling requests from the client to perform attestation operations. Examples include USB tokens and smartphones.
- Client: This entity represents the interaction between the user and the platform.
- Relying Party: This is the entity that utilizes Web Authentication to verify a user’s identity, such as services like Google and Facebook.
Working of Passkeys
Passkeys consist of a pair of related keys: a public key and a private key. The public key is stored on the server, while the private key remains securely on the user’s device, even during sign-in. The private key is never shared with the server or anyone else.
When a user signs in, the server sends a one-time challenge to their device. Only the user’s private key can generate a valid response to this challenge, which is then sent back to the server. The server verifies this response using the public key. If the response is correct, the sign-in succeeds. The public key can verify the response but cannot generate it, so the server can confirm that the user holds the private key without ever knowing it.
These keys are generated by the device securely and uniquely for each account.
Benefits of Passkeys
- Biometric Authentication
Passkeys allow users to sign and submit transactions using biometric methods such as fingerprints or facial recognition, removing the need for complex passwords or seed phrases.
- Cross-Device Recovery
Passkeys can be backed up and restored on any device through services like Apple Keychain on iCloud or Google Credential Manager. This ensures users can recover their account abstraction wallets if their primary devices are lost.
- Smartphone as Hardware Wallet
Passkeys transform users’ smartphones into hardware wallets, utilizing their biometric and cryptographic features to securely manage private keys and sign transactions.
- Speed
While MPC wallets offer enhanced security by splitting the private key into fragments across multiple devices, requiring consensus for transaction authorization, they are generally slower than passkey-based wallets. Passkey wallets use secure enclaves and biometric authentication for faster, more convenient access.
Implementing Passkeys with the ERC-4337 Standard
To integrate passkeys on Ethereum, a user must have an ERC-4337 smart contract capable of verifying P256 signatures. The reason is that this standard facilitates transactions without the need for conventional private keys, addressing a key limitation on the Ethereum blockchain as well as other EVM-compatible blockchains such as Optimism, BNB Smart Chain, and Arbitrum.
Here are the two primary steps to enable passkeys on Ethereum:
- Client-Side Signing with Passkeys: Use the WebAuthn API to create and sign passkeys on users’ devices. While the specific method for generating local passkeys can vary by device, the overall process generally follows a consistent pattern.
- Setting Up Smart Accounts for Passkeys: Develop a smart account that can verify passkey signatures, often known as elliptic curve secp256r1 or P256 signatures. This involves modifying the validateUserOp function in the smart contract to include the P256 signature verification algorithm.
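The challenge-response flow from "Working of Passkeys" and the two steps above, as an added Node.js example that is not code from the original article: a simulated authenticator signs a one-time challenge with a P-256 key, and the verifier checks the challenge, origin, relying-party hash and signature using only the public key. The relying-party ID, origin and function names are assumptions made for illustration; in a smart account the signature check would sit in validateUserOp.

```javascript
// Added example; RP_ID, ORIGIN and all keys/challenges are constructed values.
const nodeCrypto = require('node:crypto');
const RP_ID = 'wallet.example';
const ORIGIN = 'https://wallet.example';
const sha256 = (b) => nodeCrypto.createHash('sha256').update(b).digest();

// Stand-in for the device authenticator. A WebAuthn assertion signs
// authenticatorData || SHA-256(clientDataJSON) with the P-256 private key.
function simulateAssertion(privateKey, challenge, origin = ORIGIN) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  // Layout: rpIdHash (32 bytes) | flags (0x01 UP, 0x04 UV) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signed, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Verifier side (server or account logic): only the public key is needed.
// Returns 'ok' or the reason the assertion was rejected.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (!Buffer.from(String(cd.challenge), 'base64url').equals(expectedChallenge)) return 'challenge mismatch';
  if (cd.origin !== ORIGIN) return 'wrong origin';
  if (a.authenticatorData.length < 37) return 'authenticatorData too short';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong rpId';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = nodeCrypto.randomBytes(32); // one-time challenge
  const a = simulateAssertion(privateKey, challenge);
  const altered = { ...a, authenticatorData: Buffer.concat([a.authenticatorData.subarray(0, 36), Buffer.from([9])]) };
  return {
    valid: verifyAssertion(publicKey, challenge, a),
    replayed: verifyAssertion(publicKey, nodeCrypto.randomBytes(32), a),
    altered: verifyAssertion(publicKey, challenge, altered),
    otherOrigin: verifyAssertion(publicKey, challenge, simulateAssertion(privateKey, challenge, 'https://other.example')),
  };
}
console.log(demo());
```

The `replayed` case shows why the challenge must be fresh per sign-in: an assertion captured for one challenge is rejected when the verifier expects another.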
The Road Ahead: Enhancing Web3 User Experience
Passkeys present a groundbreaking method for user authentication on the Ethereum blockchain, aligning with the objectives of account abstraction by removing the need for traditional private keys. For developers and organizations aiming to improve the security and user experience of their blockchain applications, integrating passkeys with ERC-4337 offers a progressive and effective solution.