Why Passkeys – 1auth

Why Passkeys

Passkeys are the foundation of 1auth's security model. They provide a user-friendly alternative to passwords and seed phrases, while ensuring your users maintain full custody of their private keys.

What are Passkeys?

Passkeys are a modern authentication standard based on WebAuthn (FIDO2). Instead of remembering passwords or securing seed phrases, users authenticate with their device's built-in biometrics:

  • Face ID or Touch ID on Apple devices
  • Windows Hello on Windows devices
  • Fingerprint sensors on Android devices

Each passkey is bound to a specific domain and protected by the device's secure hardware. They cannot be reused on a different site, which makes credential theft through fake websites ineffective.

How Passkeys Work

Passkeys use public key cryptography:

  1. Registration: When a user creates an account, their device generates a key pair. The private key is stored in secure hardware (Secure Enclave, TPM), while the public key is sent to the server.

  2. Authentication: When signing in or signing a transaction, the server sends a challenge. The device signs this challenge with the private key after biometric verification.

  3. Verification: The server verifies the signature using the stored public key.

The critical point: the private key never leaves the device. The server only ever sees the public key and signed challenges.

┌─────────────────────────────────────────────────────────┐
│                    User's Device                        │
│                                                         │
│  ┌──────────────────┐      ┌─────────────────────────┐  │
│  │   Biometric      │      │    Secure Hardware      │  │
│  │   Verification   │─────▶│    (Secure Enclave)     │  │
│  │                  │      │                         │  │
│  │   Face ID        │      │   Private Key Stored    │  │
│  │   Touch ID       │      │   Signing Operations    │  │
│  └──────────────────┘      └───────────┬─────────────┘  │
│                                        │                │
└────────────────────────────────────────┼────────────────┘
                                         │ Signed Intent
                                         ▼
                              ┌─────────────────────┐
                              │      1auth Server   │
                              │                     │
                              │  Public Key Only    │
                              │  No Key Material    │
                              └─────────────────────┘

Benefits

For Users

  • Full self-custody - Private keys live in your device's secure hardware. No third party—including 1auth—can access or move your assets. Secure enough for anyone to use.
  • No passwords or seed phrases - Just use Face ID or Touch ID. Nothing to remember, write down, or lose.
  • Cross-platform sync - Passkeys sync across your devices via iCloud Keychain, Google Password Manager, or Windows Hello, so you're never locked to a single device.
  • Simple and familiar - The same biometric experience as unlocking your phone or making an Apple Pay purchase.

For Developers

  • Self-custody = regulatory hedge - Because users hold their own keys, your application can align with non-custodial wallet classifications. No custody license required.
  • Clean user onboarding - No wallet downloads, no seed phrase UX, no browser extension requirements. Users sign up with a single biometric prompt.
  • Fast conversion - Users are more likely to complete sign-up without password friction or extension install steps.
  • Cost-effective - No MPC infrastructure, no key management servers, no HSMs. Passkeys leverage existing device hardware at zero infrastructure cost.
  • Standard browser APIs - WebAuthn is supported in all modern browsers with no dependencies.

Passkey Support

Passkey support is effectively universal on modern hardware.

Platform       Passkey Support   Source
iOS / macOS    95%+              passkeys.dev
Android        95%+              passkeys.dev
Windows        ~75%              passkeys.dev

Password Manager Support

Major password managers also support passkey storage and sync, extending coverage beyond platform-native implementations:

Password Manager   Passkey Support
1Password          Full support (all platforms)
Dashlane           Full support (all platforms)
Bitwarden          Full support (all platforms)
Enpass             Full support (desktop + mobile)
NordPass           Full support (all platforms)

This means users can store and sync passkeys through their preferred password manager, independent of their device platform.

How 1auth Uses Passkeys

1auth leverages passkeys throughout the authentication and transaction flow:

  1. Account Creation - User registers a passkey, creating a smart account controlled by that passkey
  2. Authentication - Users authenticate with biometrics via WebAuthn
  3. Transaction Signing - EIP-712 typed data is signed using the passkey's private key
  4. Cross-Origin Security - The passkey provider runs in a secure iframe, isolating credentials from your application

This architecture ensures that even if your application is compromised, the user's private keys remain protected in their device's secure hardware.