Self-Custody & Compliance

Passkeys enable true self-custody of crypto assets, which has significant implications for regulatory compliance.

Self-Custody Tests

1auth's architecture passes the key tests that distinguish a self-custodial wallet from a custodial service:

Test	1auth
Provider cannot access private keys	Keys are generated and stored exclusively in user device hardware (Secure Enclave, TPM). 1auth never sees key material.
Provider cannot sign transactions	All signing happens on-device via WebAuthn. 1auth has no technical ability to produce valid signatures.
Provider cannot censor or block users	1auth cannot prevent a user from signing or submitting transactions. Users can also interact with their smart account directly onchain.
Provider cannot freeze or seize funds	Assets are held in user-owned smart contract accounts. 1auth has no admin keys or backdoors.
User can recover access independently	Passkeys sync across devices via platform providers (iCloud Keychain, Google Password Manager). Users can also add backup passkeys or recovery modules to their smart account.

Test	1auth
The "Reconstruction" Test: Provider cannot access or reconstruct the private keys	Keys are generated and stored exclusively in user device hardware (Secure Enclave, TPM). 1auth never sees the key material.
The "Seizure" Test: Provider cannot sign transactions or withdraw funds	All signing happens on-device via WebAuthn. 1auth has no technical ability to produce valid signatures.
The "Censorship" Test: Provider cannot block users	1auth cannot prevent a user from signing or submitting transactions. Users can also interact with their smart account directly onchain.
The "Independency" Test: User can recover access independently	Passkeys sync across devices via platform providers (iCloud Keychain, Google Password Manager). 1auth also provides a recovery module with a recovery path that is independent of 1auth systems.

A common concern with any wallet provider: what happens if the service shuts down?

Passkeys are synced by platform providers - iCloud Keychain, Google Password Manager, and password managers like 1Password store and sync passkeys independently of 1auth.
Smart accounts are onchain - User accounts exist as smart contracts on public blockchains. They continue to function regardless of whether 1auth's service is running.
Direct onchain interaction - Users can interact with their smart account directly through any EVM-compatible tool (e.g., Etherscan, Cast) using their passkey-derived signature.
Module-based recovery - Users can install recovery modules (social recovery, backup keys) on their smart account for additional portability.

This self-custodial design aligns with major regulatory frameworks:

European Union (MiCA)

Custody requires safekeeping crypto-assets or means of access (like private keys)
1auth doesn't hold assets or keys—users retain exclusive control
Meets requirements for non-custodial service classification

United States (SEC/FinCEN)

Guidance distinguishes "hosted" (custodial) from "unhosted" (non-custodial) wallets
Unhosted wallets: users independently control keys and transact directly
1auth's architecture aligns with unhosted wallet classification

Stakeholder	Benefit
Developers	Reduced compliance burden when adding crypto functionality to your app
Users	Full ownership of assets with no third-party risk
Enterprises	Architecture compatible with self-custodial positioning in regulated markets

	Seed Phrases	Browser Extensions	Custodial	MPC	TEE (server)	Passkeys (1auth)
Key on User Device	Yes	Yes	No	No	No	Yes
Hardware-Protected	No	No	No	Depends	Depends	Yes
Self-Custody	Yes	Yes	No	No	No	Yes
Provider Can't Sign	Yes	Yes	No	No	No	Yes
Provider Can't Censor	Yes	Yes	No	Depends	No	Yes
Recoverable	No	No	Yes	Yes	Yes	Yes
Great UX	No	No	Yes	Yes	Yes	Yes