Simplifying Web3 Authentication: How passkeys work onchain with Coinbase Smart Wallet

The challenges and risks associated with managing private keys have long hindered user adoption and security within the web3 ecosystem. The current methods of securing and authenticating wallets, which solely rely on private keys, present a daunting and often overwhelming experience for new onchain consumers. This high barrier to entry makes it difficult to attract and retain new users, as the initial step of setting up a wallet before you can even interact onchain becomes a significant hurdle.

ERC-4337 compliant smart wallets simplify going onchain for users by abstracting away the complexities of most wallet processes. By leveraging the programmability within its smart contract, a smart wallet can eliminate the need for cumbersome seed phrases, offering more user-friendly and intuitive approaches to wallet management.

The most secure of these methods is the use of passkeys for authentication and recovery. This blog will explore the integration of passkeys with smart wallets, how it all works onchain, and their potential to drive growth and accessibility within the web3 space.

Reimagining Onchain Security and Authentication

Seed phrases, while fundamental to crypto and web3 as we know it today, have numerous vulnerabilities. Users often struggle to keep their seed phrases safe, and losing it can mean permanently losing access to all funds.

Using passkeys offer a more secure and user-friendly alternative for authentication and account recovery. In Web2, passkeys are device-bound cryptographic keys used for secure account creation and authentication, allowing users to authenticate with methods such as biometrics (fingerprints or facial recognition), hardware security keys, or device-based PINs instead of traditional passwords.

In web3, passkeys can be used to create and authentication Smart wallets. The underlying mechanics still involve private keys, but the user's interaction with them is abstracted away. The wallet’s private key is securely stored on the user's device (either in a secure enclave or trusted platform module) and is not exposed to the user.

When the user wants to perform a transaction, the passkey mechanism unlocks the private key stored on the device and signs the transaction.

Benefits of Using Passkeys in Web3

Passkeys for wallet creation and authentication offer multiple benefits that enhance onchain security and user experience through:

Protection Against Phishing Attacks: Passkeys are tied to specific websites and apps, ensuring they cannot be used on deceptive sites. This browser-level verification prevents users from being tricked into popular phishing scams that often result in victims giving up their seed phrases and losing everything.
Enhanced Cryptographic Security: Passkeys use advanced cryptographic methods to secure user authentication, far surpassing the security provided by other traditional webAuth methods Smart Wallets enable, like passwords or SSO. By leveraging public-key cryptography, passkeys ensure that private keys never leave the user's device, whereas SSO systems can still be vulnerable to compromise if users are tricked into entering their credentials on fake login pages.
Resistance to Data Breaches: Passkeys do not reside on central servers, mitigating the risk of large-scale data breaches. The LastPass breach and the subsequent private key compromises that resulted from users storing their seed phrase directly into the password manager underscore the need for simple, secure solutions.
Secure Account Recovery: Passkeys simplify account recovery. Even if a user loses their device, recovering access is more straightforward and secure compared to recovering a lost seed phrase.

The simplicity and security of passkeys make them ideal for web3 environments. By reducing the friction of securing and managing seed phrases, Smart Wallets with passkeys are making it easier for web2 natives to start using onchain products and services. And the easier it is for people to use your platform, the better your user adoption and retention.

Passkeys in Action: Coinbase Smart Wallet

Coinbase is at the forefront of integrating passkey technology into their smart wallet solution. By leveraging passkeys, Coinbase Smart Wallets have streamlined the onboarding process for Smart Wallet users. Here’s how it works::

Sign-Up Process: Upon creating a Smart Wallet, the user will be prompted to create a passkey from one of several options, such as biometrics, security keys, or their browser profile. Passkeys are generated and stored securely on users' devices and are never seen by Coinbase or your onchain platform. If the user has a password manager like Apple Keychain or Google Password Manager, their passkeys will also be backed up and synced across devices.
Smart Contract Deployment: Coinbase then deploys a smart contract that hardcodes the passkey's public key as the authorized key for transactions initiated by the Smart Wallet. This Smart Contract is the Smart Wallet.
Transaction Initiation: When the user interacts with an onchain platform, the platform will create the transaction and prompt the user to authenticate their passkey with whatever method they used when they created their Smart Wallet, such as their fingerprint for biometrics.
Decryption: The biometric data then decrypts the passkey public key (either directly from the device or from the user’s password manager).
Message Signing: The decrypted passkey signs the proposed transaction (Note: a Smart Wallet transaction is a ERC-4337 compliant UserOperation and not a traditional EOA transaction).
Transaction Validation: The UserOperation is then sent to an “alt-mempool” where a bundler [link to 4337 blog] will eventually package it with other UserOperations and submit them all as a single (bundled) EOA transaction to the EntryPoint contract—a singleton contract that acts as a relayer by forwarding UserOperations to the corresponding smart wallet contracts for validation and execution.
Signature Verification: The Smart Wallet smart contract will then unwrap the signature data and verify it against the authorized signing public key created by the passkey.
Transaction Execution: Upon successful validation and verification, the Smart Wallet smart contract will execute the transaction based on the provided UserOperation calldata.

Mitigating Lost or Inaccessible Passkeys

Passkeys are stored on the user’s device, meaning that access to services is tied to that specific device only. For Coinbase Smart Wallets, the user is the sole owner of the smart contract wallet and neither Coinbase nor your onchain platform ever have access to the account’s funds or private key.

If the device is lost or damaged, recovery can be challenging, although mechanisms exist to mitigate this risk. For example, if a passkey was set up with biometrics on an iPhone, recovery is done through iCloud if the user loses their phone. As long as the user doesn't wipe its passkey from their password manager backup, they should be able to access it.

Additionally, because Passkeys are tied to specific websites and apps—in the case of Coinbase Smart Wallets this is https://keys.coinbase.com/—as the relying party in this scenario, if this site was ever to go down then users would be unable to authenticate their passkey and access their Smart Wallet. To mitigate this risk, Coinbase will soon introduce the ability to add a "recovery signer" to their Smart Wallet that users can self custody and use to transact in the event they lose their passkey or their site is down.

Embracing Passkeys for Your Onchain Platform

Current non-custodial wallets cause unnecessary friction for new onchain users. ERC-4337 allows developers to address this friction with new, programmable authentication and recovery methods. By supporting Smart Wallets, developers can ensure their onboarding process is user-friendly, and ready for the future of web3.

Additional Resources

For further information and support, check out the following resources: