Simplify authentication: Social, SMS, and passkeys in web3

Simplifying authentication methods could be one of the most effective ways for decentralized applications to build trust and keep their users engaged. 

A recent survey of 8,000 consumers using traditional web2 style apps and websites found that 75% of respondents wanted changes to how they log in, and 54% said they stopped using an account or service online because they were frustrated with the log in process. 

Web3 applications typically add an even greater hurdle to authentication by requiring wallet setup processes that rely on seed phrases and complex verification flows. All of this can intimidate new users and result in a higher than average churn rate. 

Familiar and easier authentication methods such as social logins, SMS, and passkeys help replace these cumbersome setups with an intuitive onboarding experience that feels simple, trusted, and accessible.

With Turnkey, these authentication methods operate within the same security model that powers all our non-custodial wallets. Users log in with a way they’re familiar with and developers gain verifiable key generation, policy enforcement, and complete transparency at every step.

This article explores the authentication options available to developers building with Turnkey and details how each one of them can deliver a more seamless and secure user experience.

What authentication means in web3

Authentication is how an application confirms who someone is. In web3, that has historically meant proving control of a private key. 

Though elegant from a cryptographic standpoint this tends to be clunky in practice. Wallet extensions interrupt the flow, users must safeguard seed phrases, and lost devices can mean permanent loss of access.

Familiar or more easy to understand authentication methods like social logins, SMS codes, or passkeys improve this experience by separating who you are from how your key operates.

With Turnkey, these authentication methods can authorize access to a secure environment where keys already exist. This environment never exposes private material, it simply performs cryptographic operations on behalf of authenticated users.

Not only do these authentication methods verify identity, they also grant permission for the keys associated with this identity to be used according to developer-defined policies. Those policies can include rate limits, address restrictions, or multi-approver rules, ensuring every operation is both intentional and verifiable.

It’s these policies that protect against account compromise that could result in unauthorized transactions. Even if an attacker gains access to a user’s login method, they can’t extract private keys or bypass policy enforcement. Every signing request still passes through Turnkey’s policy engine, which validates that the request complies with the organization’s security rules before it’s approved or executed.

This separation of authentication and key control is what makes Turnkey’s model so resilient. Users get a login experience that feels as natural as signing into an app they already use, while every key action remains protected, auditable, and verifiable inside Turnkey’s highly secured environment.

Why bring web2-style methods into web3

Modern Web3 applications are not just competing for users, they are competing for attention. Every additional step in an onboarding flow increases the risk of losing a potential customer. Authentication is often the first point of friction, and it determines whether someone continues with an app or leaves.

Web2-style methods like social logins, SMS codes, and passkeys help reduce that friction by meeting users where they already are. They feel familiar and intuitive. 

Here’s why these methods matter:

• Familiarity drives comfort. Users are more likely to engage when the process looks and feels like something they already know, such as signing in with Google or verifying with a code sent to their phone.
  
  
• Lower friction means higher conversion. Removing pop-ups, seed phrases, and browser extensions makes onboarding faster and more predictable.
  
  
• Confidence grows with recovery options. When users know they can recover access through an email or new device, they are less afraid to experiment and more likely to stay engaged.
  
  
• Developers gain consistency. A unified authentication model allows teams to support multiple sign-in types without rebuilding wallet logic each time.

Turnkey brings these advantages together by verifying every authentication event inside a Trusted Execution Environment (TEE), a secure, isolated environment that protects sensitive operations from external access. Regardless of the authentication method – social, SMS, or passkey – each login is verified, encrypted, and policy-enforced before access is granted.

This approach allows developers to design onboarding that feels seamless and secure. Users experience the ease of web2 with the integrity of web3, while developers keep full control of how keys are created, verified, and used inside Turnkey’s TEE-backed infrastructure.

Choosing between Auth Proxy and Backend Authentication

Before diving into specific authentication methods, it helps to understand the two main ways developers can integrate Turnkey authentication into their applications: Auth Proxy or Backend Authentication. Both lead to the same result, secure verifiable sessions, but differ in how credentials are handled and where validation occurs.

Auth Proxy: managed authentication and session issuance

Auth Proxy is Turnkey’s managed authentication layer. It lets developers bring familiar login methods (SMS, OAuth, passkeys) into their applications without handling sensitive credentials or implementing identity logic themselves.

When a user signs in through any supported method, the Auth Proxy receives that verified credential and then securely validates the credential inside a Trusted Execution Environment (TEE). After doing this, it then creates a Turnkey session token which grants access to the enclave-backed wallets and policy engine associated with the authenticated user or organization.

Because all validation happens inside this trusted environment, your application never touches private tokens or keys directly. This removes a major source of risk and makes it possible to offer modern authentication without compromising security.

For developers, the Auth Proxy simplifies integration by handling:

• Token validation and exchange: Securely turning verified credentials into Turnkey session tokens.
  
  
• Policy binding: Enforcing rate limits, address restrictions, or multi-approver rules automatically.
  
  
• Session management: Ensuring that authenticated sessions expire safely and cannot be reused.

In practice, the Auth Proxy acts as the glue between web2-style sign-in and Turnkey’s TEE-backed wallet control. It’s one way Turnkey allows developers to turn a “Sign in with Google” or “Verify by SMS” action into a secure, verifiable, non-custodial wallet experience, all without adding complexity to your codebase.

Backend Authentication: full control over token handling

Backend Authentication setup gives you direct control over how sessions are issued, validated, and used in your infrastructure. In this model, your backend calls Turnkey APIs to create and verify session JWTs, manage users, and define access policies.

This approach is ideal for teams that want to co-sign requests, attach additional business logic, or integrate authentication more deeply into their existing backend systems.

The backend setup handles:

• Session JWT issuance and validation: Your backend creates and validates JWTs using Turnkey’s API.
  
  
• Custom access control: Apply organization-specific logic before allowing operations.
  
  
• Tight system integration: Combine wallet access with existing databases, dashboards, or internal services.

Use Backend Authentication when you want full visibility and control over how tokens are managed and when sessions are created.

Social logins

Social logins replace passwords with identity providers users already trust, such as Google, Apple, Discord, and others. Instead of creating new credentials, users authenticate through these providers, and Turnkey verifies the resulting token securely inside a TEE.

At their core, social logins extend the familiar “Sign in with Google” experience to web3 applications. Users can sign in with a provider they already use, and a wallet is automatically created and linked behind the scenes.

Turnkey supports both OpenID Connect (OIDC) and OAuth-only providers:

• OIDC providers such as Google, Apple, Auth0, or AWS Cognito issue verifiable ID tokens that Turnkey uses to authenticate and create or recognize a user’s wallet.
  
  
• OAuth-only providers like Twitter (X) and Discord do not issue OIDC tokens, so Turnkey automatically wraps their authentication flows into OIDC-compatible tokens for you.

This means developers can integrate nearly any major social provider into their application with minimal setup. 

The result is an authentication flow that feels completely natural to the user — a single click to sign in, while ensuring the wallet creation process is verifiable, non-custodial, and protected by Turnkey’s TEE-backed infrastructure.

For developers, Turnkey handles the most complex parts of social authentication, including token validation, nonce verification, and secure session management. This setup ensures that the application never touches sensitive credentials directly.

Social logins make onboarding fast and familiar, bridging the gap between web2 convenience and web3 control, seamlessly providing your users with secure, verifiable web3 wallets, with no extensions, no pop-ups, and no seed phrases required.

SMS authentication

For mobile-first users, SMS authentication offers one of the simplest and most familiar entry points. A one-time password (OTP) is sent to a verified phone number, and the user enters that code to authenticate and continue. The experience feels natural and lightweight because it builds on a process most users already know and trust.

Each request is signed, time-bound, and policy-enforced, ensuring that authentication can only succeed within a short validity window and under strict developer-defined rules.

Turnkey’s implementation also supports rate limiting and anti-replay protections, preventing repeated or automated attempts from reusing an expired OTP. The enclave performs these checks internally, so sensitive information like phone numbers and tokens never leave the secure environment.

In markets where SMS verification is already standard, this method provides an ideal bridge into web3. It allows developers to onboard users quickly without requiring browser extensions or new cryptographic tools. For many people, SMS is the first step toward decentralized applications and it allows for a familiar mobile experience that gradually introduces cryptographic security in the background.

SMS authentication also integrates seamlessly with other methods such as email recovery and passkeys, giving teams a flexible, multi-channel approach to onboarding. Whether used as a standalone method or part of a broader authentication flow, every SMS-based verification inside Turnkey routes through the same enclave-backed infrastructure, keeping wallet operations secure, policy-controlled, and fully auditable.

The result is a smooth, mobile-friendly onboarding experience that meets users where they are while preserving the verifiable security Web3 demands.

Passkeys

Passkeys represent the next generation of passwordless authentication. Instead of relying on passwords or recovery phrases, passkeys use public–private key pairs that are stored securely on a user’s device. When a user signs in, the device uses its passkey to cryptographically prove their identity without ever exposing the private key itself.

Each authentication event is validated against the user’s registered passkey, ensuring that the request originates from an attested device. This means even if a phishing site or malicious actor tries to mimic your application, the passkey cannot be used outside its intended context.

Passkeys are built on open standards like WebAuthn and FIDO2, making them compatible with major platforms including iOS, Android, Windows, and macOS. They also support native biometrics such as Face ID, Touch ID, and Android’s device unlock, giving users a familiar way to access Web3 applications without entering a password or managing a seed phrase.

Turnkey supports multiple passkey registration and authentication flows, giving developers flexibility in how they integrate:

• Device-bound passkeys use secure hardware (such as a phone or laptop) to store and use credentials locally.
  
  
• Synced passkeys leverage cloud-based keychains like Apple iCloud or Google Password Manager, allowing credentials to follow the user across devices.
  
  
• Hybrid authentication can combine passkeys with social or SMS login methods for added accessibility and fallback recovery.

In each case, the user’s passkey is cryptographically linked to their Turnkey-managed wallet inside the TEE. This ensures that authentication and key control remain separate, the user authenticates locally, while Turnkey securely authorizes operations based on the policy-defined rules of your application.

For users, this feels as seamless as unlocking their phone. For developers, it’s an authentication system that combines phishing resistance, TEE protection, and native UX simplicity, all with no passwords, no extensions, and no seed phrases.

Passkeys redefine how users experience security in web3. They remove the weakest link in authentication, human error, and replace it with hardware-backed trust, embedded directly into the devices people already use every day.

Authentication and recovery

Even the most secure systems need a fallback, and that’s where recovery flows come in. Losing access to a device or passkey should never mean losing access to a wallet. Turnkey’s recovery flows provide a trusted, verifiable way for users to regain control without exposing private material.

Turnkey supports multiple recovery methods. Depending on your configuration, users can recover through email, SMS, passkeys, social logins (like Google or Apple), or even external wallets such as Ethereum or Solana. Each recovery method is verified inside a Trusted Execution Environment (TEE) to ensure privacy and authenticity.

When a user initiates recovery, Turnkey sends a verified challenge link to their selected method. Once confirmed, the user can securely re-register a new passkey or authentication method.

Turnkey also allows developers to configure policies that govern recovery, for example, limiting recovery frequency, enforcing multi-approver confirmation, or linking recovery to specific organizational workflows. These controls give teams flexibility while preserving strong guarantees around identity verification.

This approach transforms account recovery, one of web3’s hardest problems, into a process that feels human and predictable. By blending cryptographic assurance with flexible recovery options, users can regain access confidently, while developers maintain the same verifiable security model that powers every other Turnkey authentication method.

How Turnkey brings them all together

Turnkey unifies these modern authentication methods, social logins, SMS, passkeys, and recovery under one secure, verifiable framework. Each sign-in, whether through a Google account, an SMS code, or a device-stored passkey, routes through a Trusted Execution Environment (TEE) where identity is verified, policies are enforced, and a secure session token is issued.

Developers who don’t want to build their own backends, can use Turnkey’s Auth Proxy to embed these flows directly into their applications, while those who need more control can integrate through Backend Authentication to issue and validate session tokens themselves. 

All authentication events, from login to recovery, follow the same TEE-backed pattern: every credential is verified, every operation is policy-controlled, and every session is fully auditable.

The result is simple: web2 ease, web3 trust. Turnkey makes familiar authentication methods not just compatible with decentralized security, but stronger because of it.

Making web3 mainstream with authentication

As Web3 applications continue to mature, authentication will define the next wave of adoption. The next generation of users will not tolerate friction. They will expect the same seamless login experiences they see in web2 products.

Turnkey gives developers the infrastructure to make that possible: social simplicity, passkey security, SMS accessibility, and recovery when it is needed. This is all backed by verifiable enclaves that ensure every authentication event is secure, auditable, and policy-controlled.

With Turnkey, authentication is no longer just an entry point. It’s a trust layer that scales, bringing Web3 closer to the usability and reliability that mainstream users expect.

Get started with Turnkey. 

‍