Passkeys, passwords, and seed phrases: What's the difference?

February 4, 2025

Modern sign-in UX is broken. This goes for both traditional sign-in methods like passwords, which can be easily phished or hacked, and seed phrases for crypto wallets, which encounter similar issues.

In this post we'll explore an alternative: Passkeys.

What are passkeys? The path forward for crypto UX

Passkeys are an authentication method that uses device biometrics or a hardware key (like a Yubikey) for users to log in to websites and applications.

Instead of typing in an email and password, users can scan their fingerprint, use their Face ID, or use a hardware key on their device. Behind the scenes, a cryptographic keypair is generated on the user's device. These keypairs are typically created and stored in a secure or isolated environment, such as Apple's Secure Enclave or Android's Titan M2 chip.

A cryptographic keypair consists of a private key and a public key. When you sign up to a website, it will store your public key, and when you log in, it will send a “challenge” to your device. Your device, likely using your biometrics (or hardware key) for approval, will sign the challenge with the corresponding private key.

A separate keypair is generated for each website or application you use.

Apple and Google are some of the big names already pushing for passkeys because of their advantages over traditional authentication methods. Let's take a deeper dive into how passkeys bring benefits for both security and UX.

The security benefits of passkeys

Passwords, unlike passkeys, are highly vulnerable to phishing. Phishing is a technique used by attackers to trick users into handing over their sign-in details, such as with fake domain names or social engineering. This is even worse if a user has re-used a password, as it means their details are now compromised across other websites, too. 

Passkeys, on the other hand, are virtually un-phishable; attackers would have to intercept a signature sent to a website, and it’s much more difficult to gain access to the user's private key over the internet. 

Passkeys are also better for companies, as data breaches would only expose a user’s public keys. Compared to exposed emails and hashed/salted passwords, this adds an extra layer of security — though it isn't always foolproof.

These benefits also apply to crypto. Centralized exchanges such as Coinbase have passkey support in combination with other backup methods, meaning you no longer need to log in with an email and password.

Crypto applications, such as Azura, Moonshot, or Infinex, can use embedded wallet providers like Turnkey to integrate passkeys and onboard users without seed phrases or manual transaction signing.

There are always extra security measures that can be added to the traditional authentication methods mentioned, such as two-factor authentication (2FA), magic links, and one-time password (OTP) codes. Passkeys are simply an alternative to these methods, and are better suited for reducing friction to improve the user experience.

How passkeys can improve UX

Outside of security, apps can also directly benefit from the UX upgrades that passkeys bring.

The login experience of entering your email and password, logging into your email, copying the 6-digit code, and pasting it into the website can easily be transformed into a one-step process: scanning your Face ID with passkey login.

UX considerations are also especially important for crypto. Wallet and private key management often hinders the user experience, and remains a largely unsolved problem.  

There is still a nagging question for developers and applications: How do we make wallets easier to use, without sacrificing security?

The current methods of interacting with anything onchain leave a lot to be desired: users are required to pre-install some kind of wallet, sign every transaction manually, and perhaps even install separate wallets for separate chains.

Users coming to crypto from Web2 aren't familiar with 12-word seed phrases, and even seasoned crypto veterans aren't fans of signing multiple, cryptic transaction popups.

The user has to secure their own seed phrase, too, and if that gets exposed or compromised, they are at high risk of losing most or all of their funds.

All of this introduces friction for the people actually trying to use crypto apps, especially for newcomers. This is where passkeys, in combination with solutions like embedded wallets, can play a part in making crypto apps better, without necessarily compromising on security.

Passkeys and Embedded Wallets with Turnkey

Passkeys are already being used as the authentication method for custodial wallets and centralized exchanges.

But they are also being used in crypto-native applications such as Moonshot, which make onboarding and trading crypto super simple for non-crypto natives. These applications utilize the wallet infrastructure primitives we’ve built at Turnkey, which offer incredibly flexible solutions for using passkeys in crypto applications. 

With Turnkey's embedded wallets, you can generate millions of wallets for users and set up corresponding passkeys for login. Better yet, you can choose whether these wallets are custodial or non-custodial, allow users to export their seed phrases, or even offer an email recovery method if they lose their device. The security model is up to each developer, who decides what is and is not possible in their application.

We've also invested heavily in our underlying security infrastructure so that you can ensure that every time a user signs a transaction with their private keys, those keys are at a lower risk of being compromised. To do so, Turnkey has a highly paranoid security model in which private key generation, storage, and access take place in AWS Nitro Enclaves (a type of TEE), and no raw private keys are ever exposed to the Turnkey team.

If you'd like to learn more, we have a primer on passkeys here, and information on how you can build embedded wallets here.

We believe that passkeys are the future of authentication, which is why we use them at Turnkey. If you have any questions about building, feel free to contact us here, or via our Slack.