Thoughts on Passkey wallets?

[OmegaStarScream]

I'd like to know what are your thoughts on the Passkey technology and the increasing amount of wallets (JoyID, Trustwallet, and couple of days ago Coinbase wallet) that are starting to support this.

For those who are not familiar with this (and based on the reading I have done, correct me if I'm wrong):

- You basically can create or restore your wallet using your PIN, or biometrics, and without the need of a seedphrase.
- Passkeys are stored in your iCloud or Google drive and are unique to each service. Just because you used the same fingerprint for both Trustwallet and Coinbase, doesn't mean that the passkey is the same.
- Passkeys are end-to-end encrypted.

I have also noticed that some exchanges such as OKX and Binance are using this instead of requesting a combination of both 2FA code and email.

I'd like to hear your thoughts on this?

[Charles-Tim]

Passkey makes it convenient but not as safe as seed phrase. Just as you have seen on Trustwallet to backup your seed phrase using iCloud or Google cloud which we have heard of people that lost their coins because of that. Now it is Swift beta on Trustwallet which makes use of passkey which is also about online backup using your face ID or your fingerprint on your device to spend your coins.

Face ID or fingerprint is not recommended for spending your coins. If you unlock your device with fingerprint and also unlocking your wallet on the device with fingerprint, that makes the wallet to be less secure. It can make physical attack to easily be successful in relation to wallet compromisation.

It has security risks. It should be avoided.

On exchanges, I do not think it has online backup. Your username, password and the 2FA OTP can be used to have access to your exchange account if you want to use another device. But it also has security risks. I prefer 2FA OTP, while the 2FA is on another device.

[BitMaxz]

Okx and Binance seem they added this passkey it said that it would be easier to access without a password if I use Passkey but I am ok with 2FA through SMS and email I feel it is way safer.
I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.

For me, I'm ok with only 2FA or the easier one is to access Binance or OKX on the web browser through your phone by scanning a QR code.

[Charles-Tim]

I don't feel safe having a passkey it might be worth it if you have a hardware device like Fido but still not good for the long term because we do not know how long this device will work lasts.

The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.

[BitMaxz]

The passkey can be confusing if some people are thinking that it is hardware but it is not. The passkey will let you have access to the wallet or the exchange using your face ID or the fingerprint that you set on your device which is totally a bad idea.

Passkeys are any biometrics, SMS, or email but there is an option to use a USB security key with FIDO2 protocol as your passkey or authenticator it is a hardware device like on OKX it is just optional if you have this USB security key you can use it as your hardware key. It's still not a good option if someone poses about this USB device because it is a direct authenticator once you log in to OKX but can be also used as a backup once you can't log in to your account with your password. That is why you need to securely hide this device in a protected place and no one should know that you have a USB security key.

Read about the Passkey on OKX USB security key is a hardware(as optional passkey)
- https://www.okx.com/help/how-do-i-create-passkeys-app

[FinneysTrueVision]

I am worried that with passkey wallets, I will end up losing or breaking the device where the passkey is stored. You could have it backed up in the cloud, but then you are relying on a third party. If someone has their iPhone stolen and the thief resets their iCloud password, they could end up without any way to restore their wallet. There are too many scenarios that I am imagining where I could possibly lose access to my funds, based on my understanding of passkeys.

If it is proven to be a secure method for backing up a wallet then I might give it a try, but for the time being I will keep using traditional seedphrases.

[Z-tight]

It is not recommended, and i don't think good wallets should make such a feature available, just as people should also be dissuaded from ever storing sensitive data related to their wallets in the cloud or anywhere online. Most people tend to go for the more convenient option, and passkeys would be convenient, but it is not secure. You should only be able to restore your wallet with your seed phrase, and your wallet file should be encrypted with your strong password.

[Wind_FURY]

I'd like to hear your thoughts on this?

It's convenient especially if you are active/making multiple transactions a day from a particular wallet. But perhaps the storage using ICloud or any online service should be discouraged, no? I'm not actually sure how it works, but I don't feel safe storing any "key" in any cloud service. Store it locally in another device, and merely use small amounts of cryptocurrencies if you store them in that walle for a long time.

[LoyceV]

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

[NotATether]

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.

[LoyceV]

To be clear, the PIN is not intended to be the main authentication option for unlocking something protected by a passkey, but it is usually only used after you already log in with a username or password, mainly for inactivity purposes.

It's like, imagine your phone has a password (not PIN) you had to type to "log in" to the phone. Now imagine a logout button, and a PIN, but you only type it when you are logged in, and only after the phone becomes inactive and locks.

The big difference is of course physical access: my phone is right beside me, nobody can access it. Online wallets need a lot more security than physical devices.

[Wind_FURY]

- You basically can create or restore your wallet using your PIN ~
- Passkeys are stored in your iCloud or Google drive

This sounds like a great way for attackers to gain access to your wallets, including inside jobs at the cloud provider.

Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies. Perhaps a good rule of thumb to have in crypto is, if the UX is made to be more convenient to the user, then expect a higher number of attack vectors?

¯\_(ツ)_/¯

[LoyceV]

probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.

In that case, I prefer a hot wallet on my phone.

[Z-tight]

Yeah, it's an attack vector, but probably a trade-off of a different security-model that's good enough to be accepted for small amounts of Bitcoin/cryptocurrencies.

With the features mentioned in the op, i wouldn't use a passkey wallet, even if it is to store a small amount of money. I'd rather use a recommended online wallet, and store a small amount of my BTC in it, that's a safer choice in my opinion, even for a hot wallet.

[DaveF]

As with anything it depends on it's use.
For a hot wallet with minimal funds or as I like to say, never keep more crypto on your phone then your phone is worth. Then yes I think they are fine.
For a 'warm' wallet or cold wallet, then probably not. As the 2nd 1/2 of a multisig I might use it to make some things easier but for the most part too insecure for me.

-Dave

[mk4]

Very good wallet setup for a hot wallet, in my opinion, so there's one less annoying handwritten physical wallet backup that I need to worry about.

For my general long-term holdings though? No way I would trust this setup unless I use it as a part of a multi-sig setup(still with a hardware wallet).

[Saint-loup]

Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device? You must be 100% sure about that and sure that the service/wallet using this technology is able to do it without any issue especially. Because if they don't, it would be too late to discover it once you've lost your device/passkey for some reasons. So it's better to test it with an account/wallet without funds IMO

[Findingnemo]

Are you sure passkeys are really stored in the cloud? That is to say, if you lose your device and you haven't registered another passkey from another device for the service you want to access, there is still a way to access it ? You will be able to get back your passkey wallet on another device?

AFAIK, passkeys are stored in the cloud after the encryption there is no way that someone can decrypt it even if they have accessed the file by hacking the server or your cloud account still you need the biometrics such as PIN, password to decrypt once you logged into the new device. And that is the whole point of this being convenience which is less secure than the traditional way of strong seeds but you know people always prioritize convenience over security.