Understanding Passkeys


Passkeys are the credentials used for the WebAuthn API. WebAuthn is a web standard built by the W3C to tackle the growing security threat caused by password-based authentication. Unlike passwords, passkeys are based on asymmetric key cryptography. This means private key material is never sent to or stored by service providers, which removes major threat vectors such as credential stuffing and phishing attacks.

Why passwordless authentication matters

According to industry statistics, 77% of hacking breaches involve stolen credentials. By introducing a 100% passwordless environment, we not only increase the security for our customers but also significantly decrease authentication times for a better user experience.

Where are the private keys stored?

This depends on which authenticator you use. For hardware-based authenticators such as a YubiKey or an Apple device, the keys are stored in the device's secure hardware (a secure element or secure enclave). For software-based authenticators such as password managers like Dashlane, 1Password, or Bitwarden, the keys are stored end-to-end encrypted and synced across your devices.

In all cases, private key material never leaves the authenticator and Stackup only stores a reference to the public key for authentication.

Which authenticator should I use?

Stackup supports any authenticator that is compliant with the WebAuthn API. For maximum security and convenience, we recommend using a hardware-based authenticator like a YubiKey, or a password manager that can securely sync credentials across multiple devices. This ensures smooth access to the Stackup platform and your smart account without being locked into a single device.

How we use passkeys at Stackup

Stackup uses passkeys to authenticate at both the web platform and the smart contract layer. During account creation, you will be prompted by your chosen authenticator to create a new passkey. This passkey is subsequently used to log in and sign transactions on the dashboard. To prevent phishing attacks, every compliant authenticator checks that each signature request comes from the origin the passkey was registered with, in this case the Stackup web application.

Unlike MPC wallets, passkey signatures are also verified natively onchain by cryptographically linking the public key to your smart account. Every transaction is signed by the passkey, and the signature is verified onchain using a P-256 verifier contract or precompile. This reduces the number of intermediaries for a transaction and keeps your account non-custodial.

Passkeys in three steps

Use the following three steps to ensure your organization is set up for secure authentication.

  1. Ensure you are using a modern browser that supports the WebAuthn API (like Chrome, Firefox, or Safari).

  2. Ensure you are using a compliant authenticator (like YubiKey, Dashlane, 1Password, or Bitwarden).

  3. Ensure your authenticator is synced or accessible on all your important devices for redundancy.

Once configured, your team can use passkeys to securely access organization wallets and sign transactions across all their trusted devices.