So it's a random key; I think the nuance you are trying to make is that the key is created and kept in the secure element.

My follow-up to that would be this:

AFAIK, you cannot do SECP256K1 on these secure elements. So how do you secure the key and use it?

AFAIK, usually you create a key in the secure element, then create another key, encrypt it with the first key and then save it to a file.

This way you can decrypt the file and load the key into memory during use, but the decryption key never leaves the secure element.

I think.
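The two-key workflow described above (a wrapping key that never leaves the secure element, plus a secp256k1 key that is encrypted with it and stored as a file), as an added example that is not part of the thread. The `SecureElement` class is a software stand-in for real hardware: its wrapping key lives only inside the object and is exposed through `wrap`/`unwrap`. The cipher is a stdlib-only substitute (HMAC-SHA256 keystream plus a separate HMAC tag, encrypt-then-MAC) for whatever authenticated cipher a real element offers, and the secp256k1 key is represented by its 32-byte private scalar only, with no curve arithmetic.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Toy model of a secure element: exposes wrap/unwrap, never the key.

    Stand-in cipher: HMAC-SHA256 keystream in counter mode, with a separate
    HMAC-SHA256 tag over nonce||ciphertext (encrypt-then-MAC). A real
    element would use AES-GCM or similar; this keeps the example stdlib-only.
    """

    def __init__(self):
        # Constructed root secret; in hardware this is generated on-chip.
        self._root = secrets.token_bytes(32)
        self._enc_key = hmac.new(self._root, b"wrap-enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(self._root, b"wrap-mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def wrap(self, plaintext: bytes) -> bytes:
        """Return nonce || ciphertext || tag; safe to write to disk."""
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unwrap(self, blob: bytes) -> bytes:
        """Verify the tag first, then decrypt; raises on any tampering."""
        if len(blob) < 16 + 32:
            raise ValueError("wrapped blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrapped key failed integrity check")
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


# Group order n of secp256k1; a private scalar must lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def generate_secp256k1_scalar() -> bytes:
    """32-byte private scalar as a secp256k1 library would load it."""
    while True:
        d = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= d < SECP256K1_N:
            return d.to_bytes(32, "big")


def provision(se: SecureElement) -> bytes:
    """Create the signing key and return only its wrapped form for storage."""
    return se.wrap(generate_secp256k1_scalar())


def load_for_use(se: SecureElement, stored_blob: bytes) -> bytes:
    """Decrypt the stored key into memory; the wrapping key stays in the SE."""
    return se.unwrap(stored_blob)


def roundtrip_ok() -> bool:
    se = SecureElement()
    scalar = generate_secp256k1_scalar()
    return load_for_use(se, se.wrap(scalar)) == scalar


def tamper_detected() -> bool:
    """Flipping one ciphertext bit must be rejected, not silently decrypted."""
    se = SecureElement()
    blob = bytearray(provision(se))
    blob[20] ^= 0x01
    try:
        se.unwrap(bytes(blob))
    except ValueError:
        return True
    return False


def other_element_cannot_unwrap() -> bool:
    """A blob wrapped by one element is useless to a different element."""
    blob = provision(SecureElement())
    try:
        SecureElement().unwrap(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok(), "tamper:", tamper_detected(),
          "cross-element:", other_element_cannot_unwrap())
```

The blob returned by `provision` is what gets written to the file; the application only ever holds the unwrapped scalar in memory while it needs it, and any attacker who copies the file without access to that specific element's wrapping key gets nothing they can verify or decrypt.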


Discussion

My implementation is really basic. I use the passkey's signature as input to HKDF. Not an expert, maybe it's a really bad idea?

The workflow you described with 2 keys looks great, but I'm not sure how it can be deterministic?