Just built Passkey39: a library that generates the same crypto private key every time you use your Face ID or Touch ID. No more seed phrases to lose, your biometric authentication becomes your deterministic wallet key through WebAuthn magic.

What do you think? I'm curious if it's a good or bad idea 🤔

👉 https://github.com/dolu89/passkey39

🎯 Live demo: https://passkey39.dolu.dev

(Not published to npm until it's safe to use)


Discussion

Sounds risky to me. I could just scan your face in public to rug you?

No, that's not how it works 😄 The private keys are generated using YOUR biometrics on YOUR specific device. You can't scan my face with your phone to access my wallet - the passkey is tied to my device's secure hardware, not just my face.

Does that mean that it can also be accessed via some backup pin also?

Is this really your fingerprint or just a random key generated and stored in the secure element?

If I delete and re-register my fingerprints with, say, my thumb, will it still work? Will it work with my finger or my thumb?

It's neither your actual fingerprint nor a random key - it's more complex. When you create a passkey, your device generates a random private key and stores it in the secure element. Your biometric (fingerprint/face) is just the unlock mechanism for that key, not the key itself.

⚠ So if you delete and re-register a new passkey, you will not be able to restore your old private key!

So it's a random key, I think the nuance you are trying to make is that the key is created and kept in the secure element.

My follow up to that would be this:

AFAIK, you cannot do SECP256K1 on these secure elements. So how do you secure the key and use it?

AFAIK, usually you create a key in the secure element, then create another key, encrypt it with the first key and then save it to a file.

This way you can decrypt the file and load the key into memory during use, but the decryption key never leaves the secure element.

I think.

My implementation is really basic. I use the passkey's signature as input to HKDF. Not an expert, maybe it's a really bad idea?

The workflow you described with 2 keys looks great, but I'm not sure how it can be deterministic?

And if the manufacturer of your phone collaborates with the attacker? Possible in theory or do they also not know the decision specifics?

Probably possible yes, I don't know.

I would use this library for an everyday wallet with <$100 on it, but not to generate my hardware wallet mnemonic, for example.

This looks amazing! I couldn't get the demo to work on Android Brave. It made the credential, but couldn't auth.

BTW couldn't resolve your ln address to zap you either.

I'm also having passkeys synchronization issues between desktop and mobile.

What ln address did you try to resolve for zaps?

Weird... Maybe nostr:nprofile1qy8hwumn8ghj7efwdehhxtnvdakqzrthwden5te0dehhxtnvdakqqgxa7qav4pdduqu7vapdt0hnmu6jmuve6rf3ug4esk88ak59evamhc37dgp0 could help on this?

Thanks for bringing this up! Seems to be an issue with the Lightning API. Investigating…

Passkeys don't work on my phone because I use CalyxOS with microG, I think.

That's so cool. Better use an additional passphrase on the face-enabled seed phrase in case of a $5 wrench attack.

Not a bad idea!

I'm not a cryptography expert, so if the implementation is flawed or the process isn't secure for reasons I'm unaware of, I'm open to feedback.


What if my device with passkey gets destroyed what is the recovery method without a seed phrase?

You should use a cloud-synced passkey provider. I know Apple and Google provide native cloud backup for passkeys, so you can use the same passkeys between your iPhone and Mac, for example.

But I'd prefer a strong password manager with passkey support, because Apple's passkeys won't work on your Windows/Linux computer...

Well, maybe it works by scanning the QR code shown on the desktop with your iPhone. Not sure about that 😅

Very cool, I was building something similar but now I can just use this. How do you handle recovery if the domain name you are using for the passkey goes away? Can I just spoof it locally? I'm not sure how that works.

That's currently the biggest problem with passkeys. A passkey is tied to a domain name. The only thing you can do is back up your mnemonic manually.

If the domain name changes to another one, here's a solution: https://otpless.com/docs/knowledge-base/passkey/relateddomain

I hope a better solution will appear in the near future.

Let's say this method is super safe. Then in theory I could create a private key with it, back it up in metal (to be safe), and then have a wallet on my phone that never has to store a key at all and instead could sign my transactions just in time with my biometrics? The perfect "hot" wallet?

I built this lib for this specific use case. I'm building a PWA hot wallet with Ark.

FYI, not working on GrapheneOS. I even allowed the JavaScript JIT permissions.

Biometrics can be hacked and can never be changed. These are NOT secure sign-on solutions. You can be unconscious or a corpse and your device can still be hacked. Like your Social Security Number, if/when your biometric data gets leaked to the dark web there's nothing you can do about it.

It's FAR more secure to simply use MFA that requires both something you know AND something you have. The something you have prevents online hacks and the something you know prevents physical hacking of your accounts.

This is great. I think this is better for people.

I am building an application that uniquely creates a "Nostr" private key (or wraps an existing key) with a passkey.

Demo: https://nosskey.app

https://github.com/ocknamo/nosskey-sdk

Neat