In the realm of web3, the concept of account ownership is fundamentally anchored in the principles of cryptography. This cryptographic foundation necessitates the secure storage of a 12-word mnemonic phrase, a critical component that grants users access to their funds. The requirement to securely store and manage these 12 words presents a substantial barrier to users, especially those who are new to the web3 environment. It is in addressing this challenge that technologies like WebAuthn and passkeys become pivotal. These technologies aim to streamline user interaction with cryptographic systems, enhancing security while mitigating the complexities associated with managing cryptographic keys. In the subsequent sections, we will delve into the evolution of WebAuthn, explore the implications of passkeys, and examine how Secure Enclave and similar technologies are shaping user-friendly approaches to secure account management in web3.

WebAuthn: Paving the Way for a Passwordless Internet

As the adoption of the internet continues to surge, managing keys has emerged as a significant challenge, underscoring the industry's need for a more secure and user-friendly authentication mechanism. WebAuthn stands at the forefront of addressing this issue. It represents a groundbreaking standard aimed at reshaping the landscape of the internet by enabling passwordless authentication, a transformative approach to user access and security.

Developed by the FIDO Alliance and (W3C), WebAuthn was conceived to mitigate the vulnerabilities and hassles associated with password-based systems. It offers a robust framework that leverages public-key cryptography, scoped specifically to domains, to authenticate users. This eliminates the reliance on passwords, thereby preventing different attack vectors.

The inception of WebAuthn marks a pivotal moment in the evolution of internet security. It not only fortifies defenses against cyber threats but also enhances user experience by obviating the need to manage multiple unique passwords across various websites and applications. This revolutionary standard alleviates the common frustrations of forgotten passwords, account lockouts, and the subsequent password resets, paving the way for a smoother, more secure internet experience.

WebAuthn has been embraced by numerous major websites and services, including Google, Facebook, and Microsoft, and is supported by most major browsers like Chrome, Firefox, Edge, and Safari. Its widespread adoption and continuous development underscore its pivotal role in shaping a more secure and user-centric internet. At Clave, we are at the forefront of adapting WebAuthn and Secure Enclave to be ready for web3, ensuring that the innovations in security and user authentication are in alignment with the evolving landscape of decentralized technologies, bringing forth a seamless and secure experience in the web3 environment.

Passkeys: WebAuthn but on Apple Devices

Passkeys are a revolutionary technology, grounded in the WebAuthn standard, which employs public key cryptography to establish a new paradigm in user authentication. When a user registers an account on an app or website, the device’s operating system generates a unique pair of cryptographic keys, specifically and securely, for that account.

Here’s how it works:

  1. Private Key Creation: The user’s operating system creates a private key. This key is stored securely in different locations, which we will explore in detail in the following sections. It’s crucial that the private key is stored securely as it is fundamental to account ownership.
  2. Public Key Creation: While the private key is securely stored, the operating system calculates the public key from it. This public key is shared with servers and is not kept secret, as it’s used to verify the user’s identity.
  3. Server-Side Verification: The servers use the received public key to verify the ownership of the account, ensuring that the user is who they claim to be, thus completing the secure and user-friendly authentication process.

For Apple device users, features like Touch ID or Face ID can authorize the use of the passkey, authenticating the user swiftly and securely to the app or website. The beauty of passkeys lies in their simplicity and strength—there are no shared secrets transmitted, and they are highly resistant to phishing attacks and can be authenticated via Biometric Authentication.

The crucial aspect of Passkeys lies in the generation and storage of the Private Key. As per Apple's documentation (https://support.apple.com/en-us/102195), the Private Key is generated and encrypted via Secure Enclave and stored in the iCloud Keychain. This means that passkeys supports cross-device compatibility natively, which increases the user experience.

When users establish an account using passkeys, the private key is encrypted and synced through the Cloud. Should the device be lost, the key can be retrieved from another device designated as a "trusted device." The encryption of Passkeys is managed through Secure Enclave technology, often linked with biometric data, and this encrypted key is then distributed via the Cloud. As a result, the security integrity is maintained even if the Cloud is compromised, as the encryption prevents unauthorized access to the private key.

Secure Enclave

The Secure Enclave is a dedicated, isolated microchip within Apple's chips designed for secure data and operations. Not only does it ensure that sensitive data, like private keys, remains protected, but it also facilitates biometric authentication processes, such as Touch ID and Face ID, adding another layer of security. Transaction signing within the Secure Enclave occurs in a separate hardware environment, ensuring maximum security.

Recognizing these challenges, we at Clave have chosen to leverage the Passkeys, instead of Secure Enclave. By doing so, we can ensure hardware-level security and cross-device compatibility at the same time. The Private Key is exposed online and remains protected. This approach ensures that our key management system's security is almost on par with the hardware level, offering users the best of both worlds.

About Clave

Clave is an easy-to-use, non-custodial smart wallet powered by Account Abstraction and the hardware-level security elements (e.g., Secure Enclave, Android Trustzone, etc.) to simplify the onchain experience for the next billions. By empowering users with a user-friendly and secure bridge to seamlessly integrate their assets into everyday life, Clave delivers a comprehensive fintech solution, ensuring a holistic financial experience for all.

Connect with Clave:

  • Website: https://www.getclave.io/
  • Twitter: https://twitter.com/getclave
  • LinkedIn: https://www.linkedin.com/company/getclave/
  • Farcaster: https://warpcast.com/getclave
  • Marketing inquiries: marketing@clave.team
  • Mail: info@clave.team