Passkeys

Get familiar with ZKsync SSO passkeys.

Passkeys are a core feature supported by ZKsync SSO that enable secure, passwordless authentication for users interacting with applications on the ZK Chain. Stored on users' devices, these passkeys make for a self-custodial and secure solution to private key management. This standard also supports biometric authentication methods like Face ID and fingerprint recognition, utilizing the secp256r1 elliptic curve via native precompile in ZKsync.

What are Passkeys?

Passkeys are digital credentials that eliminate the need for traditional passwords by using asymmetric cryptography for authentication. They consist of a key pair:

  • Private Key: Stored securely on the user's device (e.g., in a secure enclave or Trusted Platform Module) and never leaves the device.
  • Public Key: Shared with the relying party (ZKsync SSO Auth Server and associated smart contracts) during registration.

Passkeys are based on the WebAuthn API and the FIDO2 standards, which support various authenticators like built-in device biometrics (fingerprint sensors, facial recognition) or external hardware security keys (YubiKey, SoloKeys). This ensures a high level of security and a seamless user experience.

What are the risks and challenges of Passkeys?

Passkeys enable the simplification of the UI/UX to sign blockchain transactions securely and across multiple platforms. While it improves usability, Passkeys security relies on platform integrity, account protection, and domain ownership. Users should remain aware of these risks when adopting passkey-based authentication.

  • Passkeys Are Still Cryptographic Keys: Unauthorized access to passkey material allows attackers to sign transactions, similar to a compromised private key.
  • Passkeys Security Is Vendor-Specific: Apple, Google, Microsoft, and other platforms implement passkeys differently, with varying security models tied to device and account protections, which users need to understand. These range from device-bound and physical token passkeys (that never leave the device) to 'synced' passkeys (where a device's Credential Manager backs up and synchronize passkeys across the user's other devices). For example, Apple passkeys are automatically backed up to the cloud to be synced across all your Apple devices, so compromising your Apple Account can lead to token access.
  • Passkeys Are Tied to Identity and Devices: The security of passkeys depends on the protection of associated accounts (e.g., Apple ID, Google Account) and the devices where they are stored. Users might need help in understanding and implementing the right security practices (MFA, strong pin-codes and passwords) so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
  • Domain Ownership Risk: Passkeys are linked to specific domains usually maintained by an application developer. If a domain is lost, hijacked, or transferred, authentication could be compromised. This means that users could be at risk of authorizing transactions with unknown consequences, including (but not limited to) granting ownership of their account to another owner.

Managing Passkeys in Development

You can manually delete individual passkeys in your OS. For example, in Chrome browser you can navigate to chrome://settings/passkeys to edit or delete your passkeys.

If you are signed in to SSO with a passkey that you deleted, make sure to click the icon in the top right corner of the SSO popup window. This will allow you to be able to sign up again and generate a new passkey.

Sessions

Get familiar with ZKsync SSO sessions.

Account Modules

Get familiar with ZKsync SSO smart account modules.

Made with ❤️ by the ZKsync Community