A Translation of "Revolutionizing the Future of Web3: In-Depth Insights into Passkey Wallets and Their Emerging Role"

Guys, how’s your feeling about JoyID? I love the research survey written by @Cipher, so I translated it into English. Here is the original version: 改变 Web3 未来的新技术,Passkey 钱包基础知识与相关产品分析 - Foresight News
If you have any suggestions, please leave me a comment :muscle:

Revolutionizing the Future of Web3: In-Depth Insights into Passkey Wallets and Their Emerging Role

Key Research Takeaways:

  • Passkey ushers in a pioneering era of Web2 account technology, notable for its seamless, installation-free operation, robust security, user convenience, and commitment to privacy.
  • By integrating this innovative technology, Passkey wallets redefine the blockchain landscape, offering an unparalleled and novel wallet experience.
  • Surpassing traditional Web2 account experiences, Passkey wallets not only enhance user engagement but are also set to catalyze the development of new user scenarios.
  • With the entrance barriers for typical users looking to explore the blockchain realm now completely dismantled, the mass adoption of Web3 seems increasingly imminent and accessible.

Overview

An Introduction to Passkey Technology

To grasp the essence of Passkey, it’s essential first to understand WebAuthn. This innovative, passwordless authentication technology, endorsed by giants such as Apple, Google, Microsoft, and Meta, originates from the FIDO Alliance. It deploys asymmetric key pairs generated on the user’s device, shifting away from the traditional password-based authentication system. This approach echoes the principles of traditional security tokens or hardware wallets, where the device-stored private key is utilized for digital signatures, affirming the user’s identity to a server.

WebAuthn’s private keys are securely generated and managed within specialized chips. These include Apple’s Secure Enclave, the Secure Element in Android devices, and TPM in PCs, all of which operate independently from the CPU and operating system, ensuring heightened security. A prime example of such secure storage is the handling of credit card details for Apple Pay. Notably, these private keys housed in secure chips are inaccessible via external APIs; they are exclusively activated for digital signing by the system’s lock screen protocols, typically involving biometric verification.

Passkey builds upon the foundation of WebAuthn as a sophisticated key encryption and synchronization solution. It allows users to seamlessly encrypt and synchronize their device’s private keys through services like iCloud or a Google account. This synchronization capability ensures a fluid, automatic login experience across multiple devices. Currently, Passkey enjoys comprehensive support across a range of platforms, including iOS, Android, and macOS, while Windows 10/11 maintains support for WebAuthn only.

Passkey/WebAuthn, with their primary distinction being in sync capabilities (hereafter collectively referred to as Passkey), represent the forefront of account authentication technology championed by leading companies. They bring to the table distinct advantages: eliminating the need for passwords, offering protection against loss and misuse, and ensuring simplicity in usage. Yet, Passkey is not without its drawbacks. A critical limitation is the lack of cross-brand device trust; Passkeys on iOS, for instance, cannot sync with Android devices, posing challenges for account logins across different hardware ecosystems.

Enhancing Web3 with Passkey’s Strengths

Originally tailored for the Web2 sphere, Passkey technology didn’t initially consider the specific needs and scenarios of Web3/Crypto. However, its underlying asymmetric key structure, once merged with Web3, unlocks tremendous potential advantages.

  • Passkey wallets empower the creation of non-custodial wallets that eliminate the need for both passwords and seed phrases.
  • These wallets maintain stringent privacy, not requiring users to share any personal details, including email, phone numbers, or even usernames.
  • Elevating wallet security to a hardware level, Passkey wallets notably enhance the overall user experience for the everyday user.
  • With blockchain serving as a decentralized trust intermediary, Passkeys generated across different ecosystems or different devices can mutually recognize each other, potentially surpassing the user experience of Passkey in the Web2 domain.

Passkey wallets blend the trio of security, ease of use, and non-custodial features — a blend previously thought difficult to achieve. This innovative synergy positions them as a pivotal catalyst in accelerating the widespread adoption of Web3.

Exploring ERC4337 and MPC Wallets for Mass Adoption

As the drive towards mass adoption of cryptocurrency continues, two key solutions have gained traction in the market: ERC4337 Account Abstraction Wallets and MPC (Multi-Party Computation) Secure Wallets. Let’s start with an overview of their foundational principles and distinctive characteristics.

ERC4337 Wallets

At its core, ERC4337 represents an application layer standard for EVM (Ethereum Virtual Machine) contract wallets. These contract wallets boast several inherent advantages, such as the ability to reset lost private keys, enable developers to pay fees for their users, offer flexible permission management, and support batch transactions. Yet, they’re not without drawbacks, including high costs for initial setup and individual transactions, along with suboptimal dapp (decentralized applications) compatibility. While these are some theoretical pros and cons, practical application reveals more complex challenges:

  • The private key necessity: Users still require a private key whose generation and management present unresolved issues.
  • Trust anchor for key reset: Determining who holds the ability to reset a user’s wallet private key raises significant trust concerns.
  • Multi-chain synchronization in private key resetting: For example, if a user only holds assets on Polygon and decides to reset their private key, should the same action apply to the Ethereum contract’s key? Resetting it involves substantial fees, yet avoiding a reset could restrict future Ethereum account usability.
  • Source of initial deployment fees: Whether these should be user-funded or subsidized by third parties remains an open question.
  • Incentives for bundlers in the ERC4337 ecosystem: Creating the right motivational structures for bundlers (entities that bundle transactions together) under ERC4337 remains challenging.

These multifaceted theoretical and practical hurdles have unfortunately impeded the widespread adoption and integration of ERC4337 wallets, falling somewhat short of the community’s initial expectations.

MPC Wallet

MPC (Multi-Party Computation) wallets introduce a novel approach to key management by splitting a private key into multiple fragments, which are then distributed across several parties. When a signature is required, the process involves either piecing these fragments back together to form a complete key for signing or enabling each fragment to contribute to a partial signature, which is subsequently combined into a final, complete signature. Key benefits of MPC wallets include:

  • Reduced On-Chain Costs: Users are not burdened with additional fees for executing complex wallet contracts, making transactions more cost-effective.
  • Versatile Recovery Mechanisms: MPC wallets offer various methods for key fragment recovery, such as email, phone numbers, passwords, and cloud storage solutions, enhancing user convenience and security.
  • Broad Blockchain Compatibility: Far from being limited to EVM (Ethereum Virtual Machine) platforms, MPC wallets theoretically support a wide array of blockchain ecosystems, highlighting their flexibility and universal appeal.

Nevertheless, MPC wallets come with a significant limitation: the dependence on centralized services for fragment custody and signature processing. This centralization requires significant investment to ensure the security and backup of fragment servers and to guarantee prompt processing of user signature requests. As a result, the typical business model for MPC wallets leans heavily towards a B2B (Business-to-Business) SaaS (Software as a Service) approach. This might make it difficult to transfer their wallet to other ecosystems and might discourage application developers from binding their user base to any single MPC service provider, considering the potential risks and dependencies involved.

In-Depth Analysis of Passkey Wallet Market Trends

Categorizing Passkey Wallets: Three Emerging Approaches

In evaluating the current spectrum of Passkey wallets on the market, three primary technological trajectories have been identified:

  • AA + Passkey Signature Verification Approach: Exemplified by products like Clave and Banana SDK.
  • Centralized Authentication Delegation Model: With Turnkey as a notable example.
  • Signature Transform Technique: Illustrated by solutions such as JoyID.

Each of these categories represents a unique strategy for integrating Passkey technology into wallet applications. Below is a closer look and analysis of these approaches.

Clave & Banana SDK

The first category incorporates an innovative AA + Passkey signature architecture. In this model, EVM-compatible chains host an abstract account that directly authenticates Passkey signatures. This category includes pioneering projects like Clave and Banana SDK:

Clave (https://www.getclave.io/): Originating as a standout project named opClave at the EthGlobal Hackathon 2023, Clave stands out for its implementation strategy. It calculates Passkey-required secp256r1 signatures (not the generally used secp256k1 signatures) using EVM contracts. This method has its drawbacks, particularly in gas consumption - verifying a Passkey signature can require a substantial 600,000 to 900,000 gas. Given the impracticality of such high costs in everyday or mass-adoption contexts, Clave is exploring a novel solution. Their proposal involves initiating a dedicated Layer3 chain, integrating a pre-compiled contract specifically for secp256r1 signature verification. This solution aims to substantially decrease gas expenses. However, this modification might lead to a significant reduction in the wallet’s compatibility across multiple blockchains, potentially hindering its mass adoption efforts.

Banana SDK, accessible at https://www.bananawallet.xyz/, is positioned more as a B2B (Business-to-Business) Software Development Kit (SDK) rather than a typical consumer-facing wallet. This strategy allows decentralized application (dApp) developers to seamlessly integrate an easy-to-use wallet feature, enhancing the user onboarding experience. Despite this innovative approach, Banana SDK shares a significant hurdle with Clave – the prohibitive gas fees on Ethereum, a major barrier to their practical adoption.

To tackle the high expense associated with verifying Passkey signatures on Ethereum, the developer community has proposed initiatives like Ethereum Improvement Proposal 7212 (EIP-7212), which can be viewed at EIP-7212: Precompiled for secp256r1 Curve Support. This proposal suggests the incorporation of a pre-compiled secp256r1 signature verification algorithm directly into the Ethereum Virtual Machine (EVM), aiming to dramatically cut down the verification costs. However, implementing this EIP is a complex process, requiring intricate changes in both the cryptographic foundation and consensus layers of Ethereum. The timeframe for its approval and eventual integration into the mainnet is likely to be measured in years. In response to these challenges, Clave has embarked on a partnership with zkSync, focusing on adopting EIP-7212 within the zkSync environment.

Beyond these, several other projects are experimenting with blockchain-based verification using the AA + Passkey structure, some of which incorporate zero-knowledge proof technology to reduce computational demands on the blockchain. These include knownothinglabs, which utilizes the halo2 framework, and Bonfire Wallet, which employs the risc0 bonsai technology. Most of these initiatives, however, are currently in the prototype stage and lack enough development for an in-depth analysis at this point.

Turnkey

Turnkey (https://turnkey.com) represents a notable shift in addressing the expense of verifying Passkey signatures via smart contracts. Instead of on-chain validation, Turnkey relies on a centralized service to verify Passkey signatures. Once authenticated, a controlled cryptographic engine generates the needed signature. This method essentially parallels how Passkey functions in Web2 environments, substituting the classic username and password combination with a public-private key pair. The critical difference, however, is that the final authentication authority is a centralized server.

Turnkey markets itself as a Wallet-as-a-Service (WaaS) provider focusing on the business-to-business (B2B) sector. Its comprehensive development toolkit and robust ecosystem support offer an enhanced developer experience. This solid foundation has already encouraged multiple partnerships. For example, dynamic.xyz has utilized Turnkey’s framework to provide a consumer-oriented wallet service, which has been well-received for its user-friendly interface.

Despite these advantages, Turnkey isn’t without its drawbacks. A primary concern is the management and security of user wallet private keys. Turnkey’s framework, though frequently described as non-custodial — arguing that private keys are safely stored within the server’s Trusted Execution Environment (TEE) and are beyond the reach of administrators — still hinges on a central entity for key management. This centralization poses inherent risks, including potential privacy and security vulnerabilities. Furthermore, Turnkey’s reliance on a B2B SaaS model means that any interruption or discontinuation of service could leave users unable to perform essential wallet operations like signature, highlighting a critical dependence and potential point of failure.

JoyID

JoyID wallet (joy.id) marks its distinction in the wallet landscape with an innovative approach termed “Signature Transform.” Catering to a range of blockchains including Ethereum, Bitcoin, and Solana, JoyID distinguishes itself by functioning as a standard Externally Owned Account (EOA) across these networks. What sets it apart is the decentralized management of its keys and authorization mechanisms, achieved via an Account Abstraction (AA) account on Nervos CKB. This structure ingeniously merges the adaptability of AA accounts with the affordability and broad compatibility inherent to EOA accounts.

Central to JoyID’s system is its AA account, which plays a pivotal role in enabling Passkey authorizations across multiple devices. It also safeguards an encrypted shard that forms part of a 2-of-2 key pair. The counterpart shard is dynamically generated by the device using the Passkey during signing. This design accomplishes a decentralized signature conversion from secp256r1 to secp256k1, independent of any server assistance. The entire process is executed on the user’s device, anchored by secure chip technology. This methodology not only fortifies security but also upholds the principles of decentralization and non-custodial management.

From the standpoint of user experience, JoyID excels with its intuitiveness and fluidity. Wallet creation is a breeze, requiring no manual input from the user, and completed with just a couple of system authentications. This quick, hassle-free setup, devoid of any charges, places JoyID at the forefront of the Passkey wallet domain. Presently, it emerges as the most polished and robust choice among all Passkey wallets, skillfully balancing simplicity, security, and speed.

Envisioning the Future of Web3 Wallets: Unleashing User Experience and Security

The rise of Passkey wallets heralds a transformative phase in the Web3 ecosystem, underscoring not only convenience but also enhanced security. These wallets transcend traditional barriers by offering a seamless, no-install experience coupled with robust hardware-level security features. Notable for their user-friendly nature, they eschew the complexities of seed phrases and passwords. Privacy is a paramount concern; hence, personal information isn’t a prerequisite. A significant departure from Web2 dependability, these wallets also ensure compatibility with Externally Owned Accounts (EOAs), a vital attribute for widespread acceptance.

The shift in wallet technology with Passkey wallets signifies more than just an upgrade over legacy systems like MetaMask or seed phrase-based wallets. They mark a leap forward, achieving an unparalleled user experience that easily rivals, and in many aspects surpasses, traditional Web2 account setups typically fraught with verification hurdles like email and phone confirmations.

The ripple effect of this enhanced user experience is set to extend beyond mere convenience, potentially reshaping user demographics and spawning new, diverse application realms within Web3. Imagine a world where Music NFTs, the burgeoning Creator Economy, Open Loyalty frameworks, and DAOs are no longer shackled by the speculative tendencies of the conventional wallet user base. The entry of a broader, more diverse audience uninterested in speculation paves the way for these domains to thrive, focusing on core values and long-term user engagement.

Looking ahead, we might draw parallels between the evolving dynamics of Web3 wallets and the digital payment landscape dominated by Alipay and WeChat Pay. In such a scenario, users may gravitate towards hardware or mnemonic phrase wallets for heavyweight tasks like DeFi engagements and secure asset storage, akin to Alipay’s role in managing substantial financial services. Concurrently, for everyday Dapp interactions and smaller-scale transactions, Passkey wallets could emerge as the favored medium, echoing the convenience and ubiquity of WeChat Pay in handling microtransactions.

The potential of Passkey wallets in shaping a new frontier in the Web3 sphere is immense. With their user-centric design and commitment to security and privacy, they’re poised to redefine digital interactions, promising not just a surge in adoption but a revolution in how users engage with Web3 technologies. As we anticipate the widespread embrace of Passkey wallets, the future looks bright for a truly inclusive, user-friendly Web3 experience.

11 Likes
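
Added example, not part of the original post or of any project it names: the checks a verifier (a server, or a contract wallet doing the same on-chain) runs on a WebAuthn assertion, ending in the secp256r1 (P-256) signature check the article describes as gas-expensive. The authenticator is simulated in software with Node's built-in crypto; `wallet.example`, the helper names and all values are constructed for illustration.

```javascript
// Added example with constructed values; not code from the article or any wallet it names.
const nodeCrypto = require('node:crypto');

const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Stand-in for the secure chip: holds a P-256 (secp256r1) key and signs
// authenticatorData || SHA-256(clientDataJSON), the message WebAuthn defines.
function makeAuthenticator(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let counter = 0;
  const getAssertion = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: b64url(challenge), origin }));
    const tail = Buffer.alloc(5);
    tail[0] = 0x05;                       // flags: user present (0x01) | user verified (0x04)
    tail.writeUInt32BE(++counter, 1);     // signature counter
    const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), tail]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, getAssertion };
}

// Verifier side (server or contract wallet): returns 'ok' or the rejection reason.
function verifyAssertion(a, exp) {
  let client;
  try { client = JSON.parse(a.clientDataJSON.toString('utf8')); } catch { return 'bad clientDataJSON'; }
  if (client?.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== b64url(exp.challenge)) return 'challenge mismatch';
  if (client.origin !== exp.origin) return 'origin mismatch';
  const ad = a.authenticatorData;
  if (ad.length < 37) return 'short authenticatorData';
  if (!ad.subarray(0, 32).equals(sha256(Buffer.from(exp.rpId)))) return 'rpIdHash mismatch';
  if ((ad[32] & 0x05) !== 0x05) return 'user not present or not verified';
  const count = ad.readUInt32BE(33);
  if ((count !== 0 || exp.lastSignCount !== 0) && count <= exp.lastSignCount) return 'signCount did not increase';
  // The secp256r1 check itself: the step that is costly on-chain without a precompile.
  const signed = Buffer.concat([ad, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, exp.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { rpId: 'wallet.example', origin: 'https://wallet.example' }; // constructed
  const auth = makeAuthenticator(rp.rpId);
  const challenge = nodeCrypto.randomBytes(32);
  const exp = { ...rp, challenge, publicKey: auth.publicKey, lastSignCount: 0 };
  const good = auth.getAssertion(challenge, rp.origin);
  const otherOrigin = auth.getAssertion(challenge, 'https://other.example');
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff;   // alter the signed counter after signing
  return {
    good: verifyAssertion(good, exp),
    otherOrigin: verifyAssertion(otherOrigin, exp),
    tampered: verifyAssertion(tampered, exp),
    replayed: verifyAssertion(good, { ...exp, lastSignCount: 1 }),
  };
}

console.log(demo());
```

The signature only covers what the authenticator saw, so the challenge, origin, RP ID hash and flag checks matter as much as the curve arithmetic: a verifier that checks only the P-256 signature accepts an assertion produced for a different origin.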

We were planning to use a translation by @JackyLHH to post in The Block, but your translation reads better. Wanted to check: is it OK if we use this translation to repost the article?

3 Likes

:+1::+1::+1: It would be great if this translation could be authorized to be published on The Block!

1 Like

Sure. Thanks a lot for using this version. :pray:

2 Likes

My honor. :raised_hands:

2 Likes

Thanks to any and all involved in translating this and for any efforts, going forward.
Sucks being in the dark! :slight_smile:

BW, Lou… (aka Bklynboy56)

3 Likes