Share the love
Want to stay updated? Subscribe below to keep in touch.
Announcing Passkeys wallet creation/recovery!
Allow your users to simply use TouchID/FaceID to create and recover their wallet.
January 11, 2024
Portal is proud to introduce a new backup and recovery option for our embeddable MPC wallets, passkeys + secure enclave. At Portal, we aim to accelerate blockchain adoption and do so with a focus on two fundamental components: security and accessibility. We continually work to build a platform that offers businesses and institutions the best technical options for offering their customers frictionless experiences with enterprise-grade security. Adding passkeys for authentication and secure enclaves for secure processing in the backup and recovery process is a critical next step to enhance our MPC framework and achieve our long-term goals.
Improving recovery for MPC wallets
Portal’s core is MPC technology—a user has one key share and Portal has the other. Both shares are required to sign transactions and access a wallet. If a user loses the key share stored on their device, they can recover it from a configured backup. Portal provides backup methods that require user-based authentication, meaning that the user controls the means of recovery. This level of control ensures a non-custodial experience.
Our new passkey recovery method follows this framework by running passkey authentication within a secure enclave backed by KMS, allowing users to register a passkey as a user-controlled authentication method to store and retrieve the data required to run recovery.
Why use passkeys and secure enclaves
Passkey adoption has exploded across the technical ecosystem. This new passwordless authentication method is user friendly in that there is no need to remember anything. No seed phrase. No password. No email. Without a password, passkeys are therefore resistant to phishing attacks, and weak or reused passwords that can easily be hacked are no longer an issue. Using passkeys for account recovery means users of all blockchain experience levels can feel confident in setting up a wallet and not risking loss of assets due to loss of their private key.
Pairing passkey authentication with an enclave backed by KMS enables us to provide the accessibility of passkeys with the security benefits of a secure enclave.
Passkeys, as an extension of Web Authentication (WebAuthn) protocols, allow users to authenticate themselves using cryptographic keys, improving security due to:
- Platform-based access: The private key of a passkey is stored on your phone and backed up via Google, Apple, or Microsoft’s secure keychains. Gaining access to a passkey requires possession and authorization to a user’s device (biometric auth or PIN) connected to the iCloud, Google, or Windows account.
- Phishing resistance: Passkeys are more resistant to phishing attacks compared to traditional passwords, as the authentication process can be pinned to a domain and involves cryptographic proof that doesn't reveal any secret (like a password) to the server.
- Cross-platform compatibility: With increasing support for WebAuthn, users can use their passkeys across different devices and platforms using Bluetooth + QR codes, enhancing both security and convenience in accessing their assets.
Secure enclaves provide a hardware-based security layer, crucial for protecting sensitive operations and information related to cryptocurrencies. Secure enclaves can:
- Encrypt computation: Secure enclaves are servers running with encrypted memory. The host cannot view or access the values being computed. This means that Portal cannot access the passkey or the backup data as they are being processed.
- Guarantee execution: Using the private keys that power a secure enclave, they can also provide cryptographic signatures to clients to attest (prove) that the server handling their request was running specific code. This is done by providing signatures and finger prints that match public keys and public code.
- Work with attestation-aware cloud services: In AWS, the IAM policies support a requirement for an attestation from an enclave for some of the cloud services. One service that provides this is KMS. You can configure an IAM policy for a KMS key that will only allow actions from a server running within an enclave.
Passkeys + secure enclaves
Putting it all together, our passkey backup is powered by user-friendly passkey authentication to ensure only a user can access their data, a secure enclave that keeps data private from Portal, and an integration with KMS that stores encrypted data so only the user can access it. Have more questions? Reach out to get a live demo!
See it in action!