Passkeys for Bitcoin Wallets: How WebAuthn Replaces Seed Phrases
How passkeys and WebAuthn are replacing seed phrases in Bitcoin wallets, enabling seedless self-custody with biometric authentication.
The biggest obstacle to Bitcoin adoption is not volatility, regulation, or scaling. It is the 12-word seed phrase. Asking ordinary users to write down a sequence of random words, store them in a secure physical location, and never lose them is a UX pattern borrowed from cryptography textbooks, not consumer software. Chainalysis has estimated that roughly 20% of all Bitcoin supply is permanently inaccessible, much of it because owners lost their private keys or seed backups. A 2026 survey by Oobit of 1,000 U.S. crypto holders found that 35% had lost access to a wallet or account, and 31% of those never recovered their funds.
Passkeys offer a way out. Built on the W3C WebAuthn standard and the FIDO2 framework, passkeys replace passwords and seed phrases with biometric authentication: a fingerprint scan, a face unlock, or a device PIN. The private key never leaves the device's secure hardware. For Bitcoin wallets, this means users can sign transactions with Touch ID or Windows Hello instead of managing a BIP-39 mnemonic. As of May 2026, the FIDO Alliance reports 5 billion passkeys in active use worldwide, with 75% of consumers having enabled a passkey on at least one account.
What Are Passkeys and How Does WebAuthn Work?
Passkeys are the consumer-facing name for WebAuthn discoverable credentials. The underlying protocol, standardized by the W3C as Web Authentication (WebAuthn), uses asymmetric cryptography to authenticate users without shared secrets. It is part of the broader FIDO2 specification, which also includes CTAP2 (Client to Authenticator Protocol) for communication between browsers and hardware authenticators like YubiKeys.
The Registration Flow
When a user creates an account with a passkey-enabled service, the following happens:
- The server (called the “relying party” in FIDO2 terminology) sends a challenge: a random byte string along with parameters specifying acceptable key types.
- The platform authenticator (Secure Enclave on Apple devices, Titan M on Pixel phones, TPM 2.0 on Windows) generates a new asymmetric key pair inside tamper-resistant hardware.
- The private key is stored on the device and never exported. The public key is sent back to the server along with an attestation object proving it was generated by genuine hardware.
- The server stores the public key and credential ID. There is no password hash, no shared secret, nothing to leak in a database breach.
The Authentication Flow
To sign in later, the server sends a new challenge. The authenticator signs it with the stored private key after the user verifies with biometrics or a PIN. The server validates the signature against the stored public key. The entire exchange is phishing-resistant because the credential is cryptographically bound to the origin domain. Microsoft reports that passkey sign-in success rates reach approximately 98%, compared to 32% for password-based login.
Why passkeys resist phishing: WebAuthn credentials are scoped to a specific origin (e.g., wallet.example.com). A phishing site on a different domain cannot trigger the authenticator for the real credential. This is a fundamental improvement over passwords and even seed phrases, which can be entered into any interface. Phishing attacks targeting seed phrases remain one of the most common vectors for cryptocurrency theft.
The Curve Mismatch: Why Passkeys Cannot Sign Bitcoin Transactions Directly
There is a fundamental technical tension between WebAuthn and Bitcoin. WebAuthn authenticators generate keys on the NIST P-256 curve (secp256r1). Bitcoin uses a different elliptic curve: secp256k1. These are not interchangeable. A passkey cannot directly produce a valid Bitcoin digital signature.
This means passkey-based Bitcoin wallets cannot simply use the WebAuthn key as the Bitcoin private key. Instead, they use one of several architectural patterns to bridge the gap between the authentication layer (secp256r1) and the signing layer (secp256k1).
Four Architectures for Bridging the Gap
- TEE-mediated signing: The passkey authenticates the user to a remote trusted execution environment (TEE) that holds or derives the Bitcoin private key. The TEE only releases signatures after verifying the WebAuthn assertion. This is the approach used by infrastructure providers like Turnkey, which runs signing operations inside AWS Nitro Enclaves with cryptographic attestation.
- MPC with passkey share: The passkey protects one share of a multi-party computation (MPC) scheme. The user's device holds one share authenticated by the passkey, and one or more servers hold other shares. Transaction signing requires threshold cooperation without any single party seeing the full key.
- PRF-based key derivation: The WebAuthn PRF (Pseudo-Random Function) extension allows a passkey to produce a deterministic cryptographic output during authentication. This output can be used to derive or unlock a Bitcoin private key without any server involvement. The Breez SDK uses this approach for its passkey login feature, binding Bitcoin keys to the device's secure element while offering optional BIP-39 seed phrase export for portability.
- On-chain verification: On account-model chains like Ethereum, account abstraction (ERC-4337) allows smart contract wallets to verify secp256r1 WebAuthn signatures on-chain. This does not directly apply to Bitcoin's UTXO model, but it demonstrates the pattern. The gas cost for P-256 verification on Ethereum L1 is approximately 330,000 to 400,000 gas without the proposed EIP-7212 precompile.
| Architecture | How It Works | Trust Assumption | Bitcoin Compatible |
|---|---|---|---|
| TEE-mediated | Passkey authenticates to server-side enclave holding Bitcoin key | Trust TEE operator and hardware attestation | Yes |
| MPC + passkey | Passkey guards one key share; threshold signing produces Bitcoin transactions | At least t-of-n shares required; no single point of failure | Yes |
| PRF key derivation | WebAuthn PRF extension derives a secret used to unlock the Bitcoin key locally | Trust device secure element; no server dependency | Yes |
| On-chain verification | Smart contract verifies secp256r1 signature directly | Trust smart contract correctness | Not natively (requires covenant or L2 support) |
Seed Phrases vs Passkeys: A Direct Comparison
The traditional BIP-39 seed phrase model has served Bitcoin well for over a decade. It gives users complete sovereignty over their keys. But the operational burden it places on non-technical users is severe, and the failure mode is total: lose the seed, lose the funds. A 2025 Carnegie Mellon CyLab study found that only 43.4% of participants could even correctly identify what a seed phrase looks like, and among those who could, 58% incorrectly believed they could reset or choose their seed words.
| Property | BIP-39 Seed Phrase | Passkey Wallet |
|---|---|---|
| Backup mechanism | User writes down 12/24 words on paper | Synced via iCloud Keychain, Google Password Manager, or device-bound |
| Phishing resistance | None: seed can be entered into any phishing site | Origin-bound: credential cannot be used on wrong domain |
| Key material exposure | Seed exists in plaintext during backup and restore | Private key never leaves secure hardware |
| Authentication factor | Knowledge (the seed words) | Possession (device) + inherence (biometric) |
| Recovery after device loss | Import seed into any compatible wallet | Depends on sync provider or recovery mechanism |
| Platform dependency | None: BIP-39 is an open standard | Tied to authenticator ecosystem (Apple, Google, FIDO2 key) |
| User error surface | High: wrong word order, damaged paper, clipboard attacks | Low: biometric scan or PIN |
| Sovereignty | Full: user controls all key material | Partial to full, depending on architecture |
Synced Passkeys vs Device-Bound Passkeys
Not all passkeys are created equal. The FIDO2 specification supports two modes, and the distinction matters significantly for self-custody wallet design.
Synced Passkeys
Apple, Google, and third-party password managers (1Password, Dashlane, Bitwarden) can sync passkey credentials across devices via encrypted cloud storage. When a user creates a passkey on their iPhone, it becomes available on their iPad, Mac, and any other device signed into the same iCloud account. Apple uses end-to-end encryption via iCloud Keychain: each credential is encrypted so it can only be decrypted by devices within the user's circle of trust, and Apple's servers cannot read the plaintext private key.
For wallet applications, synced passkeys solve the device-loss recovery problem: if a user's phone breaks, their passkeys are already available on their other devices or can be restored from cloud backup. However, this introduces a platform dependency. Recovery now depends on Apple or Google account access.
Device-Bound Passkeys
Hardware security keys like YubiKey and device-bound platform credentials stay on a single piece of hardware. The private key physically cannot be extracted, even by the platform vendor. In WebAuthn terms, device-bound passkeys have their Backup Eligible (BE) and Backup State (BS) flags both set to 0. NIST classifies them as capable of AAL3 (the highest authenticator assurance level), while synced passkeys are limited to AAL2.
For high-value Bitcoin cold storage, device-bound passkeys paired with a dedicated signing device may offer a better security model. For everyday spending wallets, synced passkeys provide the convenience that most users expect.
The sovereignty question: When passkeys sync to iCloud Keychain, Apple's HSM-protected escrow system becomes the ultimate recovery backstop. Apple's documentation states that passkeys are end-to-end encrypted and Apple cannot read them, but recovery still depends on iCloud account access. For a Bitcoin wallet, this means fund access could be gated by platform account recovery, a process the wallet developer cannot control.
Who Is Building Passkey Wallets in 2026
The passkey wallet ecosystem has consolidated rapidly. In June 2025, Stripe acquired Privy (which powers over 75 million accounts across 1,000+ developer teams). In October 2025, Fireblocks acquired Dynamic (powering over 50 million on-chain accounts). These acquisitions signal that passkey-based wallet infrastructure has moved from experimental to strategic.
Infrastructure Providers
- Turnkey: Non-custodial key management API built on AWS Nitro Enclaves. Users authenticate with passkeys; signing operations happen inside TEEs that support secp256k1 for Bitcoin. Raised over $65 million in total funding through 2026.
- Privy (now part of Stripe): Embedded wallet infrastructure with passkey support. Uses Shamir's Secret Sharing to split private keys; the full key is reconstructed only inside secure enclaves. Users can export their key at any time.
- Dynamic (now part of Fireblocks): Web3 authentication SDK with passkey-based wallet creation. The wallet private key is encrypted at rest and decrypted only inside secure enclaves when the user provides a valid passkey signature.
- Capsule: 2-of-2 MPC scheme where one share is protected by the user's passkey and the other by Capsule's infrastructure. Supports pre-generated wallets that activate upon passkey signup.
Bitcoin-Specific Passkey Wallets
- Breez SDK: Integrated passkey login for self-custodial Bitcoin Lightning wallets using the WebAuthn PRF extension to derive keys. Private keys are bound to the device's secure element, with optional BIP-39 export.
- Oviato: Passkey-native Bitcoin wallet SDK unveiled at Bitcoin Amsterdam. Users access self-custodial wallets via Face ID, Touch ID, or passkeys with no seed phrase.
- Gemini Wallet: Self-custody smart wallet launched August 2025 with passkey authentication and no seed phrase required. Partners with multiple L2s for gas sponsorship.
On the EVM side, Coinbase Smart Wallet is one of the highest-profile passkey deployments, using ERC-4337 account abstraction to verify P-256 WebAuthn signatures on-chain. While not a Bitcoin wallet, it has demonstrated the passkey wallet UX at scale and influenced the broader ecosystem.
How Passkey Authentication Flows in a Bitcoin Wallet
A concrete example helps illustrate how these pieces fit together. Consider a Bitcoin wallet using TEE-mediated passkey authentication:
- The user opens the wallet app and taps “Create Wallet.” The app calls the WebAuthn API via
navigator.credentials.create(), triggering a biometric prompt. - The device's Secure Enclave generates a P-256 key pair and returns the public key to the app. This passkey is the user's authentication credential.
- The app sends the passkey public key to the wallet provider's TEE infrastructure. Inside the enclave, a secp256k1 Bitcoin private key is generated and bound to this passkey credential.
- When the user wants to send Bitcoin, the app constructs the unsigned transaction, calls
navigator.credentials.get()to get a WebAuthn assertion (signed by the passkey), and sends both to the TEE. - The TEE verifies the P-256 assertion, confirms it matches the registered credential, and signs the Bitcoin transaction with the secp256k1 key inside the enclave. The signed transaction is returned to the app for broadcast.
From the user's perspective, they authenticated a Bitcoin transaction with their fingerprint. No seed phrase was ever displayed, written down, or stored in plaintext.
The Sovereignty Tradeoff
Passkey wallets introduce a spectrum of custody models that differ from the binary custodial/non-custodial distinction of traditional Bitcoin wallets. The core question is not just “who holds the keys?” but “who can authorize signing, and under what conditions can the user unilaterally exit?”
TEE-Mediated Models
When Bitcoin keys live inside a remote TEE, the user does not have direct access to the raw key material. They authenticate via passkey, and the TEE signs on their behalf. This is functionally similar to self-custody in that the infrastructure provider cannot unilaterally access funds (the TEE enforces access control), but it differs from traditional self-custody in that the user cannot export the private key and use it independently. If the TEE provider goes offline or shuts down, the user may lose access. This is why recovery mechanisms (social recovery, backup shares, secondary authentication methods) are critical for passkey wallet architectures.
MPC and PRF Models
MPC-based passkey wallets distribute key material across multiple parties. The user's passkey protects their share, and the provider holds another. Neither party alone can sign. This provides stronger guarantees: even if the provider is compromised, the attacker cannot sign without the user's passkey. PRF-based approaches go further by deriving Bitcoin keys entirely on-device, eliminating server dependency for signing. The tradeoff is that PRF extension support is not yet universal across all platforms and browsers.
The key test for sovereignty: Can the user unilaterally exit with their funds if the wallet provider disappears? Seed phrase wallets pass this test trivially: import the seed anywhere. Passkey wallets must engineer this property through recovery shares, key export options, or on-chain escape hatches. The best implementations (like Breez SDK's optional seed export or Privy's key export) make this exit path explicit and testable.
Limitations and Open Challenges
Cross-Platform Friction
Passkeys work seamlessly within an ecosystem (Apple devices with iCloud, Android with Google Password Manager), but cross-platform usage remains clunky. A passkey created on an iPhone can be used on a Windows PC via QR code scanning and Bluetooth proximity verification (the FIDO2 hybrid transport), but this flow is significantly slower than native biometric authentication. The FIDO Alliance is working on the Credential Exchange Protocol (CXP) to enable secure passkey transfer between providers, which would reduce lock-in.
Platform Dependency
Synced passkeys depend on cloud infrastructure controlled by Apple, Google, or a third-party password manager. If a user loses access to their Apple ID (account locked, two-factor device lost), their synced passkeys may become inaccessible. Apple's iCloud Keychain escrow system allows only 10 authentication attempts before permanently destroying the escrow record. For a Bitcoin wallet, this means funds could be locked behind platform account recovery.
Non-Exportable Keys
The WebAuthn specification explicitly prevents private key export. This is a security feature for traditional authentication (prevents credential theft), but it creates tension with self-custody principles. A user cannot back up their WebAuthn private key to a paper wallet or import it into a different authenticator. The passkey itself is not the Bitcoin key, but it guards access to the Bitcoin key, and that guard is non-transferable by design.
No Automated Signing
Passkeys require biometric interaction for every signing operation. This blocks use cases like automated trading bots, batch transaction processing, and AI agent wallets that need to sign without human presence. Wallet architectures that require passkey-per-transaction may need session key mechanisms for scenarios requiring programmatic signing.
Social Recovery and Passkey Wallets
One of the most promising design patterns combines passkeys with social recovery. Instead of relying solely on the passkey for access, wallet architectures can distribute recovery shares to trusted contacts, secondary devices, or institutional guardians.
In this model, the passkey handles day-to-day authentication (fast, convenient, phishing-resistant), while the recovery mechanism provides a fallback if the passkey is lost. This mirrors how traditional web accounts work (password for login, email/phone for recovery) but with cryptographic guarantees instead of centralized password resets.
Research on embedded wallet UX consistently shows that recovery anxiety is the top reason users abandon self-custodial wallet onboarding. Passkeys with social recovery directly address this by eliminating the seed phrase while providing a recovery path that does not depend on a single device.
What This Means for Bitcoin Layer 2 Wallets
Passkey authentication is especially relevant for Layer 2 Bitcoin wallets, where the user base skews toward non-technical users making frequent, smaller transactions. The design goal is to make a Bitcoin L2 wallet feel as intuitive as a banking app, and passkeys are a critical piece of that puzzle.
Spark, for example, is designed with an SDK-first architecture that makes it straightforward for wallet developers to integrate passkey-based onboarding. Because Spark uses a FROST threshold signature model where the user holds one key share and Spark operators hold others, the user's key share can naturally be protected by a passkey rather than exposed as a raw seed phrase. The user authenticates with biometrics; the key share is unlocked locally; the threshold signing protocol executes. No mnemonic required.
This pattern aligns with what infrastructure providers like Privy and Dynamic already support. A developer building on Spark's SDK can wire up passkey-based wallet creation using existing WebAuthn libraries, shielding users from the complexity of key management, derivation paths, and backup procedures.
For users who want to try a Spark-powered wallet with simplified onboarding today, General Bread offers an example of what seamless Bitcoin and stablecoin access looks like when wallet UX is treated as a first-class priority. Developers interested in building similar experiences can explore the Spark SDK documentation to integrate Bitcoin L2 functionality with modern authentication patterns.
The Road Ahead
Passkey adoption is accelerating across the web. Google, Apple, Microsoft, Amazon, and hundreds of other services support passkey authentication, and Microsoft has made passkeys the default sign-in method for all new accounts. As passkey infrastructure matures, several developments will shape how Bitcoin wallets adopt this technology:
- Cross-platform passkey portability through the FIDO Alliance's Credential Exchange Protocol (CXP), which would allow passkeys to be securely transferred between providers and reduce platform lock-in.
- Bitcoin covenant support: Proposals like OP_CAT could eventually enable on-chain verification of secp256r1 signatures on Bitcoin L1, opening the door to native passkey verification without TEE intermediaries.
- Hybrid custody models combining passkey authentication for daily use with multisig or threshold signature recovery for high-value holdings.
- Broader PRF extension support across platforms, enabling fully local Bitcoin key derivation from passkeys without server-side infrastructure.
The seed phrase served Bitcoin well during its first decade. It proved that individuals could hold their own keys without banks or intermediaries. But the next billion Bitcoin users will not write down 12 words. They will authenticate with a fingerprint, and the cryptographic machinery will happen beneath the surface: invisible, secure, and self-custodial by design.
This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.

