SevenX Ventures has invested in Flashbots, DODO and others, from infrastructure to wallets and DeFi, with over 120 portfolio companies.
Passkeys… could bring the ultimate web3 experience.
Life journey of a key on Ethereum: you have to protect your key. When you intend to sign a transaction, you hash the transaction, sign the hash, then broadcast it. The node extracts the public key from the signature and compares the derived address with the sender's address; if they match, it checks the balance, and the nonce prevents replay. If the transaction is valid, it is included in a block.
The private key is not human-readable or memorable (32 bytes), and seed phrases suck and are difficult to remember.
There are multiple ways to preserve the key,
e.g. MPC with combined split shares, MPC-TSS (threshold signing), and secret sharing schemes: splitting the responsibility of preserving the key and recovering it across different parties, so it's safer than having one single key. When you sign something, the shares are combined to produce the signature.
There's also multi-sig, where multiple single keys come together to sign something, e.g. via signature aggregation.
Whether it's one key or a key split into shares, we need to preserve it. Different places to store keys:
How can we access these key shares? That is authentication: something we have (e.g. a cellphone number), something we are (retina/fingerprint), something we know (e.g. a password).
MetaMask uses a local key on the computer.
Privy's solution:
What could be better?
WebAuthn:
81% of hacks relate to password leaks. The alternative could be a YubiKey or other methods where the authenticator creates the keypair and the keypair never leaves the device; you can use the public key and the signature to do the verification. For security this gives phishing resistance: WebAuthn happens locally and the key never leaves the authenticator, so you never share secrets with the server, which only verifies your signature.
'Cloud-based WebAuthn'
There are diverging use cases:
Device-based WebAuthn:
How can we achieve cross-device + cross-platform?
Different verifier solutions:
Another option is Solidity verification (FCL's libraries).
Hardware security modules are known to be exploited more often? But if you look at the ZK projects, they've been exploited more often due to new cryptography.
One option is a ZK verifier: Risc0 Bonsai (Bonfire wallet) and Axiom's halo2-ecc (Know Nothing Labs).
The fourth option is a protocol solution: EIP-7212.
The fourth one, EIP-7212, is the cheapest overall, as shown by the Clave team's experiments.
Rollups should implement EIP-7212, which should be the first RIP (rollup proposal).
The burger of Juicy Web3:
Key layer: WebAuthn
Account layer: smart contract with multiple signers, multiple keys
Verifier: r1 precompile on rollups / FCL / Risc0
Experience:
easy auth: sign in with Face ID / fingerprint
high security: anti-phishing, no need for a password
easy recovery: assign a new device, or social recovery methods (guardians)
flexibility: allows upgradable rules, e.g. threshold signing
What about MPC?
Question:
Remark:
Use: multiple device-based authentication; we are suggesting multi-sig?
Could have a time-lock for recovery, so something will only be recoverable after a 7-day delay. If somebody steals it, you can lock it?