Greg on Warpcast

Greg pfp

Passkey-based wallets are cool but I feel like people are skipping over the part where passkeys are scoped to domains, which means the provider could effectively brick your wallet at any time (I think, please tell me if I'm wrong) Sounds like backup signers are in the roadmap but feels like an important caveat

21 replies

13 recasts

165 reactions

Adam Hodges 🔵-' pfp

Adam Hodges 🔵-'

Correct! Adding a non-passkey recovery key is our top priority at the moment.

1 reply

0 recast

13 reactions

cryptocellaris.eth 🎩 pfp

cryptocellaris.eth 🎩

@cryptocellaris

savye problem with visa or your bank account the masses don't care as long as it works most of the time and is easy

1 reply

0 recast

2 reactions

greg pfp

I’m not sure if Coinbase Smart Wallet allows this but in theory you could just add another signer to the smart wallet, right?

1 reply

0 recast

0 reaction

David Furlong pfp

are all passkeys like this?

1 reply

0 recast

0 reaction

itai (building dynamic.xyz) pfp

itai (building dynamic.xyz)

You're right - passkeys are domain bound and so technically if you can't access that domain you'll have an issue. A solution around this is adding more signer options etc that let you access the smart contract account in other ways.

1 reply

1 recast

11 reactions

zack pfp

Completely agree. Passkeys need to be more easily exportable + easily duplicated across different devices and ecosystems. Until then: https://warpcast.com/labadie.eth/0x452c0eac

0 reply

1 recast

1 reaction

Harpalsinh Jadeja pfp

Harpalsinh Jadeja

0 reply

1 recast

1 reaction

vrypan |--o--| pfp

I don't trust passkeys because I don't know how they work. Probably my fault. But I get the feeling that under the magical-one-touch-login there's a compromise and they've tried so much to make it "user friendly" I can't tell what it is.

0 reply

0 recast

1 reaction

Tim Mustafin pfp

I never looked into specs of passkeys, thanks for the highlight! I genuinely thought it's just a keypair like any other public key cryptography. Since self-hosted bitwarden can be used as passkey storage, the problem of untrusted provider can be avoided, right? (for geeks who self-host)

0 reply

1 recast

2 reactions

↑langchain 🎩 pfp

↑langchain 🎩

Ah I hadn’t thought about this deeply when I was creating it. This makes sense. Why not host these things on IPFS/Arweave? Is it not that simple?

1 reply

1 recast

1 reaction

Nitya pfp

Great post! I agree this isn't talked about as much- the ease of any 1-factor setup path (whether its passkeys-only or social-only) will be inherently brittle

0 reply

1 recast

1 reaction

matt ↑ ᖽ pfp

🧡 CB wallet and the new Smart Wallet but feel social recovery / forgot password would’ve been killer feature for onboarding. Marginally easier to custody a passkey then seed phrase but fact remains there’s a single point of failure and you’re rekt. any plans for soc recovery @wilsoncusack ?

1 reply

1 recast

1 reaction

Myk.eth pfp

TIL you can have multiple passkeys control the same wallet. Could be a useful mitigation to this.

0 reply

0 recast

2 reactions

gyrenich1 pfp

0 reply

0 recast

0 reaction

GuruGrid pfp

You raise a valid point about the potential risks associated with domain-scoped passkeys. It's crucial to consider the implications of a provider's control over wallet access. Backup signers could be a good solution, but users should be aware of these dependencies while the technology matures.

0 reply

0 recast

0 reaction

Luke Puplett pfp

Implementers and builders should also consider ways for things in wallets to be cancelled and reissued, or even continual renewals, where that makes sense. Thinking more of attestations and the like.

0 reply

0 recast

0 reaction

timdaub pfp

Is this even true if e.g. set my host file to 127.0.0.1 wallet dot coinbase dot com? Like are the passkeys 100% inaccessible?

0 reply

0 recast

0 reaction

Manarkamel pfp

Just learned about

0 reply

0 recast

0 reaction

Manarkamel pfp

0 reply

0 recast

0 reaction