Web wallets don't exist yet outside of testnet.

They have no downloadable app, don't require social login, and are powered by passkeys.

They are a new thing that will change everything.

One potential concern with passkey-based web wallets is that it trains users to sign transactions on popup windows, exposing the user to scams.

But a passkey is tied to the specific domain where it was created, so only the domain that created the passkey can request its use to sign transactions.

The benefits of pop ups for global web wallets far outpace the risks IMO. It creates an isolated environment, it lets the web wallet control dialogs and explanations, and in general created an experience familiar to oauth which people know and trust.

Building dynamic.xyz | @dynamic | /dynamic | web3 login for everyone - embedded wallets, crypto login, user mgnt, authz and more | Demo: demo.dynamic.xyz

I think mostly similar things that standard branded wallets face - how to educate customers about transactions before you sign them, protect users with tools like Blockaid and Blowfish etc. Enabling key export with minimal UX risk etc.

Agree! What are the primary security risks?

The user can't sign a malicious transaction on another domain because the passkey can't be requested by another domain.