Tony D’Addeo
@deodad
7702
- EOA key still needs to be stored
- passkey signing is blind and confusing since the system UIs can’t be changed and refer to signing in
- passkey sync has holes (x platform)
- session keys UX unclear: how are keys requested? what’s the trade off between exposing complexity to users around restrictions vs making it magic but users don’t know what they’re approving?
7 replies
5 recasts
50 reactions

Mikko
@moo
Most Ethereum signing, outside very basic transactions, is basically blind because Ethereum does not have human-readable transactions. It's not just 7702 or something it could fix. Or anyone could fix.
1 reply
0 recast
4 reactions

Tony D’Addeo
@deodad
good point but it’s even slightly worse here in that you don’t even know you’re doing a crypto tx
3 replies
0 recast
3 reactions

jxom
@jxom
Secp256k1 is even worse, there's no "prompt" at all. ;) We have normalized the pattern of Wallets interfacing over Secp256k1 signing (ie. browser extensions, WalletConnect, etc), so same goes for Passkey signing.
3 replies
0 recast
3 reactions

Mikko
@moo
I believe Deodad's point is that for most devices (Android / iPhone) the Passkey request to sign to transfer out X amount of ETH is indistinguishable from a Passkey request to log in to a website.
1 reply
0 recast
1 reaction

jxom
@jxom
The Wallet would preface with a UI before the end-user signs w/ passkey, no?
1 reply
0 recast
1 reaction

Mikko
@moo
Yes, but the problem is that the final leg of actually pressing the OK button comes from the mobile operating system dialog box. And that dialog box is indistinguishable from other mobile operating system dialog boxes that just say "Passkey signing request." If you do Passkey signing on a laptop using a mobile device, then there is no indication at all on mobile of what could have initiated the request. So if someone gets access to your laptop, they can bomb your mobile phone with signing requests without content.
1 reply
0 recast
0 reaction

jxom
@jxom
Isn't this problem orthogonal to 7702 and Passkeys though? You could argue the same for an account controlled by any type of other key (secp, p256, etc).
2 replies
0 recast
1 reaction

Mikko
@moo
Also, it took 10 years to get the first Passkeys to mobile phones with the WebAuthn standard, so I expect any improvements to the protocol will take an equal amount of time, but doable.
0 reply
0 recast
0 reaction

Mikko
@moo
It's a problem with WebAuthn, which is the standard Passkeys have been built on.
1 reply
0 recast
0 reaction