Kyle McCollom
@kyle
One potential concern with passkey-based web wallets is that it trains users to sign transactions on popup windows, exposing the user to scams. But a passkey is tied to the specific domain where it was created, so only the domain that created the passkey can request its use to sign transactions.
1 reply
1 recast
31 reactions

itai (building dynamic.xyz)
@itai
The benefits of pop-ups for global web wallets far outpace the risks IMO. It creates an isolated environment, it lets the web wallet control dialogs and explanations, and in general creates an experience familiar to OAuth which people know and trust.
1 reply
0 recast
0 reaction

Kyle McCollom
@kyle
Agree! What are the primary security risks? The user can't sign a malicious transaction on another domain because the passkey can't be requested by another domain.
2 replies
0 recast
0 reaction

Kames
@kames
I haven't dug into the guts of the Coinbase smart wallet yet, so not sure if they're using an iframe, or some other trickery to get around this limitation, but different websites can access the same wallet, so technically speaking still a big risk there regarding malicious pop-ups.
1 reply
1 recast
1 reaction

itai (building dynamic.xyz)
@itai
I think mostly similar things that standard branded wallets face - how to educate customers about transactions before you sign them, protect users with tools like Blockaid and Blowfish etc. Enabling key export with minimal UX risk etc.
0 reply
0 recast
1 reaction
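
The domain binding discussed in this thread, as an added example that is not part of any post above: a sketch of the relying-party checks a wallet backend can run on a WebAuthn assertion, using the `origin` in `clientDataJSON` and the RP ID hash in the first 32 bytes of `authenticatorData`. The domain `wallet.example`, the function names and the sample data are assumptions made up for illustration, and signature verification is a separate step not shown.

```javascript
const crypto = require("crypto");

// Hypothetical relying-party settings for a wallet served from wallet.example.
const RP_ID = "wallet.example";
const ALLOWED_ORIGINS = new Set(["https://wallet.example"]);

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Checks the domain-binding fields of a WebAuthn assertion.
// Returns "ok" or the reason for rejection. The signature over
// authenticatorData || SHA-256(clientDataJSON) must be verified separately.
function checkAssertionBinding(clientDataJSON, authenticatorData, expectedChallenge) {
  let client;
  try {
    client = JSON.parse(clientDataJSON.toString("utf8"));
  } catch (err) {
    return "malformed clientDataJSON";
  }
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge) return "challenge mismatch";
  // The browser writes the origin of the page that called navigator.credentials.get().
  if (!ALLOWED_ORIGINS.has(client.origin)) return "origin not allowed";
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (authenticatorData.length < 37) return "authenticatorData too short";
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(RP_ID))) return "rpIdHash mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  return "ok";
}

// Constructed sample assertion data (no real authenticator involved).
function makeSample(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge, origin, crossOrigin: false })
  );
  const authenticatorData = Buffer.concat([
    sha256(rpId),              // rpIdHash
    Buffer.from([0x05]),       // flags: user present + user verified
    Buffer.from([0, 0, 0, 1]), // signCount
  ]);
  return { clientDataJSON, authenticatorData };
}

const challenge = "c2FtcGxlLWNoYWxsZW5nZQ"; // constructed base64url value
const genuine = makeSample("https://wallet.example", "wallet.example", challenge);
const lookalike = makeSample("https://wallet-example.test", "wallet-example.test", challenge);
console.log(checkAssertionBinding(genuine.clientDataJSON, genuine.authenticatorData, challenge));
console.log(checkAssertionBinding(lookalike.clientDataJSON, lookalike.authenticatorData, challenge));
```

These checks bind the assertion to the origin of the window that requested it, which for a popup wallet is the wallet's own domain rather than the site that opened the popup.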