Passkeys - How They Work

Passkeys are a passwordless authentication technology based on the FIDO2 WebAuthn standard. They provide phishing-resistant security and a superior user experience compared to traditional passwords.

What are Passkeys?

Passkeys are cryptographic credentials that use public-key cryptography to authenticate users. They consist of a public key stored on the server and a private key stored securely on the user's device. The private key never leaves the device, making passkeys highly secure against phishing attacks and data breaches.

How We Use Passkeys?

In IBEx.Fi, each passkey becomes the signer of a Safe{Wallet} smart account. When a user registers with a passkey, the public key (P-256 / secp256r1 coordinates) is used to deploy a Safe smart wallet on-chain, with the passkey as sole owner.

This means the user's biometric (Face ID, fingerprint, Windows Hello) directly controls their on-chain wallet — no seed phrase, no password, no private key to manage. Every transaction is signed by the passkey via WebAuthn, verified on-chain by the Safe4337Module, and submitted as a gasless UserOperation.

Beyond the Safe wallet, the same passkey can optionally derive keys for EOA wallets (EIP-7702) and multi-chain wallets (Solana, Bitcoin, Cosmos…) via deterministic Key Derivation (KDF).

How Passkeys Work

Registration (Sign-up)

1. The server generates a challenge and sends registration options to the client.
2. The user's device (browser/OS) creates a new cryptographic key pair (public/private).
3. The private key is stored securely on the device (in the OS keychain or password manager).
4. The public key, along with an attestation proving the key was created on an authentic device, is sent to the server.
5. The server verifies the attestation and stores the public key associated with the user's account.

Authentication (Sign-in)

1. The server generates a challenge and sends authentication options to the client.
2. The user's device prompts for biometric authentication (fingerprint, face recognition) or device PIN.
3. The device uses the private key to sign the challenge.
4. The signed challenge (assertion) is sent to the server.
5. The server verifies the signature using the stored public key and authenticates the user.

Supported Operating Systems

The IBEx.Fi API supports passkeys across all major operating systems and platforms:

Platform	Passkey Provider	Authentication Method
Android	Google Password Manager	Fingerprint, Face unlock, Screen lock PIN
iOS / iPadOS	Apple iCloud Keychain	Face ID, Touch ID, Device Passcode
macOS	Apple iCloud Keychain	Touch ID, Face ID (on supported Macs), Device Password
Windows	Windows Hello	Windows Hello (Face, Fingerprint, PIN), Security Key
Linux	Platform authenticators, Security Keys	Hardware security keys (FIDO2), Platform authenticators
Web Browsers	Browser-managed passkeys	OS-level authentication (varies by platform)

Password Manager Compatibility

The IBEx.Fi API is designed to be compatible with third-party password managers that support FIDO2/WebAuthn, including:

• Dashlane - Full support for passkey creation and authentication
• 1Password - Compatible with WebAuthn passkeys
• Bitwarden - Supports FIDO2 passkeys
• Other FIDO2-compliant password managers

Supported Key Formats

To ensure maximum compatibility with different password managers and platforms, the IBEx.Fi API automatically normalizes public keys from multiple formats:

• DER SPKI (SubjectPublicKeyInfo) - Standard format used by most browsers and platforms
• Raw EC Point (64/65 bytes) - Uncompressed elliptic curve point format (x||y coordinates)
• COSE (CBOR Object Signing and Encryption) - CBOR-encoded EC2 key format used by some password managers like Dashlane

The API automatically detects and converts these formats to the standard SPKI DER format required for Safe Global wallet operations, ensuring seamless compatibility across all supported platforms and password managers.

Algorithm Support

The IBEx.Fi API strictly uses the ES256 algorithm (Elliptic Curve Digital Signature Algorithm with P-256 curve and SHA-256 hashing), which corresponds to:

• COSE Algorithm ID: -7 (ES256)
• Curve: P-256 (prime256v1, secp256r1)
• Hash Function: SHA-256

This algorithm is widely supported across all major platforms and password managers, ensuring broad compatibility.

Passkey Labels (keyName vs keyDisplayName)

When creating a passkey, you can specify two optional labels:

• keyName: Primary identifier displayed by the OS. Use this for short, stable identifiers like email addresses or usernames. This is the main identifier shown in password manager interfaces.
• keyDisplayName: Optional decorative label. This may be ignored by some interfaces and is primarily used for display purposes.

Platform-Specific Behavior

• Android (Google Password Manager): keyName is visible as "username"; keyDisplayName is not guaranteed to be displayed.
• Apple iCloud Keychain: keyName is used as the "Account" identifier; keyDisplayName is often ignored.
• Windows Hello: keyName is displayed as the identifier; keyDisplayName is generally ignored.
• Password Managers (Dashlane, 1Password, etc.): Behavior varies, but keyName is typically the primary identifier shown in the interface.

Security Benefits

• Phishing Resistance: Passkeys are cryptographically bound to the domain (rpId), preventing phishing attacks even if users are tricked into visiting malicious sites.
• No Password Storage: Private keys never leave the user's device, eliminating the risk of password database breaches.
• Biometric Authentication: Users authenticate using their device's biometric sensors (fingerprint, face recognition) or device PIN, providing a seamless and secure experience.
• Device-Bound: Passkeys are tied to the device where they were created, adding an extra layer of security.

Integration with IBEx.Fi

In the IBEx.Fi API, passkeys serve a dual purpose:

1. Authentication: Users sign up and sign in using passkeys instead of passwords.
2. Wallet Control: The private key for the Safe Global wallet is deterministically derived from the passkey, ensuring that only the user who owns the passkey can control the wallet.

This means that a single passkey provides both secure authentication and wallet control, without the server ever accessing or handling the user's private key.

Smart Contract Wallet Deployment

Passkeys are the entry point for deploying self-custody wallets on IBEx.Fi. The passkey's private key is used to deterministically derive the wallet's signing key — the server never accesses or handles it.

• Safe Global Wallets — ERC-4337 smart contract wallets with modules for recovery, multisig, automation, DeFi. All operations are gasless (paymaster-sponsored) and require only one WebAuthn signature.
• EOA Wallets (EIP-7702) — Externally Owned Accounts that delegate execution to a Safe proxy via EIP-7702. The EOA keeps its address but gains smart contract capabilities (modules, guards, multi-sig).

Both wallet types share the same API endpoints (/v1.2/auth/signup, /v1.2/safes/operations) and are distinguished by a walletMode field (SAFE_4337 or EOA_7702).

Learn More

For more information about passkeys and the FIDO2 standard, visit the FIDO Alliance website.