Passkeys
Passkeys provide a secure and user-friendly alternative for submitting transactions to Sui. Built on the WebAuthn standard, passkeys let users authenticate and sign transactions using:
- Hardware security keys, such as YubiKeys
- Mobile devices, such as smartphones and tablets
- Platform-based authenticators, such as Face ID and Touch ID
Passkeys simplify authentication by removing the need to manage seed phrases or private keys manually. Instead, they rely on device-based authentication and cloud synchronization, allowing seamless, phishing-resistant access across multiple devices.
By integrating passkeys, Sui improves security and accessibility, making it easier for users to manage their accounts without compromising decentralization or cryptographic security.
Refer to the TypeScript SDK support for how to add passkey support to your application. You can also refer to SIP-9 for the product specification.
Passkey support is available in beta on Sui Devnet and Testnet. The Mainnet release is yet to be scheduled.
Benefits of using passkeys
Sign transactions seamlessly
Users can sign transactions in Sui using passkeys, where the passkey private key stays securely stored within the authenticator, reducing the risk of key extraction attacks.
Authenticate across devices
Users can approve transactions on their mobile phones by scanning a QR code from a desktop browser. Cloud-synchronized passkeys (such as those stored in Apple iCloud or Google Password Manager) let users authenticate across multiple devices without manual key transfers.
Use hardware security keys
Users can sign transactions with external security keys, such as YubiKeys, to add an extra layer of protection against phishing and unauthorized access.
Authenticate with platform-based security
Users can sign transactions directly on devices with built-in authenticators (such as Face ID on iPhones or Windows Hello on Windows PCs). This approach lets users sign transactions natively without needing an external security key.
Recover access and secure accounts with multi-signature authentication
Cloud-synced passkeys help users recover access if they lose a device.
Limitations of passkeys
Passkey functionality varies by authenticator
Some security keys do not support biometric authentication, requiring users to enter a PIN instead. Also, because WebAuthn does not provide access to private keys, users must store their passkeys securely or enable cloud synchronization for recovery.
Cloud synchronization introduces potential risks
Cloud-synced passkeys improve accessibility but also create risks if a cloud provider is compromised or if a user loses access to their cloud account. Users who prefer full self-custody can rely on hardware-based passkeys that do not use cloud synchronization.
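An application can tell which kind of passkey produced a signature by reading the flags byte in the WebAuthn authenticator data returned with each assertion: it reports whether the user was verified (PIN or biometric) and whether the credential is eligible for, or already in, cloud backup. The following TypeScript is an added example, not code from the Sui SDK; `describeAuthenticatorData` and `sampleAuthData` are hypothetical names, and the sample bytes are constructed.

```typescript
// Fixed header of WebAuthn authenticator data:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // user present (touch or similar gesture)
const FLAG_UV = 0x04; // user verified (PIN or biometric)
const FLAG_BE = 0x08; // backup eligible: the credential may be synced
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

interface PasskeyPosture {
  userPresent: boolean;
  userVerified: boolean;
  signCount: number;
  custody: "device-bound" | "syncable-not-synced" | "synced";
}

function describeAuthenticatorData(authData: Uint8Array): PasskeyPosture {
  if (authData.length < 37) {
    throw new Error("authenticator data shorter than the 37-byte fixed header");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = view.getUint8(32);
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backedUp = (flags & FLAG_BS) !== 0;
  // WebAuthn does not allow BS without BE; reject instead of guessing.
  if (backedUp && !backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
    custody: backedUp ? "synced" : backupEligible ? "syncable-not-synced" : "device-bound",
  };
}

// Constructed sample input: zeroed rpIdHash placeholder, caller-chosen flags and counter.
function sampleAuthData(flags: number, signCount: number): Uint8Array {
  const data = new Uint8Array(37);
  const view = new DataView(data.buffer);
  view.setUint8(32, flags);
  view.setUint32(33, signCount, false);
  return data;
}

// A cloud-synced platform passkey versus a security key used without PIN or biometric.
console.log(describeAuthenticatorData(sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)));
console.log(describeAuthenticatorData(sampleAuthData(FLAG_UP, 7)));
```

The flags are only trustworthy after the assertion signature over the authenticator data has been verified.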
Passkeys cannot be exported
Users cannot transfer passkeys between different authenticators. For example, a passkey created on a security key cannot move to another device unless it syncs through a cloud provider. To avoid losing access, users should set up authentication on multiple devices.
Multisig support is not available yet
Passkeys are not yet supported with Multisig; that support could allow using a passkey together with zkLogin. Reach out to us if you are interested in such support.