With the development of account abstraction technology and standards like ERC-4337, passkeys are being integrated into smart contract wallets, enhancing security and providing a better user experience.
Currently, passkeys have been integrated and used on major crypto exchanges like Binance and Coinbase. But the question is, how can passkeys be integrated into smart contract wallets, and what impact will this have on security in the crypto ecosystem?
Smart contract wallets are considered one of Ethereum’s important breakthroughs, opening up enormous potential for managing assets and executing complex transactions without third-party intervention.
Meanwhile, passkeys (a passwordless authentication method) are gradually becoming a secure and convenient alternative to traditional authentication methods. Integrating passkeys into smart contract wallets not only brings security benefits but also provides a smoother user experience.
Why Can Passkeys Be Integrated into Smart Contract Wallets?
To understand why passkeys can be integrated into smart contract wallets, we first need to explore the origins of why Ethereum introduced the concept of smart contract wallets. Why develop smart contract wallets when we have been using EOA wallets all along?
Origin and Formation of Smart Contract Wallets
In the early years of Ethereum, wallets were mainly regular storage wallets called Externally Owned Accounts (EOAs). This type of wallet requires users to possess a pair of private cryptographic keys to manage assets and execute transactions.
However, managing these private keys presented many challenges in terms of security, recovery, and usability. For example, losing a private key could lead to the loss of all assets, and there was no way to recover the account if the user did not have a backup key.
The emergence of smart contract wallets aims to address these issues.
Smart contract wallets rely not only on private keys like traditional EOAs but also on smart contracts to manage assets and transactions. This helps automate complex processes such as authentication, account recovery, or setting specific transaction conditions.
Additionally, smart contract wallets offer more security and flexibility features, including:
- Multi-factor authentication (MFA)
- Ability to recover accounts when access to private keys is lost
- Transaction automation based on custom conditions
However, to further optimize security and flexibility, Ethereum needed a new approach to account management, which is why Account Abstraction and the ERC-4337 standard were born.
Account Abstraction Creates a Foundation for More Flexible Wallets
Account Abstraction provides an approach to decouple how accounts operate, thereby improving how these accounts function. Currently, there are two main types of accounts on Ethereum:
- Externally Owned Accounts (EOAs): These are regular accounts managed by private keys. Traditional wallets that users use to store assets and execute transactions rely on EOAs.
- Contract Accounts (CAs): These are accounts operated by smart contracts. Smart contract wallets use this type of account to implement automation and enhanced security features.
However, EOA accounts still rely on private keys to execute transactions, which creates limitations in adding security features like multi-factor authentication (MFA) or account recovery mechanisms. Account Abstraction is the solution that allows EOA accounts to function like Contract Accounts, thereby enabling the integration of advanced features such as passkeys, MFA, and recovery methods.
ERC-4337: The Standard Supporting Passkey Integration and Enhanced Security Features
The ERC-4337 standard was proposed to implement Account Abstraction without changing the core mechanism of Ethereum. Instead of having to modify the entire blockchain protocol, ERC-4337 uses a smart contract-based mechanism to simulate the features of Account Abstraction.
With ERC-4337, users can set account management rules and transaction authentication more flexibly, without relying entirely on private keys. Some notable features of ERC-4337 include:
- Bundling (combining multiple transactions): ERC-4337 allows bundling multiple transactions into one and only processing them when all authentication conditions are met, improving efficiency and security.
- Flexible authentication: Users can choose from various authentication methods, such as passkeys, OTP, or biometric authentication, enhancing security and optimizing the user experience.
- Account recovery capabilities: ERC-4337 provides the ability to set account recovery rules through backup devices or trusted contacts, mitigating the risk of asset loss when users lose access to their accounts.
Integrating Passkeys into Smart Contract Wallets
ERC-4337 creates an ideal environment for integrating passkeys as a primary authentication method in smart contract wallets. Each transaction on the wallet can require passkey authentication, enhancing security without impacting the user experience. This not only strengthens the protection of users’ assets but also facilitates the automation of transactions and secure account management.
Thanks to Account Abstraction and ERC-4337, Ethereum has created conditions for EOA wallets to become more flexible and secure, making smart contract wallets an ideal solution for users with high security needs and the need to automate transactions.
However, it is important to note that passkeys are just one of many features that can be integrated into smart contract wallets to improve both the user experience and security. In the context of this article, we are only exploring a more optimized aspect of smart contract wallets.
Read more: ERC-4337 is about to pave the way for millions of crypto users.
How are Passkeys Integrated into ERC-4337?
Integrating passkeys into Ethereum applications through the ERC-4337 standard requires two main steps: user passkey authentication and setting up a smart contract wallet capable of verifying passkeys. This process involves both backend technology and the user interface (UI) experience.
User Passkey Authentication
To utilize passkeys, developers need to integrate the WebAuthn API to create and sign passkeys on the user’s device. When a user registers a passkey, a public key and private key pair is generated. The private key is securely stored on the user’s device (such as a phone or computer), while the public key is used to authenticate transactions.
In a smart contract wallet, passkeys are not only used for login but can also execute secure transactions. Users need clear UI guidance on how to register a passkey, including using authentication methods like fingerprint, facial recognition, or PIN codes.
For better account protection, the UI should also provide the option to register a backup device or trusted contact to recover the account in case the user loses access to their primary device.
Setting Up a Smart Contract Wallet for Passkeys
In ERC-4337, each transaction is executed through a UserOperation – a request containing information about the action the user wants to perform and signature data for authentication. These UserOperations are bundled into transactions and included in Ethereum blocks. The wallet’s smart contract has two main functions:
validateUserOp: This function verifies the signature and charges transaction fees.Execution function: This function executes the transaction based on the information provided.
Passkeys are integrated into the validateUserOp step, replacing traditional passwords or seed phrases. The passkey signature is used to authenticate the user’s identity and ensure that only valid transactions are executed. Using the WebAuthn API helps create public-private key pairs and securely store the private key on the user’s device, which is then used to securely sign transactions.
To ensure that the smart contract can verify the passkey signature, developers need to modify it to support P256 signature verification – a common signature type in passkeys. This process requires changing the validateUserOp function to integrate the P256 signature verification algorithm. Users do not need to understand the technical details, but they need to be assured that passkeys will protect their transactions with the highest level of security.
Some frameworks like Daimo’s p256-verifier can help ease the development burden by providing pre-built libraries for verifying P256 signatures, making integration faster and more efficient.
Smart Contract Wallet Creation Process with Passkeys
Essentially, the main components involved in the wallet creation process include:
- Dapp: The decentralized application that users interact with to perform transactions.
- WebAuthn: The protocol used to create and sign cryptographic keys through passkeys
- Passkey Signer Module: The module that performs transaction signing based on passkeys.
- Wallet Infra: Wallet infrastructure, responsible for managing wallet creation and processing transaction requests.
The user accesses a Dapp and initiates the process of creating a smart contract wallet. The Dapp sends a request to the wallet infrastructure to create a smart wallet for the user. The wallet infrastructure manages the wallet creation process, including generating cryptographic key pairs.
The wallet infrastructure sends a request to the Passkey Signer Module to generate a public-private key pair. This key pair will be the primary security mechanism for the smart wallet. WebAuthn on the user’s device generates this key pair.
After WebAuthn generates the key pair, the public key is returned to the Passkey Signer Module to be converted into an Ethereum wallet address (ETH address). This address will be used to store assets and conduct transactions on the Ethereum network.
Finally, the wallet infrastructure returns the wallet address to the Dapp, and the Dapp displays the smart wallet address to the user. Once the wallet is created, the user can start using the smart wallet to manage assets and execute transactions on the blockchain.
Creating Transactions with Passkeys
When a user initializes a smart wallet for the first time, the system generates an initCode. This code is a hex string concatenated from components within the smart account and encryption commands to create an account owned by the passkey. From the user’s perspective, this process can be done automatically via the UI when they set up the wallet for the first time.
During a transaction, the passkey is used to sign the UserOperation – the user’s request sent to the blockchain to execute the transaction. The WebAuthn API generates a signature from the passkey, and the transaction is then sent to the Ethereum network for processing. On the backend, the smart contract verifies the signature and only executes the transaction if the signature is valid.
Challenges of Implementing Smart Contract Wallets with Passkey Integration
High Development Costs
Integrating passkeys into smart contract wallets requires significant development resources due to the complexity of connecting the WebAuthn API and smart contracts on Ethereum.
According to estimates from blockchain developers and companies like Apptunix and Antier Solutions, the cost of developing a complex smart contract wallet can range from $50,000 to $100,000. This cost depends on the complexity of the features, API integrations (such as WebAuthn for passkey functionality), and the size of the development team.
Additionally, the cost of security testing for these wallets, especially those integrating new security features like passkeys, can range from $5,000 to $30,000, depending on the complexity and depth of the code that needs to be tested.
Operational Fees and Gas Costs
Gas fees on Ethereum are one of the major challenges when deploying smart contract wallets. Complex smart contracts, such as those integrating passkeys, can require multiple processing steps on the blockchain, increasing the gas cost for each transaction.
- Smart contract wallets may require multiple transactions, such as wallet initialization via Create2 and signature verification, leading to higher gas costs compared to regular wallets.
- A study from the Ethereum Foundation shows that the gas cost for a complex transaction can be up to $15-30 depending on the state of the Ethereum network.
Compatibility and Device Support
Not all devices support the FIDO2/WebAuthn standard, especially older devices or operating systems that lack support. This can create difficulties in the widespread deployment of wallets using passkeys, hindering users from accessing wallets and conducting transactions.
Although passkeys enhance security, for some users, using them can add a layer of complexity. Users need to understand the process of registering and managing passkeys, and in case of device loss, the account recovery process can be difficult if not prepared in advance.
Optimizing Gas Costs with EIP-4337 and EIP-7212
EIP-4337 and EIP-7212 have been proposed to address the issue of gas costs and improve the user experience when deploying smart contract wallets.
- EIP-4337 (Account Abstraction) helps optimize the transaction process, combining multiple processing steps into one, thereby reducing gas costs and improving the user experience. It also supports account recovery rules in case of access loss, enhancing security and ease of use for passkeys.
- EIP-7212 optimizes the P256 signature verification process, significantly reducing gas costs for passkey-related transactions while increasing authentication speed, making transactions faster and smoother.
Both of these improvements help make passkeys more efficient and cost-effective to use in smart contract wallets.
Read more: Misconceptions about Private Keys in Passkeys, EOA Wallets, and Smart Contract Wallets.
