PassKey
PassKey is a new standard for passwordless authentication based on public-key cryptography, designed to replace passwords with a simpler and more secure model. Instead of remembering and typing a password, users authenticate with a biometric (such as Face ID or fingerprint), a device PIN, or a trusted authenticator. The device generates and stores the private credential securely, and only a corresponding public key is shared with the service.
In the context of cryptocurrency custody, PassKey is a natural fit for protecting wallet access and transaction authorization. It brings both security and usability, ensuring that only legitimate users can initiate actions, while removing many of the risks and inconveniences of passwords and shared secrets.
Key Characteristics
Cryptographic authentication
When a PassKey is created, a key pair is generated on the user’s device. The private key never leaves the device and cannot be extracted. During authentication, the device signs a challenge from the service, proving possession of the private key without exposing it.
Biometric and device binding
PassKey is tied to the user’s device and secured with a biometric factor (fingerprint, facial recognition) or a device PIN. This ensures that even if someone steals the device, they cannot use the PassKey without unlocking it locally.
Cross-platform support
PassKey is built on the WebAuthn and FIDO2 standards. It works across platforms and browsers, and can sync through trusted cloud providers (such as iCloud Keychain or Google Password Manager), allowing users to log in on multiple devices without manual key transfer.
Phishing resistance
Unlike passwords or SMS codes, PassKey is bound to a specific domain. A phishing site cannot trick a PassKey into authenticating because the cryptographic challenge is tied to the legitimate service origin.
Security Benefits
Stronger than passwords
PassKey removes common password vulnerabilities: weak selection, reuse, database breaches, and phishing attacks. Authentication relies on cryptographic proof, not shared secrets.
Easy for users
No need to remember or manage complex credentials. Users simply approve with Face ID, fingerprint, or a device PIN, making secure authentication as seamless as unlocking a phone.
Resistance to credential theft
Because the private key never leaves the device, even a compromised server or intercepted network traffic cannot reveal the secret.
PassKey in Cryptocurrency Custody
Wallet access
PassKey authenticates users into the Secubit dashboard, replacing passwords with biometric-backed cryptography.
Transaction approval
In non-custodial or hybrid wallet models, PassKey protects a user’s approval key or MPC share. A transaction may require multiple PassKey-backed approvals, enforcing strong governance with a simple user experience.
Integration with standards
Since PassKey is based on WebAuthn, it integrates directly with browsers, mobile apps, and hardware authenticators. This makes it a natural fit for Secubit’s goal of easy integration and universal support.
How Secubit Uses PassKey
Secubit leverages PassKey as the default user authentication method for wallet operations. In custodial mode, PassKey is used to sign approvals for the HSM. In non-custodial mode, PassKey provides the same approval signing and also protects the client’s local MPC key share using the Secure Element, ensuring that only the rightful user can participate in signing.
By combining PassKey with HSMs and MPC, Secubit achieves a model where cryptographic security extends from the hardware root of trust all the way to the end-user device, providing institutional security with consumer-grade usability.