PR: feat: passkey std by guimroque · Pull Request #18 · Bako-Labs/bako-safe · GitHub
Demo app
Demo video
Implementation example
For a little over a year, I have been delving into the study of the webauthn.io library, which leverages the browser’s native Credentials API to enable passwordless authentication through a key pair. This modern approach reduces entry barriers and provides a simplified and secure experience for both users and developers.
With the necessary technical expertise, the signature pattern based on WebAuthn has been integrated into Bako Safe predicates. Currently, approximately 40% of the platform’s users leverage Passkeys, validating the potential of this streamlined experience to enhance onboarding and usability across the entire Fuel ecosystem.
Therefore, I propose a straightforward method to enable other dApps to integrate this powerful feature. Any suggestions are highly welcome.
Passkeys are built on the WebAuthn protocol (webauthn.io) to provide secure and efficient authentication management. WebAuthn is a W3C standard that facilitates authentication using asymmetric keys, eliminating the need for traditional passwords.
WebAuthn Details
- Asymmetric Keys: WebAuthn uses a pair of public and private keys, where the private key is securely stored on the user’s device, protected by hardware or secure software.
- Phishing-Resistant Credentials: Credentials created by WebAuthn are tied to the origin domain, making phishing attacks ineffective.
- Support for Multiple Authenticators: Integrates with devices such as biometrics (FaceID, fingerprint), YubiKeys, and smart cards.
Bako Predicates and WebAuthn Integration
Bako predicates have been designed to support WebAuthn signatures since the mainnet launch. Initially, this functionality was limited to the safe.bako.global dApp.
This proposal aims to enable any dApp to easily integrate a fast wallet connection. Additionally, this same wallet can be used across other dApps within the ecosystem, fostering greater interoperability and easier adoption.
Key Addresses in the Architecture:
- Passkey Public Address: Exclusively used for signing messages and transactions.
- Vault Address: A result of a Bako 1/1 multisig, where the passkey address acts as the signer. All assets should be directed to the vault address.
Functionality and Architecture of Passkey Integration
To ensure the security of the WebAuthn protocol, it is essential that users create Passkeys and perform signatures exclusively within the same domain. This practice strengthens the binding of credentials to their origin domain, preventing attacks and maintaining the consistency required by the library’s specification.
Based on this requirement, the module injects a popup directly onto the browser screen. This popup contains the necessary logic to interact with the navigator.credentials API, ensuring that all operations follow the expected flow. The SDK acts as the main orchestrator, managing the flow of messages between the dApp, the popup (bako_page), and other system components. In this way, the popup’s state is synchronized in real time, providing a seamless and secure user experience.
Limitations
While Passkeys provide a robust and secure experience, it is important to consider some inherent limitations of the technology and its current implementation:
- Binding to the Creation Domain: Passkeys are bound to the domain where they were created. This means, for example, that it is not possible to create an account on safe.bako.global and use it to sign in on google.com.
- Use of Popups: Depending on the browser, if the popup is triggered too long after a user’s action, the browser may block its opening. It is crucial that the interaction with the popup occurs immediately after the user’s action to avoid this issue.
- Local Storage of Keys: Currently, the keys are stored locally by the browser within the context of the dApp. For multiple dApps to use the same keys, sharing this information between dApps would be necessary. Internally at Bako, we are exploring solutions to provide this functionality in a simplified and decentralized manner, and the use of handlers like BakoID could be a viable approach.
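The domain binding described above can be checked on the verifying side from the two origin-bound parts of a WebAuthn assertion. The following is an added example, not code from this PR or from Bako Safe: the function names, the expected origin and RP ID values, and the sample inputs are assumptions for illustration, and signature verification is a separate step that is not shown.

```javascript
// Added example: checks that enforce WebAuthn's binding to the creation domain.
const { createHash } = require("node:crypto");

// Assumed values for illustration; a deployment uses its own origin and RP ID.
const EXPECTED_ORIGIN = "https://safe.bako.global";
const EXPECTED_RP_ID = "safe.bako.global";

const sha256 = (data) => createHash("sha256").update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// Validates clientDataJSON (written by the browser) and authenticatorData
// (written by the authenticator) against the expected domain and challenge.
function checkAssertionBinding({ clientDataJSON, authenticatorData }, expectedChallenge) {
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return fail("clientDataJSON is not valid JSON");
  }
  // The browser records the ceremony type, the challenge and the calling origin.
  if (clientData.type !== "webauthn.get") return fail("unexpected ceremony type");
  if (clientData.challenge !== expectedChallenge) return fail("challenge mismatch");
  if (clientData.origin !== EXPECTED_ORIGIN) return fail("origin mismatch");

  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  const authData = Buffer.from(authenticatorData);
  if (authData.length < 37) return fail("authenticatorData too short");
  if (!authData.subarray(0, 32).equals(sha256(EXPECTED_RP_ID))) {
    return fail("rpIdHash mismatch");
  }
  // Flags bit 0 is User Present (UP); it must be set for a valid assertion.
  if ((authData[32] & 0x01) === 0) return fail("user presence flag not set");
  return { ok: true, reason: "binding checks passed" };
}

// Builds a constructed (not captured) assertion for a given origin and RP ID.
function buildSample(origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge, origin })
  );
  // Flags 0x05 = User Present | User Verified; signCount left at zero.
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  return { clientDataJSON, authenticatorData };
}
```

An assertion produced on any other domain fails the origin or rpIdHash check even when the challenge is correct.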