Passkey
Passkey provides a secure and user-friendly alternative for submitting transactions to Sui. Built on the WebAuthn standard, passkey lets users authenticate and sign transactions using:
- Hardware security keys, such as YubiKeys
- Mobile devices, such as smartphones and tablets
- Platform-based authenticators, such as Face ID and Touch ID
Passkey simplifies authentication by removing the need to manage seed phrases or private keys manually. Instead, it relies on device-based authentication and cloud synchronization, allowing seamless, phishing-resistant access across multiple devices. You can also use passkey in a multisig setup, which provides more flexibility to build secure and recoverable wallet experiences.
By supporting the passkey signature scheme, Sui improves security and accessibility, making it easier for users to manage their accounts with hardened security. Passkey-based wallets are tied to the origin, meaning they cannot be phished or used on a different site. This makes passkey a more secure authentication option.
See the TypeScript SDK documentation to learn how to add passkey support to your application. For the product specification, see SIP-9.
Passkey support is available in beta in Sui Devnet and Testnet. The Mainnet release is not yet scheduled.
Benefits of using passkey
-
Sign transactions securely: Users can sign transactions in Sui using passkey, while the private key stays securely stored within the authenticator. This reduces the risk of key extraction attacks. Users can sign transactions in Sui using passkey, while the private key stays securely stored within the authenticator. This reduces the risk of key extraction attacks.
-
Authenticate across devices
Users can scan a QR code displayed on a desktop browser with a mobile device to approve transactions. Cloud-synchronized passkey (such as those stored in Apple iCloud or Google Password Manager) lets users authenticate across multiple devices without manual key transfers. -
Use hardware security keys
Users can sign transactions with external security keys, such as YubiKeys, to add another layer of protection against phishing and unauthorized access. -
Authenticate with platform-based security
Users can sign transactions directly on devices with built-in authenticators, such as Face ID on iPhones or Windows Hello on Windows PCs. This approach lets users sign transactions natively without needing an external security key. -
Recover access with cloud-synced passkey
Cloud-synced passkey helps users recover access if they lose a device. -
Work with multisig wallets
Combine passkey with other authentication types to build 2-of-2 or m-of-n multisig wallets. This enables secure recovery options and shared access patterns.
Limitations of passkey
-
Functionality varies by authenticator
Some security keys do not support biometric authentication, requiring users to enter a PIN instead. Because WebAuthn does not provide access to private keys, users must either store their passkey securely or enable cloud synchronization for recovery. -
Cloud synchronization introduces risks
Cloud-synced passkey improves accessibility but also creates risks if a cloud provider is compromised or if a user loses access to their cloud account. Users who prefer full self-custody can use hardware-based passkey that does not rely on cloud synchronization. -
Passkey cannot be exported
Users cannot transfer a passkey between different authenticators. For example, a passkey created on a security key cannot move to another device unless it syncs through a cloud provider. To avoid losing access, users should set up authentication on multiple devices.