Discover more from Clave
What is Secure Enclave, Passkeys, Webauthn - A General Review
Demystifying Biometric Authentication in Web3: A General Review of WebAuthn, Secure Enclave, and Passkeys Based Wallets
In the realm of web3, the concept of account ownership is fundamentally anchored in the principles of cryptography. This cryptographic foundation necessitates the secure storage of a 12-word mnemonic phrase, a critical component that grants users access to their funds. The requirement to securely store and manage these 12 words presents a substantial barrier to users, especially those who are new to the web3 environment. It is in addressing this challenge that technologies like WebAuthn and passkeys become pivotal. These technologies aim to streamline user interaction with cryptographic systems, enhancing security while mitigating the complexities associated with managing cryptographic keys. In the subsequent sections, we will delve into the evolution of WebAuthn, explore the implications of passkeys, and examine how Secure Enclave and similar technologies are shaping user-friendly approaches to secure account management in web3.
WebAuthn: Paving the Way for a Passwordless Internet
As the adoption of the internet continues to surge, managing keys has emerged as a significant challenge, underscoring the industry's need for a more secure and user-friendly authentication mechanism. WebAuthn stands at the forefront of addressing this issue. It represents a groundbreaking standard aimed at reshaping the landscape of the internet by enabling passwordless authentication, a transformative approach to user access and security.
Developed by the FIDO Alliance and (W3C), WebAuthn was conceived to mitigate the vulnerabilities and hassles associated with password-based systems. It offers a robust framework that leverages public-key cryptography, scoped specifically to domains, to authenticate users. This eliminates the reliance on passwords, thereby preventing different attack vectors.
The inception of WebAuthn marks a pivotal moment in the evolution of internet security. It not only fortifies defenses against cyber threats but also enhances user experience by obviating the need to manage multiple unique passwords across various websites and applications. This revolutionary standard alleviates the common frustrations of forgotten passwords, account lockouts, and the subsequent password resets, paving the way for a smoother, more secure internet experience.
WebAuthn has been embraced by numerous major websites and services, including Google, Facebook, and Microsoft, and is supported by most major browsers like Chrome, Firefox, Edge, and Safari. Its widespread adoption and continuous development underscore its pivotal role in shaping a more secure and user-centric internet. At Clave, we are at the forefront of adapting WebAuthn and Secure Enclave to be ready for web3, ensuring that the innovations in security and user authentication are in alignment with the evolving landscape of decentralized technologies, bringing forth a seamless and secure experience in the web3 environment.
Passkeys: WebAuthn but on Apple Devices
Passkeys are a revolutionary technology, grounded in the WebAuthn standard, which employs public key cryptography to establish a new paradigm in user authentication. When a user registers an account on an app or website, the device’s operating system generates a unique pair of cryptographic keys, specifically and securely, for that account.
Here’s how it works:
Private Key Creation: The user’s operating system creates a private key. This key is stored securely in different locations, which we will explore in detail in the following sections. It’s crucial that the private key is stored securely as it is fundamental to account ownership.
Public Key Creation: While the private key is securely stored, the operating system calculates the public key from it. This public key is shared with servers and is not kept secret, as it’s used to verify the user’s identity.
Server-Side Verification: The servers use the received public key to verify the ownership of the account, ensuring that the user is who they claim to be, thus completing the secure and user-friendly authentication process.
For Apple device users, features like Touch ID or Face ID can authorize the use of the passkey, authenticating the user swiftly and securely to the app or website. The beauty of passkeys lies in their simplicity and strength—there are no shared secrets transmitted, and they are highly resistant to phishing attacks and can be authenticated via Biometric Authentication.
The crucial aspect of Passkeys lies in the generation and storage of the Private Key. As per Apple's documentation (accessible at https://support.apple.com/en-us/102195), the Private Key is generated through the operating system and stored in the iCloud Keychain. Consequently, Passkeys cannot ensure hardware-level security and its security level is on par with that of iCloud Keychain.
Secure Enclave: Most Advanced Security Model for Key Management.
Storing Private Keys on the keychain is a widely accepted method to ensure their security. However, this approach is not without its challenges:
Passkeys stored in the keychain are recoverable only if the user has enabled iCloud on their device. This means that the moment a user signs in via iCloud, the recoverability of their Passkeys becomes possible. However, not all users might be aware of this, leading to potential data loss if they believe their Passkeys are recoverable when they're not.
Additionally, while the keychain provides a secure environment, it doesn't guarantee hardware-level security. To utilize a private key, it's momentarily copied in its plain-text form into the system memory. This brief exposure, albeit small, presents an attack surface. If an app is compromised, there's a risk that the key could be compromised as well.
The Secure Enclave is a dedicated, isolated microchip within Apple's chips designed for secure data and operations. Not only does it ensure that sensitive data, like private keys, remains protected, but it also facilitates biometric authentication processes, such as Touch ID and Face ID, adding another layer of security. Transaction signing within the Secure Enclave occurs in a separate hardware environment, ensuring maximum security.
Recognizing these challenges, we at Clave have chosen to leverage the Secure Enclave directly, instead of Passkeys. By doing so, we can generate a private key within the Secure Enclave and sign transactions in a separate hardware environment. The Private Key never leaves from Secure Enclave and remains protected. This approach ensures that our key management system's security is almost on par with hardware level, offering users the best of both worlds.
To secure your spot as an early participant in the Clave experience, follow us on X (@getclave) and join 100k+ people eagerly awaiting its release!