Passkeys and Crypto: A Practical Security Model
How WebAuthn passkeys map to on-chain signing and why they beat passwords for high-value accounts.
Passkeys use public-key cryptography tied to your device (or a synced keychain). For Astrolabe, they are the primary way users authenticate — without ever handling a seed phrase in the browser.
The threat model
Passkeys resist phishing: there is no reusable secret to type into a fake site. The browser enforces origin binding, so credentials only work on the real domain.
On-chain linkage
The passkey does not replace your Solana key — it authorizes actions on a smart account that holds assets and enforces policy. Separation of concerns keeps key material off the hot path.
User → Passkey (WebAuthn) → Session / policy → Smart account → Chain
Trade-offs
- Device loss still requires a recovery path (email, guardian, etc.)
- Cross-device sync depends on platform (iCloud Keychain, Google Password Manager)
We document recovery flows in depth on the product wiki and in upcoming episodes.