Passkeys and Crypto: A Practical Security Model

How WebAuthn passkeys map to on-chain signing and why they beat passwords for high-value accounts.

Passkeys use public-key cryptography tied to your device (or a synced keychain). For Astrolabe, they are the primary way users authenticate — without ever handling a seed phrase in the browser.

The threat model

Passkeys resist phishing: there is no reusable secret to type into a fake site. The browser enforces origin binding, so credentials only work on the real domain.

On-chain linkage

The passkey does not replace your Solana key — it authorizes actions on a smart account that holds assets and enforces policy. Separation of concerns keeps key material off the hot path.

User → Passkey (WebAuthn) → Session / policy → Smart account → Chain

Trade-offs

  • Device loss still requires a recovery path (email, guardian, etc.)
  • Cross-device sync depends on platform (iCloud Keychain, Google Password Manager)

We document recovery flows in depth on the product wiki and in upcoming episodes.