
Frictionless Wallets, Part 3: Biometric Login with Passkeys


This is the final part of the series on making on-chain wallets feel like normal apps. Part one delegated non-financial signing to a device key-pair; part two replaced the seed phrase with a social login backed by a 2-of-3 secret. Part three removes the last piece of friction: unlocking the wallet with the device's biometric authenticator - Touch ID, Face ID, or a platform passkey - no seed phrase, no browser extension.

As with the rest of the series, this serves the Cardano ecosystem first and works across the chains EffectStream supports.

See it in action

The demo is a consumer dApp that authenticates users through a cross-origin wallet iframe. The dApp requests a connection, the wallet offers passkey registration or sign-in, the OS biometric prompt fires, and the user is connected - with a DID, an access key, and message signing, all without a seed phrase or an extension.

How it works

Three properties make the design worth copying:

  1. The dApp holds no key material. The wallet runs in a cross-origin iframe on its own domain. The embedding page can request connections and signatures, but keys never leave the wallet origin - the same same-origin isolation browsers enforce between sites. Because the two origins can only talk through messaging, the wallet must check the sender's origin on every request it receives and answer only origins it knows; the isolation is only as good as that check.
  2. The passkey unlocks a root key; the root key authorizes access keys. Registering creates a passkey with the platform authenticator (WebAuthn). That passkey gates a root key, and the root key signs an authorization for a per-app access key. The authorization names the app it is issued to, so each access key is scoped to one dApp and can be revoked on its own. The dApp sees the access key and the root key's authorization of it - a clean, auditable chain of custody.
  3. No seed phrase, no extension. The authenticator is the device's own, and the passkey is synced across the user's devices by the platform (iCloud Keychain, Google Password Manager), so recovery follows the platform's passkey recovery path rather than a seed phrase.

The result, visible in the demo: a DID for the identity, the access key public key, the root-key authorization with its timestamp, and a message signed through the embedded iframe with both raw and DER signatures.

The series, complete

Together the three parts make an on-chain app onboard and behave like any consumer app - while keeping key custody honest, scoped, and revocable - for Cardano and every chain EffectStream supports.

Source