Breez, a Lightning service provider and Bitcoin software lab, has launched Passkey Login in its Breez SDK. The feature allows developers to build self-custodial wallets that use passkeys for authentication and key derivation, eliminating the traditional seed phrase requirement during normal use.
Seed phrase support remains available for users who prefer it, preserving backwards compatibility with industry standards, while removing the “speed bump” in Bitcoin wallets that prompts users to back up their 12 words.
Breez explained the rationale behind this new feature in a press release shared with Bitcoin Magazine: “The seed phrase has been a barrier to self-custody since day one. It’s what scares normies away from holding their own bitcoin, and it’s a legitimate reason why people accept the counterparty risk of exchanges and custodial apps.” It added that “Passkey Login doesn’t eliminate the tradeoffs of self-custody, but it reframes them around something people already understand and use, namely the same biometric authentication that protects their banking app and their password manager. For most users, that’s a far more intuitive security model than a piece of paper in a drawer.”
Passkeys: Per-Site Key Pairs in Modern Hardware
Passkeys, a fairly new security standard that is gaining broad adoption online, are cryptographic credentials based on the FIDO2 WebAuthn standard, jointly promoted by Apple, Google, Microsoft, and the FIDO Alliance since 2022. Each passkey consists of a unique public-private key pair generated for a specific website or application.
The private key remains stored in the secure element or comparable hardware on the user’s device, such as Apple’s Secure Enclave, Android’s Titan chip, the Windows TPM, external security keys like YubiKey, or the user’s password manager.
Normal online passkeys resemble the original Bitcoin wallet.dat file introduced by Satoshi Nakamoto in his early releases of the Bitcoin client, where private keys are stored locally on the user’s device, while public keys are shared with third parties.
However, the FIDO2 standard implements this private-public key idea in a more standardised and modern way. Websites send a challenge to the user, referencing the user’s known public key for that account. The challenge message is signed by the user’s private key, authenticating their identity in a privacy-preserving way. Each service gets a different public key for the same user, so data compromised on one website doesn’t leak data that can be used to access other websites, nor does it contain any user-identifying data.
FIDO2 is now widely adopted; it leverages device secure elements and integrates with password managers (e.g., iCloud Keychain, Google Password Manager), browsers, and the World Wide Web Consortium (W3C) WebAuthn API. Authentication happens via challenge-response signing, with the private key bound to the domain to resist phishing.
Passkeys support biometric unlock (Face ID, fingerprint, PIN) and sync across devices within an ecosystem (e.g., via iCloud or Google). The FIDO Alliance reported over a billion activations as of mid-2025, with support on major platforms and many top websites.
FIDO2 Was Not Good Enough for Bitcoin Wallets
Standard passkeys excel at authentication (proving identity to a service) but were missing key functionality needed by the modern Bitcoin industry.
Bitcoin self-custody typically relies on a single source of entropy (the seed phrase) to generate all addresses and keys deterministically, via standards like BIP-39. Users expect those 12 words alone to be enough to recover all balances and accounts in a Bitcoin wallet. The passkey standard needed to be extended to support this use case.
Breez’s Solution: Leveraging the PRF Extension
Breez addresses this by using the Pseudo-Random Function (PRF) extension in WebAuthn Level 3. PRF allows a passkey to produce a deterministic cryptographic output for any given input during authentication.
As described in Breez’s announcement materials, “That’s what the PRF extension of WebAuthn solves, and it’s the key ingredient in Passkey Login. PRF is a newer capability, part of the WebAuthn Level 3 spec, that lets your passkey produce a deterministic cryptographic output for any given input. Same passkey, same input, same output. Always. The passkey never leaves your device’s secure enclave.”
Device Loss and Recovery
If a device is lost, recovery depends on the platform used to store the passkey. Synced passkeys (via iCloud Keychain, Google Password Manager, etc.) restore on a new device after regaining access to the associated account.
Breez offers an optional backwards-compatible path: users can export a standard 12-word BIP-39 mnemonic for their wallet, so they can recover their account in other Bitcoin wallets, following industry standards. The press release adds that “Passkeys also aren’t fully interoperable across platforms yet. If you ever want to move to a platform or wallet that doesn’t support passkeys, you have a standard seed phrase to fall back on.”
The full technical specification for Passkey Login is public, and a reference app called Glow demonstrates the feature. Breez positions this as a step toward making Bitcoin self-custody more accessible by aligning with the familiar biometric authentication used in banking and password managers, while preserving non-custodial control. Developers integrating the Breez SDK can now offer onboarding without the traditional “write down these words” step for supported environments.
The full technical specification for Passkey Login is public, and our reference app Glow is already running it, and it’s now available for all the Breez SDK devs to use.
