Passkey technology makes it possible to eliminate 12- or 24-word backup phrases from non-custodial Bitcoin wallets.
Breez has integrated Passkey Login into its SDK. This feature allows developers to build non-custodial wallets that use biometric authentication instead of the traditional 12- or 24-word seed phrase.
The technology does not completely remove support for seed phrases – these remain available for users who prefer them, ensuring backward compatibility with industry standards – but it removes what Breez describes as the “barrier to entry” that discourages less experienced users from adopting self-custody.
The company adds that Passkey Login does not eliminate the trade-offs of self-custody, but reframes them into something users already know and use daily: the same biometric authentication that protects their banking apps and password managers.
How it works
Passkeys are a relatively new security standard that is gaining widespread adoption online. They are based on the FIDO2 WebAuthn cryptographic standard, promoted jointly by Apple, Google, Microsoft, and the FIDO Alliance since 2022.
Each passkey consists of a unique public-private key pair generated for a specific website or application. The private key is stored in the secure hardware element of the user’s device—such as Apple’s Secure Enclave, Android’s Titan chip, Windows TPM, external security keys like YubiKey, or the user’s password manager.
Conceptually, this approach resembles the original wallet.dat file introduced by Satoshi Nakamoto in early versions of the Bitcoin client, where private keys were stored locally on the user’s device while public keys were shared with third parties. However, the FIDO2 standard implements this public-private key model in a more standardized and modern way.
Websites send a “challenge” to the user, referencing the known public key for that account. The message is signed by the user’s private key, authenticating their identity in a privacy-preserving way. Each service receives a different public key for the same user, so compromised data from one site cannot be used to access others, nor does it contain identifiable user information.
Breez’s solution
According to Breez, standard passkeys excel at authentication but lack key features required for the Bitcoin industry.
Self-custody typically relies on a single source of entropy to deterministically generate all addresses and keys, using standards such as BIP-39. Users expect those 12 or 24 words to be sufficient to recover all balances and accounts in a wallet. The Passkey standard needed to be extended to support this use case.
Breez addresses this by leveraging the Pseudo-Random Function (PRF) extension in WebAuthn Level 3. PRF allows a passkey to produce a deterministic cryptographic output for any given input during authentication.
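The deterministic derivation described above, as an added example that is not Breez's code: it simulates the PRF evaluation offline in Node.js, modeling the authenticator as a random per-credential secret, and encodes the result with the BIP-39 checksum rule. Using the first 16 bytes of the PRF output as wallet entropy and the input labels shown are assumptions for illustration; the 2048-word list is omitted, so the output is the 12 word indices.

```javascript
// Added example: simulates the WebAuthn PRF extension offline in Node.js.
const { createHash, createHmac, randomBytes } = require('node:crypto');

const sha256 = (buf) => createHash('sha256').update(buf).digest();
const toBits = (buf) => [...buf].map((b) => b.toString(2).padStart(8, '0')).join('');

// WebAuthn Level 3 maps a PRF input to the CTAP2 hmac-secret salt as
// SHA-256("WebAuthn PRF" || 0x00 || input); the authenticator then returns
// HMAC-SHA-256(per-credential secret, salt). The secret never leaves it.
function prfEval(credentialSecret, input) {
  const salt = sha256(Buffer.concat([Buffer.from('WebAuthn PRF\0'), Buffer.from(input)]));
  return createHmac('sha256', credentialSecret).update(salt).digest(); // 32 bytes
}

// BIP-39 encoding: entropy || first ENT/32 bits of SHA-256(entropy),
// split into 11-bit indices into the 2048-word list.
function entropyToIndices(entropy) {
  const checksumBits = (entropy.length * 8) / 32;
  const bits = toBits(entropy) + toBits(sha256(entropy)).slice(0, checksumBits);
  return bits.match(/.{11}/g).map((w) => parseInt(w, 2));
}

// Assumption: the first 16 bytes of the PRF output serve as 128-bit entropy.
function walletIndices(credentialSecret, input) {
  return entropyToIndices(prfEval(credentialSecret, input).subarray(0, 16));
}

// Constructed sample data: a simulated authenticator secret and
// hypothetical PRF input labels.
const passkeySecret = randomBytes(32);
const first = walletIndices(passkeySecret, 'example-wallet/account-0');
const again = walletIndices(passkeySecret, 'example-wallet/account-0');
const other = walletIndices(passkeySecret, 'example-wallet/account-1');
console.log(first.join(' '));
console.log('same input reproduces wallet:', first.join() === again.join());
console.log('different input, different wallet:', first.join() !== other.join());
```

Under this assumption the PRF output is equivalent to the seed phrase, so an application should keep it out of logs and persistent storage just as it would the mnemonic.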
If a device is lost, recovery depends on the platform used to store the passkey. Synced passkeys – via iCloud Keychain, Google Password Manager, etc. – can be restored on a new device once access to the associated account is regained.
Breez also provides an optional backward-compatible path: users can export a standard 12-word BIP-39 mnemonic phrase for their wallet, allowing them to recover their account in other wallets in line with industry standards.





