
Breez SDK Launches Passkey Login for Seedless Bitcoin Wallets

Bitcoin Magazine


Breez, a lightning service provider and Bitcoin software lab, has introduced Passkey Login into its Breez SDK. The feature allows developers to build self-custodial wallets that use passkeys for authentication and key derivation, eliminating the traditional seed phrase requirement during normal use. 

Seed phrase support remains available for users who prefer it, which keeps backwards compatibility with industry standards while removing the “speed bump” in Bitcoin wallets that prompts users to back up their 12 words.

Breez explained the rationale behind this new feature in a press release shared with Bitcoin Magazine: “The seed phrase has been a barrier to self-custody since day one. It’s what scares normies away from keeping their own bitcoin, and it’s a legitimate reason why people accept the counterparty risk of exchanges and custodial apps.” The company added that “Passkey Login doesn’t eliminate the tradeoffs of self-custody, but it reframes them around something people already understand and use, namely the same biometric authentication that protects their banking app and their password manager. For most users, that’s a much more intuitive security model than a piece of paper in a drawer.”

Passkeys: Per-Site Key Pairs in Modern Hardware

Passkeys — a fairly new security standard that is gaining broad adoption online — are cryptographic credentials based on the FIDO2 WebAuthn standard, jointly promoted by Apple, Google, Microsoft, and the FIDO Alliance since 2022. Each passkey consists of a unique public-private key pair generated for a specific website or application. The private key remains stored in the secure element or similar hardware on the user’s device, such as Apple’s Secure Enclave, Android’s Titan chip, Windows TPM, external security keys like YubiKey or the user’s password manager.

Ordinary online passkeys resemble the original Bitcoin wallet.dat file introduced by Satoshi Nakamoto in his early releases of the Bitcoin client, where private keys are stored locally on the user’s device, while public keys are shared with third parties.

However, the FIDO2 standard implements this private-public key idea in a more standardised and modern way. Websites send a challenge to the user, referencing the user’s known public key for that account. The challenge message is signed by the user’s private key, authenticating their identity in a privacy-preserving way. Each service gets a different public key for the same user, so data compromised on one website does not leak data that can be used to access other websites, nor does it contain any user-identifying data.
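
The challenge-response flow described above, as an added example that is not from Breez or the original article. It is a simplified Node.js model: `Authenticator`, `RelyingParty`, `signedData` and the `.example` site names are hypothetical, and the signed bytes stand in for the real WebAuthn structures.

```javascript
const nodeCrypto = require("node:crypto");

// Bytes that get signed: a hash of the site identity plus the server's challenge.
// Simplification: real WebAuthn signs authenticator data and a client-data hash.
function signedData(rpId, challenge) {
  const rpIdHash = nodeCrypto.createHash("sha256").update(rpId).digest();
  return Buffer.concat([rpIdHash, challenge]);
}

// Stand-in for the user's device: one private key per site, never exported.
class Authenticator {
  #keys = new Map();
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.#keys.set(rpId, privateKey);
    return publicKey; // only the public half leaves the device
  }
  sign(rpId, challenge) {
    return nodeCrypto.sign("sha256", signedData(rpId, challenge), this.#keys.get(rpId));
  }
}

// Stand-in for the website: stores public keys and issues single-use challenges.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.keys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    const publicKey = this.keys.get(user);
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify("sha256", signedData(this.rpId, challenge), publicKey, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const siteA = new RelyingParty("wallet.example"); // constructed site names
  const siteB = new RelyingParty("shop.example");
  const pubA = device.register(siteA.rpId), pubB = device.register(siteB.rpId);
  siteA.enroll("alice", pubA); siteB.enroll("alice", pubB);
  const der = (k) => k.export({ type: "spki", format: "der" });
  const sigA = device.sign(siteA.rpId, siteA.newChallenge("alice"));
  const sigForA = device.sign(siteA.rpId, siteB.newChallenge("alice"));
  return {
    login: siteA.verify("alice", sigA),        // fresh challenge, matching key
    reused: siteA.verify("alice", sigA),       // same response again: challenge consumed
    otherSite: siteB.verify("alice", sigForA), // site A's credential is rejected by site B
    sameKey: der(pubA).equals(der(pubB)),      // each site holds a different public key
  };
}
```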

FIDO2 is now widely adopted. It leverages device secure elements and integrates with password managers (e.g., iCloud Keychain, Google Password Manager), browsers, and the World Wide Web Consortium (W3C) WebAuthn API. Authentication occurs via challenge-response
