pull down to refresh

The future of Bitcoin UX is here: Introducing Passkey Login for the Breez SDK ⚡️
445 sats \ 1 comment \ @_ds 18 Mar bitcoin

For as long as bitcoin wallets have existed, the seed phrase has been both a superpower and a liability. Those 12 or 24 words are the master key to your funds. Write them down, keep them safe, never lose them, never let anyone see them. Definitely do not save them to a hard drive, toss the hard drive into the trash, and then spend millions trying to get them back out before giving up, sad and much poorer.

It’s stories like this that scare so many potential users away from self-custody. A sticky note in a drawer, a screenshot in iCloud, a forgotten notebook. There are so many simple ways to blow this one crucial step, but the consequences are permanent.

The rest of the tech industry has been moving away from passwords for years. The stakes with bitcoin are higher, but the logic is the same. It’s time Bitcoin caught up.

The Missing Piece: PRFThe Missing Piece: PRF

Passkeys aren’t new. Apple, Google, and Microsoft jointly backed the standard in 2022, and the market has welcomed the move enthusiastically. According to the FIDO Alliance, over a billion people have activated at least one passkey, and as of May 2025, 69% of users have set one up. 48% of the top 100 websites now support them. They’re built into every modern phone and computer. The technology is proven. Bitcoin just hasn’t adopted it yet.

The missing piece was key derivation. Passkeys are great for authentication, but a bitcoin wallet needs to deterministically derive cryptographic keys, not just match a user with their account. Bitcoin presents a different problem, and until recently there was no standard way to solve it.

That’s what the PRF extension of WebAuthn solves, and it’s the key ingredient in Passkey Login. PRF is a newer capability, part of the WebAuthn Level 3 spec, that lets your passkey produce a deterministic cryptographic output for any given input. Same passkey, same input, same output. Always. The passkey never leaves your device’s secure enclave.

PRF is what separates passkeys-for-authentication from passkeys-for-key-derivation. Regular passkeys can verify who you are. PRF lets them generate secrets deterministically.

PRF support is still rolling out unevenly across various platforms. Android with Google Password Manager has the most complete support. Apple added PRF in iOS 18 and macOS 15 for iCloud Keychain. Windows Hello doesn’t support PRF at all yet, so only external hardware keys like YubiKeys work on Windows. Firefox support is also incomplete. It works well on Android and increasingly on Apple platforms, but not everywhere.

Logging in to the Breez SDK with a passkey requires PRF, so coverage today maps to where PRF works. As adoption grows (and it’s growing fast!), so does the utility.

The practical result: any device with a PRF-capable passkey can reconstruct your wallet keys from scratch and on demand.

How It WorksHow It Works

Your Passkey Derives Your KeysYour Passkey Derives Your Keys

When you set up Passkey Login, the app uses your passkey to compute a PRF output. That output becomes the root key for your wallet. From there, standard key derivation produces keys for the Breez SDK.

No randomness is stored. No backup is created. The passkey is the key generator, and it only works when you authenticate. The protocol also supports multiple wallets, each derived from a different label.

Nostr Keeps Track of Your LabelsNostr Keeps Track of Your Labels

Here’s where Nostr comes in, but not as a core security primitive. Instead, Nostr is a practical solution to a real problem: if your keys are derived from labels, how do you remember which labels you used when restoring on a new device?

The answer is to publish them. Under the hood, the app seamlessly creates a Nostr identity derived from the same PRF and uses it to post each label as a plain Nostr event. The user never sees or manages this identity. When you restore, the app reconstructs that same Nostr identity, queries the relays, retrieves the list of labels, and re-derives the keys on the spot.

No cloud backup. No iCloud. No Google Drive. No server. Just your passkey and a few public Nostr messages.

Trust and TradeoffsTrust and Tradeoffs

The app stores nothing. Keys are derived fresh on every use, with no local secrets and no encrypted backup file. There is a soft dependency on Nostr relays for label lookup, though Breez handles all of this out of the box.

The security is as strong as your passkey. If your passkey is cloud-synced, as most platform passkeys are, a compromised cloud account means compromised keys. And if you lose access to your passkey entirely, you lose access to your funds.

Passkeys also aren’t fully interoperable across platforms yet. That’s why the Breez SDK lets you export the mnemonic for any of your wallets. If you ever need to move to a platform or wallet that doesn’t support passkeys, you have a standard seed phrase to fall back on.

Why This MattersWhy This Matters

The seed phrase has been a barrier to self-custody since day one. It’s what scares normies away from keeping their own bitcoin, and it’s a legitimate reason why people accept the counterparty risk of exchanges and custodial apps.

Passkey Login doesn’t eliminate the tradeoffs of self-custody, but it reframes them around something people already understand and use, namely the same biometric authentication that protects their banking app and their password manager. For most users, that’s a much more intuitive security model than a piece of paper in a drawer.

For developers building on the Breez SDK, it means onboarding without the “write down these 12 words before you continue” speed bump, while still giving users full control over their keys.

The Future of Bitcoin UX Is HereThe Future of Bitcoin UX Is Here

The full technical specification for Passkey Login is public, and our reference app Glow is already running it, and it’s now available for all the Breez SDK devs to use.

The seed phrase has been one of the biggest UX barriers to bitcoin adoption, but we finally have the tools to overcome it. Passkey Login builds on authentication infrastructure that billions of people already use every day, and it makes using bitcoin feel as natural as unlocking your phone. That’s what drives the Breez SDK: pushing the boundaries of what’s possible until yesterday’s Bitcoin dreams become today’s reality.

write
compose
related posts
1 sat \ 0 replies \ @gbks 19 Mar

Very cool. I'll investigate this for Arké. Could make onboarding just a tad smoother, and manual seed backup is still possible for those who want it.

reply