Passkey Smasskey

In the land of locks and keys, the key’s twist tells the tale.

Thomas Jay Rush
Feb 18, 2024

I keep getting asked to create something called a passkey, which, of course, has no clear meaning in my mind. (Nothing does anymore, but that’s a different story.)

How could the word “passkey” possibly have a clear meaning in my mind? For 30 years, I have seen all sorts of variations on that theme. Passwords, passkeys, passphrases, passthises, passthats, passthesalts. What the hell?

So, as I’ve been trained to do, I asked ChatGPT to explain the word to me.

Here’s the result. My questions form the header of each section. The sections themselves show Chat’s response (edited for brevity).

What the fuck is a passkey?

ChatGPT
A passkey is a newer form of user authentication designed to replace traditional passwords... Unlike passwords, which rely on users creating, remembering, and frequently changing complex strings of characters, passkeys use cryptographic key pairs to authenticate users. Here’s a breakdown of how they work:

Cryptographic Key Pairs: A passkey involves a pair of cryptographic keys…

Authentication Process: When a user attempts to log in, the service requests the device to prove it has the private key corresponding to the public key stored on the server…

User Experience: For the user, logging in with a passkey can be as simple as unlocking their device…

Benefits Over Passwords: Passkeys are considered more… [They] do not require users to remember complex passwords, and are not stored on servers where they can be stolen through data breaches.

Multi-Device Use: Passkeys can be synchronized across devices…

Adoption and Standards: The concept of passkeys is part of a broader movement towards passwordless authentication…

In summary, passkeys represent a shift towards a more secure and user-friendly method of…authentication…

Who holds the private key for a passkey?

ChatGPT
The private key for a passkey is securely held by the user, specifically stored on the user’s device or devices. This key is never shared with or transmitted to external parties…

Devices store these private keys in secure storage areas, such as a…Secure Enclave…or other secure hardware elements…even if the device is compromised.

When a user attempts to authenticate with a service, the device uses the private key to sign a challenge from the service, proving possession of the private key without actually revealing it…

In what way is a passkey different than the private keys used in blockchains? Aren’t they both just private key/public key pairs?

ChatGPT
Passkeys and Ethereum address private keys indeed share the fundamental principle of using cryptographic key pairs (a private key and a public key) for security purposes, → but they serve different functions and operate within different contexts ←.

The above →highlighted← sentence is why I wrote this article. It should say, “There is no difference, but my tiny brain is too small to see that because I only mimic the human-written text I read. The humans clearly think there’s a distinction to be made, so I will parrot that.”

I’m here to say this: there is no difference.

Passkeys and blockchain key pairs are identically the same thing. As have been all private key/public key pairing systems since 1976. We should abandon the distinction. We should abandon separate wallet software such as MetaMask / Rainbow and just use passkeys. There should be a single, standard way to handle private keys. It’s our only way to make sure they serve the needs of users. A single standard, agreed to by all participants, is those same humans’ only hope for a truly fair, private future.

The remainder of Chat’s answer to my above question was this:

ChatGPT
In summary, although passkeys and Ethereum private keys both utilize cryptographic key pairs, they are designed for different purposes in different ecosystems. Passkeys are focused on user authentication for access control, while Ethereum private keys are centered around securing and managing blockchain assets…

Heshe totally misses the point of my inquiry. Shehe focuses on the use cases and the context in which key pairs are used. Admittedly, these uses and contexts are different, but shehim neglects the obvious fact that both systems are fundamentally the same.

My suggestion: Clear away the underbrush, recognize that it’s a distinction without a difference, and mash the use cases and contexts together on purpose.
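The challenge-signing step quoted earlier ("the device uses the private key to sign a challenge from the service"), run through the same code on P-256, the curve behind WebAuthn's ES256 passkeys, and on secp256k1, the curve Ethereum uses. This is an added example, not code from the article or from any passkey or wallet implementation; `makeDevice`, `makeService` and `demo` are hypothetical names. It assumes Node.js and simplifies both sides: real WebAuthn signs authenticator data plus a hash of client data that includes the origin, and Ethereum signs Keccak-256 digests, whereas here the raw challenge is signed with SHA-256 on both curves.

```javascript
const crypto = require('node:crypto');

// "Device" side: holds the private key and only ever releases signatures.
function makeDevice(namedCurve) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve });
  return {
    publicKey, // handed to the service once, at enrollment
    sign: (challenge) => crypto.sign('sha256', challenge, privateKey),
  };
}

// "Service" side: stores public keys and issues single-use random challenges.
function makeService() {
  const pending = new Set();
  return {
    issueChallenge() {
      const challenge = crypto.randomBytes(32);
      pending.add(challenge.toString('hex'));
      return challenge;
    },
    verify(publicKey, challenge, signature) {
      // Unknown or already-consumed challenges are rejected (replay protection).
      if (!pending.delete(challenge.toString('hex'))) return false;
      return crypto.verify('sha256', challenge, publicKey, signature);
    },
  };
}

function demo(namedCurve) {
  const service = makeService();
  const device = makeDevice(namedCurve);
  const other = makeDevice(namedCurve); // a different private key

  const c1 = service.issueChallenge();
  const sig = device.sign(c1);
  const login = service.verify(device.publicKey, c1, sig);
  const replay = service.verify(device.publicKey, c1, sig); // same challenge reused

  const c2 = service.issueChallenge();
  const wrongKey = service.verify(device.publicKey, c2, other.sign(c2));
  return { login, replay, wrongKey };
}

for (const curve of ['prime256v1', 'secp256k1']) {
  console.log(curve, demo(curve));
}
```
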

Back to my conversation with Chat…

What’s the saying about there being a difference but no distinction?

ChatGPT
The phrase you’re referring to is likely “a distinction without a difference.” This saying is used to criticize an argument that makes a nominal or superficial distinction between two things that, in reality, are not actually different in a meaningful or relevant way…

Please come up with a single sentence to summarize the above.

ChatGPT
While passkeys and Ethereum private keys operate on the principle of cryptographic key pairs, arguing about their differences in authentication versus transaction security might be seen as making a distinction without a difference, given that both fundamentally enhance security through the same underlying cryptographic mechanism.

Come up with a single, pithy “folk saying”.

ChatGPT
“In the land of locks and keys, whether for doors or treasures, the key’s twist tells the tale, not the pocket it’s kept in.”

Let’s not forget a weird image.

TrueBlocks is funded from personal funds and grants from Optimism Retro PGF (2022, 2023), The Ethereum Foundation (2018, 2022), Consensys (2019), Moloch DAO (2021), Filecoin/IPFS (2021), and our lovely Gitcoin donors.

If you like this article and wish to support our work, please donate to our Gitcoin grant using ETH or any other token or send us some cashola directly at trueblocks.eth or 0xf503017d7baf7fbc0fff7492b751025c6a78179b.

Written by Thomas Jay Rush

Blockchain Enthusiast, Founder TrueBlocks, LLC and Philadelphia Ethereum Meetup, MS Computer Science UPenn