Passkeys, Crypto, and Signing AI Content

Sep 28, 2023

After the meteoric rise and fall of web3, Apple and Google might have shipped a real crypto-for-everyone product. You might have noticed a new way to sign in on Apple or Google — instead of using a password, you can opt for a passkey, a password-less type of authentication. You can use your fingerprint, face, screen lock, or hardware security key to log in.

Under the hood, it’s just crypto (as in cryptography). A public and private key pair is generated; the private key signs log-in challenges sent by the authenticating service, and the service checks the signature against the public key it stored at registration. We’ve had hardware security keys and WebAuthn for a while but mostly used them as a second factor. They required you to buy an additional device (usually USB), and they weren’t used as primary authentication because if you lost the device, you couldn’t recover your account.

Passkeys are essentially the same technology — with one key difference: private keys are synced to the cloud. You can still go through normal recovery routes if you lose your device. If you switch devices, that’s ok. If you’ve used an authenticator app recently, you might realize that some of them now sync to the cloud (avoiding the annoying problem of forgetting to back them up on an old phone and getting locked out of your accounts).

While cloud-synced private keys are the antithesis of decentralization, they might make a more important core workflow much easier: cryptographically signing things. It could be a transaction, a generated image, a tweet, an email, or anything in between. Others could verify the authenticity via public keys. Verification might be important in an era of zero-marginal cost content generation via AI and convincing AI-generated images, text, and music.

Of course, signing everything with a private key has been tried many times before and failed each time. PGP and GPG have existed for 30 years and have failed to gain mainstream adoption. Keybase, a startup launched in 2014, offered a more user-friendly way to socially share and verify encrypted or signed content. That, too, failed (it was acquired by Zoom in 2020, and the product wound down). And, of course, there’s the latest iteration, web3 wallets, which suffered from various usability issues (to say the least).

This time, it might be different —

1. Device support. Devices that ship with hardware secure enclaves (backing FaceID, TouchID, and the Watch) and expose an easy API for products to sign messages.

2. Backing of Apple and Google (hard to bootstrap this user behavior, and hard to build a secure and trusted enough entity to sync the private keys).

3. AI-generated content. The proliferation of misinformation and generated content on the web that can’t be verified by a trusted source.