Infinex is beta testing a new Chrome browser extension that enables users to log in to the top 100 crypto sites across 20 chains using any old phone with fingerprint or face unlock.
Using a phone passkey tied to a Google or Apple account to log in and approve crypto transactions is arguably a lot easier for new users than learning about wallets and seed phrases, and more convenient for existing users than approving every transaction using a Ledger or Trezor.
“Figuring out the seed phrase security, and private key OpSec et cetera, is challenging for most people, and it has been a filter for getting people on chain,” founder Kain Warwick told Cointelegraph in Singapore last week.
But while passkey systems offer very good security, they are not as bomb-proof as dedicated crypto hardware wallets, which are almost impossible to hack.
As hardware wallet manufacturer Ledger points out, non-dedicated devices come with the risk that the screen could be compromised to trick users into signing malicious transactions, as seen in the recently patched Unity Android game platform vulnerability.
The secure enclave on the phone where passkeys are held is also a form of TEE that has been compromised by attackers who can gain physical access.
So they offer a middle ground for users who want more convenient access to their working capital, but it may not be an appropriate storage method for Bitcoin whales.
“It is just genuinely a better solution for the average user,” argued Warwick. “If you’ve got a billion dollars, then you probably should have a different OpSec approach.”
Infinex’s early supporters, known as Patrons, began testing the system today on around 40 DeFi apps, including Aave, Uniswap, Hyperliquid, Polymarket, Pump.fun, OpenSea and Jupiter on six chains: Ethereum, Solana, Base, Arbitrum, Optimism and Polygon.
Warwick conceded “there’s still a few little gremlins in there,” but he was confident they would be ironed out by the time the system is released to retail, with 100 DApps initially.
He said passkeys are already securing half a billion dollars in TVL on Infinex without incident.
Why aren’t passkeys used more often in crypto?
Despite their ease of use, the decentralized finance sector of the crypto industry has been surprisingly slow to adopt Google and Apple’s passkeys since centralized exchange Binance first implemented them in 2023, followed later by Coinbase and Gemini.
While you can upgrade a wallet with seed phrases to use passkeys, they don’t require a seed phrase for new users, are easier to move from device to device and offer secure recovery options.
Related: Phishing scams cost users over $12M in August — Here’s how to stay safe
Bitcoin Improvement Proposal 39 ushered in the wide adoption of seed phrases back in 2013, but while they are almost impossible to brute force, anyone who can gain access to the written backup, or trick users into sharing the phrase using phishing, can drain 100% of the wallet’s funds.
Other major wallets are starting to offer passkeys and biometrics. The smart wallet market leader, Safe, offers passkeys, but the majority of accounts there are multisignature, and it only supports EVM chains.
The Solana Seeker phone uses a thumbprint to approve transactions, but is Solana only and remains a relatively niche product with 150,000 units shipped. Phantom Wallet (and other phone wallets) offers biometric login to its crosschain wallet app, but still relies on private keys and seed phrases.
MetaMask is the dominant player in the space, with a market share exceeding 60% and 30 million monthly users. It still uses seed phrases and passwords to access its standard browser interface. Following the introduction of account abstraction earlier this year, MetaMask began offering passkeys for smart accounts; however, only a small proportion of ETH wallets have upgraded.
Passkeys offer greater phishing protection
Passkeys also help reduce the risk of phishing, which resulted in $12.5 million in cryptocurrency lost during August alone, according to ScamSniffer.
“The way the passkeys are created is it’s locked to a domain. So if you have a passkey for Amazon, you can’t accidentally log into a fake Amazon site that someone’s created,” explained Warwick.
But while that prevents a passkey from being compromised by a malicious site, users can still be tricked by phishers into signing something when using the extension. Infinex is filling the gap by utilizing whitelisted DApps and real-time threat monitoring through Blockaid.
Patrons who participated in the NFT-based fundraising round for Infinex have proven to be a willing group of beta testers this year.
Around 200 Patrons traded $100 million in volume over a month while beta testing the platform’s Hyperliquid integration, which was released to the public last week.
Magazine: They solved crypto’s janky UX problem — you just haven’t noticed yet