
Account Abstraction + Passkeys — The End of Master Passwords

Every password manager has an ironic flaw: you need a password to protect your passwords. If you forget your master password, you lose everything. If someone guesses it, they get everything.

VaultKeepR solves this with a combination of two technologies: Account Abstraction (ERC-4337) and WebAuthn Passkeys. The result? You unlock your vault with your fingerprint or face. No master password. No recovery email. No "forgot password" flow.

Here's how it works — explained simply.

What Are Passkeys?

Passkeys are the successor to passwords. They're built on the WebAuthn standard, which uses public-key cryptography instead of shared secrets.

When you create a Passkey:

  1. Your device generates a key pair — a public key and a private key.
  2. The public key is shared with the service (or stored locally).
  3. The private key never leaves your device. It's protected by your biometrics (fingerprint, face) or device PIN.

To authenticate, your device proves it holds the private key by signing a challenge. The private key is never transmitted. There's nothing to phish, nothing to leak, nothing to brute-force.

Where Are Passkeys Stored?

Passkeys are synchronized by your operating system:

Platform                | Sync Method
Apple (iOS/macOS)       | iCloud Keychain
Google (Android/Chrome) | Google Password Manager
Windows                 | Windows Hello

This means if you create a Passkey on your iPhone, it's automatically available on your Mac, iPad, and any other Apple device signed into the same iCloud account. Same principle applies for Android devices via Google.

What Is Account Abstraction?

In traditional blockchain systems, your "account" is directly tied to a private key. Lose the key, lose the account. There's no recovery mechanism, no "customer support," no reset button.

Account Abstraction (ERC-4337) changes this by turning your account into a smart contract. Instead of being a static key pair, your account becomes programmable code that can define its own rules:

  • Who can sign transactions (your Passkey, a backup key, a social recovery guardian)
  • When transactions are allowed (time locks, spending limits)
  • How recovery works (multiple signers, Shamir fragments, NFC backup)

Think of it as upgrading from a simple padlock (private key) to a smart lock with multiple access methods, logging, and remote management.

How VaultKeepR Combines Both

Here's the complete flow:

1. Enrollment — One Fingerprint, Full Setup

When you first open VaultKeepR and choose passwordless mode:

  1. Your device creates a Passkey linked to your biometrics.
  2. VaultKeepR uses the PRF (Pseudo-Random Function) extension of WebAuthn to derive a deterministic 256-bit encryption key from the Passkey.
  3. This key encrypts your vault using XChaCha20-Poly1305.
  4. Simultaneously, an EVM wallet address is derived from the Passkey's credential ID, creating your on-chain identity.

Fingerprint → WebAuthn PRF → 256-bit Key → Encrypt Vault
Fingerprint → Passkey credential ID → EVM Address → On-chain Identity

No password was typed. No seed phrase was shown. Everything derives from the single biometric gesture.

2. Daily Use — Tap to Unlock

Every time you open VaultKeepR:

  1. The app triggers a WebAuthn assertion (navigator.credentials.get()).
  2. Your device asks for your fingerprint or face.
  3. The PRF extension outputs the same deterministic key.
  4. Your vault is decrypted locally.

The entire process takes under 1 second. There's no network request, no token exchange — just local cryptography.

3. Sync — Decentralized, Not Cloud

Your encrypted vault is backed up to IPFS (InterPlanetary File System) — a decentralized network where data is addressed by its content hash, not by a server location.

The Account Abstraction smart contract stores your latest vault CID (Content Identifier) on-chain. When you open VaultKeepR on a new device:

  1. Your Passkey (synced via iCloud/Google) authenticates you.
  2. VaultKeepR reads the CID from the smart contract.
  3. The encrypted vault is fetched from IPFS.
  4. Your PRF key decrypts it locally.

No centralized server ever sees your data. The smart contract only stores the CID — a hash, not your vault.

4. Recovery — Multiple Paths

What if you lose access? Account Abstraction gives you options that traditional password managers can't offer:

Scenario                         | Recovery Method
New device (same ecosystem)      | Passkey syncs via iCloud/Google → instant access
New device (different ecosystem) | NFC backup tag → tap and restore
Lost all devices                 | Shamir recovery fragments → reconstruct key
Compromised Passkey              | Revoke via smart contract + re-enroll

Traditional password managers give you one path: remember your master password. VaultKeepR gives you four independent recovery paths, any of which can restore full access.

Why This Is More Secure

No Password to Phish

Passkeys use public-key cryptography. There's no shared secret between you and VaultKeepR. A phishing site can't steal what doesn't exist.

No Password to Brute-Force

The PRF-derived key comes from hardware-protected credentials. There's no hash to crack in a database breach.

No Single Point of Failure

Account Abstraction decouples your identity from a single key. You can define multiple authentication methods, recovery guardians, and backup strategies — all enforced by smart contract logic.

Biometric Keys Never Leave Your Device

The private key backing your Passkey is stored in a Secure Enclave (Apple) or StrongBox (Android). It cannot be extracted, even by the operating system.

The PRF Extension — The Secret Ingredient

The PRF extension is what makes this architecture possible. Standard WebAuthn gives you authentication (proof of identity), but PRF gives you deterministic key material — a reproducible secret that can be used for encryption.

Without PRF:

Passkey → "Yes, this is the right user" (authentication only)

With PRF:

Passkey → "Yes, this is the right user" + 256-bit encryption key

This means your Passkey doesn't just prove who you are — it directly produces the key that encrypts and decrypts your vault. One biometric gesture does everything.

PRF Compatibility

PRF is supported on:

  • macOS (Safari 18+, Chrome 120+)
  • iOS 18+
  • Android 14+ (via Google Password Manager)
  • Windows (Windows Hello, Chrome 120+)

For devices that don't support PRF, VaultKeepR falls back to the traditional master password flow — so you're never locked out.

Comparing Authentication Models

Feature             | Traditional PM              | VaultKeepR (Passkey + AA)
Authentication      | Master password             | Biometric (fingerprint/face)
Key derivation      | Password → Argon2id         | PRF → deterministic key
Account model       | Email + password            | Smart contract (ERC-4337)
Recovery            | "Forgot password" email     | NFC / Shamir / Passkey sync
Phishing resistance | Low (password can be typed) | High (bound to origin)
Server dependency   | Required                    | None (IPFS + on-chain)
Setup time          | 30 seconds                  | 5 seconds (one tap)

Getting Started

Setting up passwordless mode in VaultKeepR takes exactly one step:

  1. Open VaultKeepR
  2. Tap "Set up with Passkey"
  3. Authenticate with your fingerprint or face

That's it. Your vault is created, encrypted, and ready. Your Passkey syncs automatically to your other devices. Your EVM identity is derived. Your first NFC backup is one tap away.

No password to remember. No seed phrase to write down. No server to trust.


Ready to go passwordless? Download VaultKeepR and set up in 5 seconds.
