Passwordless Encryption — How WebAuthn PRF Eliminates Master Passwords
For decades, the golden rule of password managers has been: remember your master password. If you lose it, you lose your vault. If someone phishes it, they steal your life.
Even "passwordless" solutions usually fall back on a master password to encrypt your database, using biometric prompts merely as a local unlock shortcut.
VaultKeepR introduces true passwordless encryption. By leveraging the WebAuthn PRF (Pseudo-Random Function) extension, we derive your vault's encryption keys directly from your biometrics (Face ID, Touch ID, or Windows Hello).
There is no master password to remember, and thanks to Account Abstraction, you do not need to connect or manage any external crypto wallet.
The Secret: WebAuthn PRF Extension
Standard WebAuthn is an authentication protocol. When you use a passkey to log into a website, your device performs a digital signature to prove who you are. While this is highly secure, it does not produce a consistent secret key that can be used to encrypt or decrypt data.
This is why traditional password managers still require a master password: they need text input to run through a Key Derivation Function (like Argon2id) to create the encryption key.
The WebAuthn PRF extension changes this. It allows the browser or app to request a deterministic, symmetric key from the authenticator (like Apple's Secure Enclave or Android's StrongBox) during the passkey operation.
How the PRF Key Derivation Works
- Biometric Input: You scan your fingerprint or face.
- Authenticator Salt: The OS security module uses an internal salt combined with the domain name (origin).
- Deterministic Key Generation: The module outputs a unique 256-bit symmetric key.
- Zero-Knowledge Encryption: VaultKeepR uses this key to encrypt or decrypt your vault with XChaCha20-Poly1305.
The derived key is completely deterministic (it is identical every time you scan your biometrics on that device group) but never leaves the hardware security module of your device.
Why No External Wallet Is Needed
Many users assume that decentralized technology requires setting up a crypto wallet (like MetaMask or Ledger), writing down seed phrases, and buying cryptocurrency to pay for gas fees.
VaultKeepR removes this friction entirely:
- Automatic Smart Account: When you scan your Face ID/Touch ID, our system automatically creates a Smart Account (ERC-4337) on Base L2 using your passkey credential.
- Gasless Transactions: All interactions with the blockchain (such as publishing your encrypted vault metadata or registry updates) are sponsored by a Paymaster. You never pay transaction fees.
- No Wallet UI: There are no seed phrases to write down, no browser extensions to install, and no complex transaction confirmations. The blockchain works silently in the background as a decentralized database.
Security Benefits of PRF Encryption
True passwordless encryption offers security properties that traditional systems cannot match:
- Phishing Immunity: WebAuthn passkeys are cryptographically bound to the specific domain name of the service. A fake clone of VaultKeepR cannot trigger the generation of your encryption key.
- No Database to Breach: There is no master password hash stored on any server. If our backend is completely compromised, there is nothing for attackers to brute-force.
- Brute-Force Resistance: Since the key is derived inside dedicated hardware (Secure Enclave), an attacker cannot run high-speed offline dictionary attacks against your vault.
- No Human Error: You cannot choose a weak password, reuse an existing one, or write it down where others can see it.
How to Get Started
To set up passwordless encryption on your device:
- Open VaultKeepR.
- Select Create Vault.
- Choose Passkey / Passwordless (Face ID / Touch ID).
- Scan your biometrics to confirm.
Your vault is created, your Smart Account is registered, and your data is encrypted — without a single password, email address, or external wallet connection.
Ready to experience true passwordless security? Try VaultKeepR Free and secure your digital life with the power of WebAuthn and Account Abstraction.