Breez, a lightning service provider and Bitcoin software lab, has introduced Passkey Login into its Breez SDK. The feature allows developers to build self-custodial wallets that use passkeys for authentication and key derivation, eliminating the traditional seed phrase requirement during normal use. 

Seed phrase support remains available for users who prefer it, keeping backwards compatibility with industry standards, while removing the “speed bump” found in most Bitcoin wallets: the prompt to back up 12 words before the wallet can be used.

Breez explained the rationale behind this new feature in a press release shared with Bitcoin Magazine: “The seed phrase has been a barrier to self-custody since day one. It’s what scares normies away from keeping their own bitcoin, and it’s a legitimate reason why people accept the counterparty risk of exchanges and custodial apps.” The release adds that “Passkey Login doesn’t eliminate the tradeoffs of self-custody, but it reframes them around something people already understand and use, namely the same biometric authentication that protects their banking app and their password manager. For most users, that’s a much more intuitive security model than a piece of paper in a drawer.”

Passkeys: Per-Site Key Pairs in Modern Hardware

Passkeys — a fairly new security standard that is gaining broad adoption online — are cryptographic credentials based on the FIDO2 WebAuthn standard, jointly promoted by Apple, Google, Microsoft, and the FIDO Alliance since 2022. Each passkey consists of a unique public-private key pair generated for a specific website or application.

The private key remains in the secure element or similar hardware on the user’s device, such as Apple’s Secure Enclave, Android’s Titan chip, the Windows TPM, an external security key like a YubiKey, or the user’s password manager.

Normal online Passkeys resemble the original Bitcoin wallet.dat file introduced by Satoshi Nakamoto in his early releases of the Bitcoin client, where private keys are stored locally to the user’s device, while public keys are shared with third parties. 

However, the FIDO2 standard implements this private-public key idea in a more standardised and modern way. The website sends a challenge to the user, referencing the public key it holds for that account. The user’s device signs the challenge with the private key, authenticating the user in a privacy-preserving way. Each service gets a different public key for the same user, so a credential database compromised on one website yields nothing that can be used to access other websites, and the stored public key contains no user-identifying data.

FIDO2 is now widely adopted: it leverages device secure elements and integrates with password managers (e.g., iCloud Keychain, Google Password Manager), browsers, and the World Wide Web Consortium (W3C) WebAuthn API. Authentication occurs via challenge-response signing, with the private key bound to the origin domain to resist phishing.

Passkeys support local unlock by biometrics or PIN (Face ID, fingerprint, device PIN) and sync across devices within an ecosystem (e.g., via iCloud or Google)—the FIDO Alliance reported over a billion activations as of mid-2025, with support on major platforms and many top websites.

FIDO2 Was Not Good Enough for Bitcoin Wallets

Standard passkeys excel at authentication (proving identity to a service) but lack a piece of functionality the modern Bitcoin industry needs: a stable secret that a wallet can derive keys from.

Bitcoin self-custody typically relies on a single source of entropy (seed phrase) to generate all addresses and keys in a deterministic way, via standards like BIP-39. Users expect those 12 words alone to be enough to recover all balances and accounts on a Bitcoin wallet. The Passkey standard needed to be extended to support this use case. 

Breez’s Solution: Leveraging the PRF Extension

Breez addresses this by using the Pseudo-Random Function (PRF) extension in WebAuthn Level 3. PRF enables a passkey to produce a deterministic cryptographic output for any given input during authentication. 

As described in Breez’s announcement materials, “That’s what the PRF extension of WebAuthn solves, and it’s the key ingredient in Passkey Login. PRF is a newer capability, part of the WebAuthn Level 3 spec, that lets your passkey produce a deterministic cryptographic output for any given input. Same passkey, same input, same output. Always. The passkey never leaves your device’s secure enclave.”

Device Loss and Recovery

If a device is lost, recovery depends on the platform used to store the passkey. Synced passkeys — via iCloud Keychain, Google Password Manager, etc. — are restored on a new device once the user regains access to the associated account.

Breez provides an optional backwards-compatible path: users can export a normal 12-word, BIP-39 mnemonic for their wallet, so they can recover their account in other Bitcoin wallets, following industry standards. The press release adds that “Passkeys also aren’t fully interoperable across platforms yet. If you ever need to move to a platform or wallet that doesn’t support passkeys, you have a standard seed phrase to fall back on.”

The full technical specification for Passkey Login is public, and a reference app called Glow demonstrates the feature. Breez positions this as a step toward making Bitcoin self-custody more accessible by aligning with familiar biometric authentication used in banking and password managers, while preserving non-custodial control. Developers integrating the Breez SDK can now offer onboarding without the traditional “write down these words” step for supported environments.

In Breez’s own words: “The full technical specification for Passkey Login is public, and our reference app Glow is already running it, and it’s now available for all the Breez SDK devs to use.”
