Skip to content

A research project to use WebAuthn with Account Abstraction (ERC 4337)

Notifications You must be signed in to change notification settings

G7DAO/account-abstraction-webauthn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Account Abstraction + WebAuthn (Passkeys)

This is a research project to use WebAuthn (FaceID/Fingerprint Authentication) with Account Abstraction (ERC 4337)

AA WebAuthn Flow

SDK

npm: ichigo-sdk (docs)

Goals

  • Simplify user onboarding flow for blockchain projects
  • Make blockchain accessible to millions of new users, with no friction

Vision

Installing a chrome extension, or a mobile app to use a wallet is a big blocker for user onboarding. Instead, we should use modern standards like WebAuthn and Account Abstraction to onboard users by using their FaceID/Fingerprint, without installing any additional app or extension. Software engineers should have a SDK, which can be integrated into any website in a few lines of code and use this new way of user onboarding/authentication.

Funding

Screenshot 2024-01-12 at 06 22 06

Idea / How it works

  1. User will generate a private key on their device by using a WebAuthn standard.
  2. Smart Wallet (ERC-4337 Account) will be created for the user on-chain and the public key will be included as a signer.
  3. Every time users will need to do a userOp on-chain, they will do the webauthn verification (FaceID/Fingerprint/etc.) and send the signature on-chian for verification. The signature will include the hash of this userOp.

For the example of the UX, please check the Live Demo of this project: https://ethglobal.com/showcase/avatar-protocol-z6md2

Important Facts

  • WebAuthn is a web standard and it's already available in every major browser. I'd highlight Safari on iOS and Chrome on Android. Also on desktop browsers.
  • To use WebAuthn you don't need an approval from authorities like Apple, Google, etc. Every web app can use it today.
  • Users don't need to download or install anything, WebAuthn is already there, in the device.
  • There is no way to export a private key from the device (generated by WebAuthn). All you can do is Unlock the private key by using your Fingerprint/FaceID and do the signature.
  • You can only access a private key for your domain. Cross-domain access isn't allowed by the standard.
  • It's possible to use the same private key across domains and devices. You will need YubiKey for it.

References

There are few projects which were an inspiration for starting this project. If you plan to work on the codebase here, I'd highly recommend checking them:

Base Smart Wallet:

Great Article:

Test Contracts

Sepolia

Description Address
WebAuthnAccountFactory 0x1c831bF4656866662B04c8FED126d432a007BD08
DummyWebAuthnAccountFactory (Creates account with zero validation, just for testing) 0x97c14a5793928f224732a020aecf41e1c8d9fe2f
WebAuthn256r1 (Deployed once. WebAuthn verification logic, shared between Accounts) 0x13250cf16eec77781dcf240b067cac78f2b2adf8
AvatarPack (Test ERC721 contract for minting items) 0x4b3b5d4abe57eb7a00bbe9cc3ee743509b04f4e9
Custom Paymaster 0xD1c5ea2610b894FA66333cb5F3b512ea037ba1F0
Deployer 0xaE0bDc4eEAC5E950B67C6819B118761CaAF61946
Entrypoint 0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789

Base Sepolia

Description Address
WebAuthnAccountFactory 0x1240FA2A84dd9157a0e76B5Cfe98B1d52268B264
WebAuthn256r1 (Deployed once. WebAuthn verification logic, shared between Accounts) 0x8Ad159a275AEE56fb2334DBb69036E9c7baCEe9b
AvatarPack (Test ERC721 contract for minting items) 0x10bb2Ee7761C2356F7D7e42311b0fDf8e5e4dCA1
Entrypoint 0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789

About

A research project to use WebAuthn with Account Abstraction (ERC 4337)

Resources

Stars

Watchers

Forks

Packages

No packages published