Walley uses passkeys instead of passwords to authenticate you and authorize wallet actions. A passkey is a cryptographic credential generated and stored on your device — your browser never exposes the private key, and you never have to remember or type a password. Instead, you authenticate using your device’s biometric sensor (fingerprint, Face ID) or PIN.

How Passkeys Work

When you create a Walley wallet, your browser generates a cryptographic key pair using the WebAuthn standard. The private key is stored securely on your device and is marked non-extractable — it cannot be read or copied out of the browser’s secure storage. The public key is registered with Walley so it can verify your identity. Every time you sign a transaction or log in, your device uses the private key to produce a cryptographic signature. You authorize that operation using your biometric or device PIN. The private key itself never leaves your device.
Walley never receives or stores your private passkey material. The signing happens entirely within your device’s secure enclave or browser context.
  1. Walley sends a challenge (a random value) to your browser.
  2. Your browser prompts you for biometric or PIN confirmation.
  3. Upon confirmation, your device signs the challenge with your stored private key.
  4. Walley verifies the signature against your registered public key.
  5. Access is granted — no password is transmitted or stored at any point.

Why Passkeys Are More Secure Than Passwords

Passkeys eliminate entire categories of attacks that target password-based systems.

Phishing-Resistant

Passkeys are cryptographically bound to the origin (domain) they were created on. A fake site cannot trick your browser into using your Walley passkey — the domain check fails automatically.
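
The server-side half of the five sign-in steps, together with the origin check described here, can be sketched in Node.js. This is an added example, not Walley's code: the origin, RP ID, look-alike domain and the simulated browser/authenticator are assumptions constructed so the check runs offline. Real WebAuthn responses carry the same fields.

```javascript
const crypto = require("node:crypto");
// Assumed values: the page does not state Walley's real origin or RP ID.
const EXPECTED_ORIGIN = "https://wallet.example";
const RP_ID = "wallet.example";
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Server side (step 4): returns "ok" or the reason the assertion is rejected.
function verifyAssertion(assertion, challenge, publicKey) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== challenge.toString("base64url")) return "challenge-mismatch";
  // The browser fills in the origin, so a response produced on another site fails here.
  if (client.origin !== EXPECTED_ORIGIN) return "origin-mismatch";
  // Bytes 0-31 of authenticatorData are SHA-256(RP ID); byte 32 holds the flags.
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpid-mismatch";
  // UP (0x01) = user present, UV (0x04) = user verified by biometric or PIN.
  if ((authenticatorData[32] & 0x05) !== 0x05) return "user-not-verified";
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed stand-in for browser + authenticator (steps 2-3) so this runs offline.
function simulateAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin,
  }));
  // rpIdHash, flags (UP|UV), 4-byte signature counter set to zero.
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32); // step 1: fresh random value per login
  const genuine = simulateAssertion(privateKey, challenge, EXPECTED_ORIGIN, RP_ID);
  const otherSite = simulateAssertion(privateKey, challenge, "https://lookalike.example", "lookalike.example");
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // change the counter after signing
  return {
    genuine: verifyAssertion(genuine, challenge, publicKey),
    otherSite: verifyAssertion(otherSite, challenge, publicKey),
    staleChallenge: verifyAssertion(genuine, crypto.randomBytes(32), publicKey),
    tampered: verifyAssertion(tampered, challenge, publicKey),
  };
}
console.log(demo());
```

Only the response produced on the expected origin for the current challenge verifies; a response from another origin, a reused response against a new challenge, and altered authenticator data are each rejected with a distinct reason.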

No Password to Steal

There is no shared secret stored on a server. Even if Walley’s infrastructure were compromised, attackers would find no passwords or private keys to steal.

No Credential Stuffing

Because there is no reusable password, attackers cannot use credentials leaked from other services to access your wallet.

Biometric Authorization

Every signing action requires your physical presence and biometric or PIN confirmation. Remote attackers cannot authorize transactions without your device.

Passkeys Are Tied to Your Device

Your passkey lives on the specific browser and device where you created it. It does not automatically sync to other devices unless your device platform provides a secure passkey sync mechanism (for example, iCloud Keychain on Apple devices).
If you switch to a new device or browser where your passkey is unavailable, you cannot log in with the passkey alone. Use your recovery phrase to start a temporary session and regain access to your funds.
Set up your wallet on a primary device you use regularly and trust. If you ever replace that device, have your recovery phrase ready before you lose access to the old one.

What Happens If Your Passkey Is Lost

If you lose access to your passkey — for example, because your device is lost, wiped, or the browser profile is deleted — you can still access your wallet using your 24-word recovery phrase. This creates a temporary session that lets you interact with your wallet and move your funds. The recovery session does not automatically create a new passkey linked to your wallet. You will need your recovery phrase again for any future session where your passkey is unavailable. See Recovery Phrase for full details on how recovery works.