
Binance Passkeys: Passkeys for the Crypto and Web3 World

Explore how Binance’s implementation of passkeys is shaping the future of authentication in the cryptocurrency world, balancing UX with robust security.

Vincent

Created: March 14, 2024

Updated: August 12, 2024


We believe that passkeys will make the Internet a safer place. That's why we aim to provide a systematic analysis of the passkey processes of different companies as they move towards a password-free world.

1. Introduction: Binance Passkeys

With the emergence of Bitcoin in 2019, cryptocurrencies started to mark a new era of independence and technological innovation in the finance world. This new world, though primarily accessed by tech-savvy people, brings with it unique challenges and opportunities. A notable hurdle is the authentication process. Traditional crypto / web3 mechanisms often involve a public / private key system where losing your private key can mean the irreversible loss of funds. This is because, unlike traditional banking, there's often no central entity to turn to for account recovery.

Cryptocurrency exchanges like Binance and Coinbase try to mitigate these risks by acting as more centralized figures in the crypto ecosystem. They promise to offer a more user-friendly management of funds on behalf of users. However, this centralization comes with its own set of vulnerabilities, such as increased risk of hacking or system failures, as seen in the collapse of FTX. These events underscore the importance of exchanges not only providing top-tier, bank-level security but also making the authentication process accessible to those people who are less familiar with asymmetric cryptography to access accounts.

Now that passkeys are becoming the new standard in user authentication, they could bridge the gap between strong security needs and user convenience. Leveraging public key cryptography, the same foundation that blockchain technology builds on, passkeys offer a robust and user-friendly method of securing accounts. Binance began supporting passkeys across various devices and browsers in March 2023, catering to its tech-savvy audience while improving defenses against the common plagues of the crypto world: scams and hacks. Binance was a very early adopter and was certainly the most significant crypto player at that time. This move not only highlighted Binance's commitment to security but also marked a significant moment for the adoption of web3 technologies.

In this article, we analyze Binance's rollout of passkeys, examining the technical implementation, product flows, and the strategic thinking behind this move. Our goal is to provide a comprehensive overview that educates and inspires software developers and product managers to implement Binance-like passkey authentication.

2. Summary of Binance Passkeys Analysis

In the following, we provide an overview of the findings of our analysis of Binance's passkey implementation. Features marked with a ⭐ are considered the top feature of their category and are the most important for a great and secure passkey experience.


3. Product Flows and UX of Binance Passkeys

This section analyzes the product flows of Binance's passkeys across a variety of platforms, including the web app as well as the native Android and iOS apps. Passkeys are available on all major operating systems: iOS, Android, macOS, and Windows. Notably, our examination uncovered a bug in the passkey setup on Windows, which we elaborate on below.

A highlight is the user support offered by Binance, particularly for navigating through common errors and troubleshooting scenarios available on their support site (see this article for more passkey troubleshooting help).

The following parts analyze sign-up, passkey creation, passkey management, and login processes within Binance's passkey integration.

3.1 Sign-up

A pure passkey-only sign-up at Binance is not (yet) possible. Currently, you need to confirm your email via OTP and then provide a password. After that, you can add a passkey to your account.

3.2 Passkey Creation


The process of creating a passkey on Windows 11 using the Chrome web app begins by navigating to the profile section, selecting "Account," then "Security," and finally "Manage" next to the Passkeys section.


Users are presented with a list of their existing passkeys, offering an opportunity to create a new one for the device by clicking on "Add Passkey." The creation process prompts the user for an additional factor of authentication, defaulting to Time-based One-Time Passcode (TOTP) via an authenticator app, with the alternative being an OTP sent via email. Upon providing the TOTP, users are introduced to the benefits of passkeys, leading to a click on "Continue," which then triggers the Windows Hello popup (Face ID / Touch ID popup on Apple devices or equivalent local authentication on Android devices) to create the passkey.


The WebAuthn username is set as the user's email address, with the relying party ID set to "binance.com."

However, a bug occurs immediately post-creation on Windows devices. Despite the passkey's successful creation - visible within the Windows passkey management UI - it fails to appear in the Binance account's passkey list. This discrepancy is accompanied by error messages (with a typo), persistent across multiple attempts and unique to Binance, as similar operations on other services do not encounter this issue.


Further investigation through the browser console revealed an attempt to finalize the passkey registration through a POST call to Binance's API at https://accounts.binance.com/bapi/accounts/v1/private/account/fido2/finish-register (the passkeyRegisterFinish call in the WebAuthn registration ceremony), which returned an HTTP 200 status code, suggesting a successful operation. Yet, the API response body indicated a "certificate path validation failed" error.

The issue was not exclusive to Chrome: Firefox and Edge on Windows encountered the same problem. Interestingly, a YubiKey could be successfully added, hinting that Binance might only support passkeys that are not device-bound. In addition, in later tests we saw that the registration process works on Windows 10, so the error appears to be exclusive to Windows 11 devices.

In contrast, on macOS, iOS and Android, the passkey creation process works. On the iOS web app, however, we noted issues with the excludeCredentials feature: it was possible to create multiple passkeys even when one already existed from this device. Moreover, on macOS we could also create multiple passkeys on the same device. When we created the first passkey in Chrome (and stored it in iCloud Keychain), we were able to create another passkey in Safari (also storing it in iCloud Keychain). However, when inspecting the iCloud Keychain, only one passkey for Binance was visible, which caused some confusion.


In general, it became obvious that the handling of excludeCredentials in the passkey creation process has potential to be reworked and improved to avoid user confusion.

After a successful passkey creation, an email notification is sent to the user.


This overview points to a mixed experience in passkey creation across platforms, with specific challenges identified on Windows and iOS that merit further attention for a smoother, more consistent user experience.

3.3 Passkey Management

To manage your passkeys, navigate to "Account" > "Security" > "Two-Factor Authentication (2FA)" > "Passkeys". Here, users are presented with a detailed overview of all passkeys created for their account. A notable feature within this section is the option "Must verify using passkey for important scenarios." This introduces an additional layer of security for actions deemed high-risk, without compromising the overall user experience.


Activating this feature ensures that passkey verification becomes a prerequisite for executing critical actions within the account. However, it's important to recognize the implications of this setting. If access to passkeys is lost, it will make some actions in Binance impossible. Therefore, this option is best suited for individuals utilizing synced passkeys. Also, following the activation of this feature, passkey verification becomes obligatory for login attempts and withdrawals, emphasizing the importance of maintaining access to passkeys across all frequently used devices. Should access to passkeys be compromised, reaching out to Customer Support for a reset becomes a necessary recourse.

Editing a passkey is made user-friendly. A simple click on the edit icon next to a passkey triggers a modal, enabling the renaming of the passkey.


Meanwhile, the process of deleting a passkey comes with its own set of warnings, so that users are prevented from accidentally removing this secure and convenient authentication method. Interestingly, upon deletion, withdrawals and peer-to-peer (P2P) transactions are temporarily disabled for 24 hours as a precautionary measure based on assessed risk levels. Furthermore, the deletion process incorporates an additional security step, requiring confirmation via a passkey, thereby reinforcing the system's security framework.


Passkeys are the recommended option for 2FA, as the 2FA settings screen of the Android app shows.


3.4 Login

Let's have a look at the login process in detail.

3.4.1 Conditional UI & Cross-Device Logins

The login process across platforms and devices currently does not implement Conditional UI, which presents a great opportunity for enhancing user experience. When attempting to log into an account with an existing passkey, Binance recognizes this and prompts for the passkey immediately following the submission of the user's email address / phone number.

On Android, the login experience between the web app and the native app is notably smooth (unlike on iOS, see the problem below): it is not possible to create multiple passkeys for a single account on one device, even across the web and native platforms. This restriction reduces confusion and enhances security by limiting the number of passkeys per user and per device.

In the login process on Windows, even though no passkey was successfully created with Windows Hello on Windows 11, users are still prompted to sign in with a passkey through cross-device authentication immediately after entering their email address. This assumes that a passkey was successfully created on another platform. On Windows 10 the registration process worked as expected with the Windows Hello passkeys.

Overall, while the login process benefits from the automatic detection and utilization of passkeys, the absence of Conditional UI across devices suggests room for improvement.

3.4.2 iOS App: Cross-Device Login after Passkey Registration on macOS

In our tests, we observed challenges with the iOS app's cross-device login functionality, particularly following a successful registration and passkey addition on a desktop (macOS) environment. Our test process began with the creation of a new Binance account on Windows 10 using social login, where we were able to add a passkey without issues. Subsequently, we logged in via social login in Safari on macOS. In the next step, we added a passkey to the account, which Binance recognized as a cross-device passkey. This successful creation and recognition was confirmed by the visibility of the passkey in the passkey settings on an iPhone connected to the same iCloud account.


However, the transition to the iOS platform revealed significant complications. Attempts to log in resulted in a persistent error, "Login not possible, Passkey error 608104 in Widget", that could not be resolved despite various troubleshooting efforts, including reinstalling the app on the iPhone. This error prevented the use of passkeys on iOS entirely, which represents a critical use case for apps where it's common that users install the native iOS app after account creation on macOS.


Furthermore, the experience fell short of expectations set by other applications such as KAYAK, which are able to trigger passkey requests natively, without relying on the autofill feature integrated into the iOS keyboard.

This inconsistency highlights a potential area for development, with a focus on seamless cross-device login processes and the integration of a more intuitive and responsive UI that can adapt to the various states of user authentication across platforms. The resolution of error 608104 is important, as it currently stands as a barrier to a frictionless user experience, which is a huge problem for new users who begin their journey on macOS and transition to iOS.

4. Technical Passkey Implementation Details

To use passkeys in Binance, users should have the Binance application version 2.60 or higher installed on devices running iOS 16 and above or Android OS 9 and above. The web app works on all passkey-ready devices. In addition to these requirements, Binance also supports hardware security keys (e.g. YubiKeys), broadening the spectrum of security options available to its users.

4.1 Analysis of PublicKeyCredentialCreationOptions

We analyzed Binance's PublicKeyCredentialCreationOptions. Our review revealed that Binance sets the residentKey option to "discouraged". This design choice suggests that Binance takes hardware security keys into account, which typically store non-resident keys, indicating a thoughtful approach to security compatibility. However, as described in this blog post, quite often the authenticator itself decides whether it creates a resident or a non-resident key.

PublicKeyCredentialCreationOptions.json
```json
{
  "attestation": "direct",
  "authenticatorSelection": {
    "residentKey": "discouraged",
    "userVerification": "preferred"
  },
  "challenge": "T6l0KbewCabrlI9gS4U_stfq9la7PvopTtPhmYwelzhwqxWDQiWfz89lZ4eVwR2U_btxHuZVsVBhjSRJT9jCXg",
  "excludeCredentials": [
    {
      "id": "DUak294rRW6tJDaspoKrJg",
      "transports": ["usb", "nfc", "ble", "hybrid", "internal"],
      "type": "public-key"
    }
  ],
  "extensions": { "credProps": true },
  "pubKeyCredParams": [
    { "alg": -65535, "type": "public-key" },
    { "alg": -257, "type": "public-key" },
    { "alg": -258, "type": "public-key" },
    { "alg": -259, "type": "public-key" },
    { "alg": -37, "type": "public-key" },
    { "alg": -38, "type": "public-key" },
    { "alg": -39, "type": "public-key" },
    { "alg": -7, "type": "public-key" },
    { "alg": -35, "type": "public-key" },
    { "alg": -36, "type": "public-key" },
    { "alg": -8, "type": "public-key" },
    { "alg": -43, "type": "public-key" }
  ],
  "rp": { "id": "binance.com", "name": "Binance" },
  "user": {
    "displayName": "Chrome V122.0.0.0 (Windows)",
    "id": "MTxwMjAxMTY",
    "name": "vincent.delitz@corbado.com"
  }
}
```

Interestingly, Binance supports an extensive array of cryptographic algorithms (12 in total), a significant difference from many other relying parties, which typically support only one or two.

Additionally, the WebAuthn display name has a format we haven't seen so far: it is derived from the user agent, such as "Chrome V122.0.0.0 (Windows)."
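As an added example (not Binance's or Corbado's code), here is a client-side helper that turns JSON options like the ones shown above into the object navigator.credentials.create() needs and summarises the security-relevant settings: the 64-byte challenge, the excludeCredentials entry that tells the authenticator to refuse a second passkey for this account (the behaviour that misfired on iOS in section 3.2), and the algorithm list. Function names such as auditCreationOptions are this example's own, and the e-mail address is replaced by a placeholder.

```javascript
// Added example (not Binance's or Corbado's code): convert the JSON-encoded
// PublicKeyCredentialCreationOptions a server returns into the binary form
// navigator.credentials.create() expects, then audit the settings.

// Decode base64url (the encoding used in the JSON above) into raw bytes.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("not base64url: " + s);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
}

// Browsers implementing WebAuthn Level 3 offer
// PublicKeyCredential.parseCreationOptionsFromJSON() for this conversion.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    user: { ...json.user, id: base64urlToBytes(json.user.id) },
    // excludeCredentials only works if each id reaches the authenticator as the
    // exact raw bytes it stored, so the ids must be decoded, not passed as strings.
    excludeCredentials: (json.excludeCredentials ?? []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// COSE algorithm identifiers to their common names (only the ones known to this author).
const COSE_ALG_NAMES = {
  "-7": "ES256", "-8": "EdDSA", "-35": "ES384", "-36": "ES512", "-37": "PS256", "-38": "PS384",
  "-39": "PS512", "-257": "RS256", "-258": "RS384", "-259": "RS512", "-65535": "RS1",
};

// Summarise what the relying party asked for; notes are informational findings.
function auditCreationOptions(opts) {
  const algs = opts.pubKeyCredParams.map((p) => p.alg);
  const notes = [];
  if (opts.challenge.byteLength < 16) notes.push("challenge shorter than the 16 bytes WebAuthn recommends");
  if (!algs.includes(-7) && !algs.includes(-257)) notes.push("neither ES256 nor RS256 offered");
  if (opts.authenticatorSelection?.residentKey === "discouraged")
    notes.push("non-discoverable credentials likely; those cannot be offered via Conditional UI");
  if (opts.attestation === "direct")
    notes.push("attestation requested; a strict chain check on the server rejects authenticators it cannot verify");
  return {
    rpId: opts.rp.id,
    challengeBytes: opts.challenge.byteLength,
    userIdBytes: opts.user.id.byteLength,
    excludeCount: opts.excludeCredentials.length,
    algorithms: algs.map((a) => COSE_ALG_NAMES[a] ?? `unknown(${a})`),
    notes,
  };
}

// Constructed sample shaped like the Binance options shown above (e-mail replaced).
const sampleCreationJson = {
  attestation: "direct",
  authenticatorSelection: { residentKey: "discouraged", userVerification: "preferred" },
  challenge: "T6l0KbewCabrlI9gS4U_stfq9la7PvopTtPhmYwelzhwqxWDQiWfz89lZ4eVwR2U_btxHuZVsVBhjSRJT9jCXg",
  excludeCredentials: [{ id: "DUak294rRW6tJDaspoKrJg", transports: ["usb", "nfc", "ble", "hybrid", "internal"], type: "public-key" }],
  pubKeyCredParams: [-65535, -257, -258, -259, -37, -38, -39, -7, -35, -36, -8, -43].map((alg) => ({ alg, type: "public-key" })),
  rp: { id: "binance.com", name: "Binance" },
  user: { displayName: "Chrome V122.0.0.0 (Windows)", id: "MTxwMjAxMTY", name: "user@example.com" },
};
console.log(JSON.stringify(auditCreationOptions(toCreationOptions(sampleCreationJson)), null, 2));
```

The attestation note ties in with the Windows 11 problem from section 3.2: "certificate path validation failed" is the kind of message a server emits when it requests direct attestation and cannot verify the authenticator's attestation certificate chain, although the page does not confirm that this is the cause.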

4.2 Analysis of PublicKeyCredentialRequestOptions

In the analysis of PublicKeyCredentialRequestOptions, the noteworthy element is the use of allowCredentials. This setting plays a crucial role in the authentication process, though no other specific settings within this context were identified as particularly influential or unique to the Binance implementation.

```json
{
  "allowCredentials": [
    {
      "id": "AX3lhlvxFhV75SnTpo-ccNHYvmqxxxXnL1hia1IJBZjLqlluJCZ5RsuuQGIggYZPsrVASOjmw_o8A5dBe-cPy_A",
      "transports": ["hybrid", "internal"],
      "type": "public-key"
    },
    {
      "id": "D8jAUYYqyPenDwvoqFj35ELirZ7-bQKwerse7sHw6fkkIWaQYiDwqmeRL4JLNrb4ipYIGPsJKbPhpaqHk_6pNw7Gw",
      "transports": ["usb", "nfc"],
      "type": "public-key"
    },
    {
      "id": "YrP9RffjrEgjJ0U3fdstc6sXvkQBY",
      "transports": ["hybrid", "internal"],
      "type": "public-key"
    },
    {
      "id": "zDUXuuu4rNqjsdfeFE7tqu6_y-MKwY",
      "transports": ["hybrid", "internal"],
      "type": "public-key"
    },
    {
      "id": "1_2IthTIwerdWBZOmQfikKI5m7WAw",
      "transports": ["hybrid", "internal"],
      "type": "public-key"
    }
  ],
  "challenge": "SVW1--hiFYwLyFiT97htnRecSdYVJg_zqnEL3w6vnsnz4-KE0c9Z-ytKGdT5e2hVb6kwTsODvc5M8S9pnbL9-Fw",
  "rpId": "binance.com",
  "userVerification": "preferred"
}
```

5. The Strategic Advantage of Passkeys for Binance

Binance embarked on the integration of passkeys in March 2023 as a very early adopter. This move was closely preceded by Binance joining the FIDO (Fast IDentity Online) Alliance, a step that positions Binance not just as a participant but as a proactive stakeholder in the development and implementation of the passkey / WebAuthn standards. By aligning with the FIDO Alliance, Binance gains leverage in influencing future adaptations of passkey and WebAuthn technologies so that they align with its strategic objectives.

Binance itself emphasizes the involvement in FIDO as improving user trust and confidence in Binance services. In the volatile and security-sensitive area of the crypto and web3 world, establishing and maintaining trust plays a very important role.

Moreover, Binance's strategy reflects a broader trend in the technology and financial sectors towards embracing passwordless authentication mechanisms. This shift not only enhances security but also significantly improves the user experience by eliminating the need for users to remember complex passwords or undergo cumbersome authentication processes. By adopting passkeys, Binance positions itself at the forefront of this trend, signaling its commitment to adopting cutting-edge technologies that prioritize user security and convenience.

6. Conclusion: Binance Passkeys

The integration of passkeys by Binance marks a great advancement in crypto / web3 security and user authentication. By adopting the new login standard, Binance not only enhances the security landscape of its platform but also significantly improves the user experience, offering a seamless and more intuitive authentication process. The strategic decision to join the FIDO Alliance ahead of rolling out passkeys in March 2023 underscores Binance's commitment to being at the forefront of technological innovation and security in the cryptocurrency industry.
