
Passkeys Guide `coming soon`

Passkeys let your users sign transactions with Face ID or Touch ID instead of a password or seed phrase. The private key is generated and stored in the device's Secure Enclave — Pollar never sees it.


How it works

With the default AWS KMS model, Pollar encrypts and manages the user's private key server-side. When a user enables a Passkey, the key migrates from KMS to their device's Secure Enclave:

Before Passkeys (KMS model)
  Private key → encrypted with AWS KMS → stored server-side
  Signing → Pollar Server decrypts key → signs → discards

After Passkeys (WebAuthn model)
  Private key → generated on device → stored in Secure Enclave
  Signing → user authenticates with Face ID / Touch ID → device signs locally
  Pollar receives only the signature — never the key

This means Pollar has zero custody of the key after Passkey setup. No KMS call, no audit trail needed — the key never touches Pollar infrastructure.


User flow

  1. User logs in with Google, GitHub, or email OTP as usual
  2. After login, your app prompts: "Enable Face ID for faster sign-in"
  3. User taps the button — device generates a keypair in the Secure Enclave
  4. Pollar updates the wallet to use the new Passkey-backed key
  5. All future transaction signatures happen on-device via biometrics

Implementation coming soon

'use client';
import { usePollarPasskey } from '@pollar/react';

export function PasskeySetup() {
  const { setupPasskey, passkeyStatus, loading } = usePollarPasskey();

  if (passkeyStatus === 'active') {
    return <p>✓ Face ID / Touch ID active</p>;
  }

  return (
    <button onClick={() => setupPasskey()} disabled={loading}>
      Enable Face ID
    </button>
  );
}

setupPasskey() triggers the WebAuthn registration flow:

  1. Pollar Server generates a challenge
  2. Device's Secure Enclave signs the challenge with a new keypair
  3. Public key is sent to Pollar Server and associated with the wallet
  4. Private key never leaves the device

Account recovery

If the user loses their device, Pollar provides three recovery layers:

  Layer  Mechanism                                                      Covers
  1      Native cloud sync (iCloud Keychain / Google Password Manager)  ~80% of cases
  2      Secondary Passkey registered on a backup device                Multi-device users
  3      Social re-keying via OAuth re-auth + Stellar setOptions        Total device loss

Security properties

  Property                       KMS model                  Passkeys model
  Key stored server-side         Yes (encrypted)            No
  Pollar can access key          With CloudTrail audit      Never
  Requires biometrics to sign    No                         Yes
  Works offline                  No                         Yes (signing only)
  Recovery if device lost        N/A                        3-layer recovery

Browser and device support

WebAuthn (the underlying standard) is supported on:

  • iOS 16+ (Face ID, Touch ID)
  • Android 9+ (fingerprint, face unlock)
  • macOS with Touch ID
  • Windows Hello
  • Any device with a FIDO2 hardware key

Enabling Passkeys for your app

When available, Passkeys can be enabled per-app from Dashboard → Configuration → App Settings → Key Management. The feature is opt-in — existing users are not affected until they set up a Passkey themselves.
