Modern Wallet Security: Understanding Cloud Backups vs Passkeys

See all posts

Introduction

Cryptocurrency wallets are getting closer to what everyday users expect from modern apps. Two approaches are leading the way in making wallets both secure and easy to use: wallets that use encrypted cloud backups managed by providers, and those that use passkeys. While both rely on trusted providers to handle backup and recovery, they differ in important ways. For more background on traditional crypto wallet types and their security models, see our wallet framework guide.

The Foundation: Account Abstraction

Account abstraction is a key innovation that changes how wallet security can work. It separates the way transactions are verified from specific cryptographic requirements. This makes it possible to use passkeys, enable recovery through trusted contacts, and add extra security steps like two-factor authentication. Without account abstraction, passkeys wouldn't work for wallet security since traditional wallets need specific types of cryptographic signatures that passkeys can't provide. Learn more about how account abstraction enables modern wallet features.

Two Paths to Modern Wallet Security

Provider-Managed Cloud Backup

Modern wallets using cloud backup store your encrypted private key in cloud storage (like iCloud or Google Drive). The wallet provider keeps the key needed to decrypt it, making recovery smooth without requiring you to manage extra secrets. In this setup, your wallet provider handles the encryption and decryption, while your encrypted backup stays in your personal cloud storage. To recover your wallet, you need both access to your cloud storage and the wallet provider's systems. Currently, you can only sign transactions from mobile devices, as web browsers don't have direct access to device security features like secure enclaves. The security of this approach depends on both your cloud storage provider and wallet provider maintaining their security and staying operational.

Passkey-Based Security

Passkeys work differently by connecting directly with platform identity systems (Apple, Google, or password managers). Instead of storing a backup in your cloud storage, the entire system for managing your keys lives within the platform's infrastructure. This lets you sign transactions from both mobile and desktop devices, with automatic syncing across your devices and platform-managed backup and recovery. You don't need a separate wallet provider.

Trust Models Compared

Both approaches need you to trust providers, but there's an important difference in how much trust is required. With passkeys, the platform provider has complete control of your key material within their infrastructure, managing both storage and transmission. This means placing significant trust in the platform provider's security systems. With encrypted cloud backups, the trust is split: the wallet provider only has the decryption key, while your encrypted backup stays in your personal cloud storage. This separation means no single provider has access to everything needed to control your wallet, which could reduce the impact if any single provider is compromised.

Recovery Options and Safety Nets

Guardian-Based Recovery

A major advantage of smart contract wallets is that you can set up guardians - trusted people or organizations who can help you recover wallet access if your main access method fails. This works with both cloud backup and passkey approaches, reducing your dependence on any single provider through recovery involving trusted friends, family, or institutions. Guardian-based recovery includes time delays to prevent unauthorized access and ensures that losing access to cloud storage, platform accounts, or provider services doesn't mean losing your funds forever.

Recovery Process Differences

The recovery processes work quite differently. With provider-managed cloud backup, you need to download an encrypted backup from your cloud storage, and the wallet provider's systems handle decryption. This requires both cloud access and the wallet provider to be available, and you can only recover to mobile devices. With passkeys, recovery happens entirely through platform systems, which handle all aspects of getting your keys back and can recover to both mobile and desktop devices, though you're completely dependent on the platform being available. Both approaches can be made stronger by setting up guardian recovery as a backup plan.

Key Considerations

Comparing Trust Models

The two approaches require different kinds of trust. With provider-managed cloud backup, trust is split: the wallet provider only handles decryption systems, while your cloud storage provider only stores the encrypted backup. This means if either provider has a security breach, your wallet remains safe. With passkeys, you're placing more complete trust in your platform provider, as they handle all aspects of your keys within their identity infrastructure. This includes trusting their syncing and backup systems, their long-term support of passkey standards, and their security against unauthorized recovery. In both cases, setting up guardians can reduce these trust requirements by providing a backup recovery option.

At a Glance: Cloud Backup vs Passkeys

Aspect Provider-Managed Cloud Backup Passkeys
Primary Trust Anchor Wallet provider (decryption key) + Cloud storage provider (encrypted backup) Platform provider (entire key material)
Key Storage Encrypted in personal cloud storage Within platform's secure infrastructure
Device Support Mobile-focused Cross-device (mobile and desktop)
Recovery Process Requires cloud access + provider systems Managed entirely by platform
Sync Security Encrypted transmission via cloud storage Encrypted transmission via platform sync
Provider Dependencies Split between wallet and cloud providers Single platform provider
Guardian Recovery Available as backup Available as backup
Account Abstraction Required No Yes

Looking Forward

Passkeys and cloud backups both represent significant improvements over seed phrases for crypto wallet security. Passkeys in particular offer an exciting step forward in usability - they're built into our devices, work seamlessly across platforms, and make using crypto feel as natural as logging into any modern app.

However, it's important to understand the underlying trust model. While cloud backups distribute trust across multiple providers, passkeys consolidate it within platform providers like Apple and Google. This creates a more streamlined experience but means users must fully trust their platform's security - against both external attacks and potential internal compromises. As our industry adopts passkeys, we need to think carefully about how much trust this places in platform providers with our digital assets.