By AUJay
Building “Keyless” Wallets Using Secure Enclaves and MPC
There is a mix-up between platform keys and chain curves: iOS and Android passkeys use P-256, while your L1 still uses secp256k1.
The last time you tried a bridge library, legal flagged it with something like "no attestation chain," and your test users hit an "unsupported algorithm" error. (eip.info)
Android's Remote Key Provisioning (RKP) root rotation is under way: from February until April 10, 2026, RKP devices move to a new Android Attestation root. If your trust store is not updated, attestation verification will start failing on newer devices, which undermines fraud prevention in production. (developer.android.com)
Your security team is unlikely to approve pure-software MPC after the GG18/GG20 findings. They want FIPS 140-3 HSM boundaries and enclave attestation in the architecture, with real detail rather than a slide deck. (fireblocks.com)
- Missed deadlines: Ethereum's 2025 Pectra mainnet upgrade (EIP-7702) changes wallet UX: users can delegate smart-account behavior from their EOAs without switching addresses. If your platform lacks 7702-style smart features, users will start looking at competitors. (blog.ethereum.org)
- Broken auth after rotation: If your Android verifier does not pick up the new attestation root, device-bound keys will be rejected, particularly on RKP-only devices running Android 16 and later. That means a pile-up of support requests, delayed KYC, and blocked withdrawals. (developer.android.com)
- NIST/FIPS procurement hurdles: Your RFPs now require a "FIPS 140-3 Level 3 HSM" and verifiable enclave attestation for key material, including MPC shares. If you cannot trace those shares back to HSM or enclave sources, vendor risk teams will stall the deal. (AWS Docs)
We build keyless wallets by combining device attestation, MPC threshold signing, and smart-account permissions. The outcome: no seed phrases, a device identity you can trust, and a recovery model that procurement teams will sign off on.
1) Requirements and Compliance Framing (1-2 weeks)
- Chains and signature schemes: For Ethereum and rollups, keep secp256k1 as the base and add P-256 verification (RIP-7212 and EIP-7951) on L2s, and on L1 where feasible, for passkey flows.
- Bitcoin/Taproot: Schnorr (BIP-340), which fits FROST threshold signatures well.
- Solana/TON: Ed25519. Newer WebAuthn deployments increasingly support EdDSA; prefer Ed25519 where the authenticator offers it, otherwise fall back to session keys with on-chain verifiers.
- Regulatory anchors: Put custody and recovery shares behind a FIPS 140-3 Level 3 HSM boundary using managed HSMs (AWS, Azure). Require enclave attestation for the MPC online nodes, using AWS Nitro Enclaves with KMS attestation-based key policies.
2) Device Trust and “Passkey-First” Login (2-4 Weeks)
- iOS/macOS: Use Managed Device Attestation (MDA) to bind a hardware-generated keypair to the Secure Enclave and obtain an Apple-signed attestation certificate chain. Verify the chain server-side and bind the wallet profile to that device.
- Android: Use Key Attestation with KeyMint or StrongBox. Update your trust stores now for Google's 2026 root rotation: by April 10, 2026, all RKP devices move to the new ECDSA P-384 root. Set up dual-root trust and add CRL checks.
- Passkey UX: Ship WebAuthn Client Capabilities and Conditional Create so browsers can create a passkey immediately after a password login. This eases migration, exposes backup eligibility, reduces prompts, and increases enrollments.
3) Curve Mismatch Resolution (The Practical Way)
On rollups and L2 stacks that already ship P-256 precompiles, verify P-256 signatures on-chain via RIP-7212 and EIP-7951. A hardware-backed passkey can then authorize wallet actions directly.
On Ethereum L1, EIP-7702 gives you smart-account delegation while keeping the EOA address, so execution goes through a contract that can handle the passkey's algorithm. Alternatively, use ERC-4337 accounts that validate P-256 with an on-chain verifier module.
For chains that cannot verify passkey curves, bind passkeys to short-lived "session keys": the user proves possession via WebAuthn, and the dapp receives an ERC-7715 permission grant that it can exercise within bounds (amounts, targets, expiry) through the ERC-7710 DelegationManager.
4) Threshold Signing: Where It Really Counts
For chain-native ECDSA, use the newer ECDSA TSS protocols, CGGMP21 and its 2024 revision, rather than GG18/GG20, which have well-documented Paillier-related issues. We typically run 2 to 3 online signing nodes with identifiable aborts, precomputation, and key refresh. (docs.rs)
For Schnorr/EdDSA (Bitcoin Taproot, some L2s), use FROST (IRTF RFC 9591). It is a solid choice for reliable, asynchronous signing that tolerates churn and partial failures; consider adding ROAST for robustness.
5) Hardware Roots of Trust for MPC Shares
- Share hardening:
  - Hot path: MPC signers run in AWS Nitro Enclaves and obtain one-time data keys from KMS only if the enclave attestation document satisfies the key policy (PCR/image checks). This binds the runtime to the code identity.
  - Cold path: The recovery share lives in a FIPS 140-3 Level 3 HSM cluster (AWS CloudHSM or Azure Managed HSM). Rotate it and manage export policies under a quorum.
- Device-side shares: On iOS, keys are non-exportable, and a device wipe destroys them through the Secure Enclave's secret wiping. Enroll multiple passkeys to avoid user lockouts.
6) Smart-account UX that your PM will love
- ERC-7715 permissions: Grant scoped permissions such as "autopay up to X USDC per month" or "trade within pool Y at slippage ≤ Z% until T" without repeated prompts. Redeem via the ERC-7710 DelegationManager, simulate before submitting, and revoke on-chain or by policy when needed.
- Pectra/EIP-7702: Keep the existing EOA address while delegating to smart code for batching, sponsored or stablecoin fees, and simpler recovery. Early adoption is strong: since launch, weekly authorizations are in the five-figure range.
- Counterfactual signatures: ERC-6492 lets a user sign before the account's first transaction. Constrain the deployment target and simulate ahead of time to avoid the arbitrary-call issues seen in the wild.
7) Instrumentation, SLOs, and Runbooks
Track a few key SLIs: passkey enrollment success rate, attestation latency, UserOp success rate, EIP-7702 delegation success, MPC share availability, and time-to-first-transaction.
Runbooks: when the Android attestation root changes, reload trust stores automatically; when Apple MDA OIDs change, pin and roll; when a signer drops out, fail over to the ROAST path or an identifiable-abort path; when precompile support differs between L2s, route to networks that support EIP-7951. (developer.android.com)
- For Heads of Product in fintech and payments: Put these terms in your PRD: "EIP-7702 batched transfers," "RIP-7212/EIP-7951 P-256 passkeys on L2," "ERC-7715 subscriptions," "3DS2/SCA passkey-first fallback," "session keys," and "time-to-first-transaction < 60s."
- For Enterprise IAM and Security Architects: Key terms: "Managed Device Attestation (Apple)," "Android RKP root rotation (P-384)," "StrongBox/KeyMint attestationSecurityLevel=TrustedEnvironment/StrongBox," "AWS Nitro Enclaves + KMS Recipient attestation," "FIPS 140-3 Level 3 HSM," and "SIEM-grade attest logs." (support.apple.com)
- For Procurement/Vendor Risk: Watch for "key custody boundary evidence," "change-controlled root stores," "RTO/RPO for MPC quorum," "PCI DSS 4.0 mapping," "ISO/IEC 27001:2022 artifact pack," and "cryptographic bill of materials (CBOM)." (docs.aws.amazon.com)
Ethereum Consumer Wallet with Passkeys, No Seed Phrase
- Goal: One-tap sign-in, user-scoped permissions, and stablecoin-paid fees.
- Design: WebAuthn passkeys on iOS and Android, verified with Apple MDA or Android Key Attestation; retain the attestation evidence until it expires. On Base, OP-Stack, or other L2s with P-256 precompiles, verify passkey signatures on-chain via RIP-7212 and EIP-7951. Use EIP-7702 to delegate from the EOA to smart behavior for batching and fee handling. Use ERC-7715 for recurring actions such as autopay and limit orders, with ERC-7710 for revocation, and simulate redemption before submitting.
- Why it works: Users get a seamless "keyless" experience backed by hardware keys and attestation, procurement gets the auditability it requires, and you avoid ECDSA curve mismatches on L2s that ship the precompile. On L1, delegation and session permissions keep the UX seamless.
Bitcoin/Taproot Treasury Controls with Mobile Co-signers
Goal
Let executives co-sign transactions from their phones while retaining real hardware protection.
Design
Use FROST for 2-of-3 or 3-of-5 Schnorr signing (RFC 9591). One share lives in a server enclave (AWS Nitro), one on a protected admin device (StrongBox or Secure Enclave), and one in a recovery HSM vault.
The enclave receives MPC presign material only after KMS validates its attestation document; the phone co-signers are hardware-backed and attested. (AWS Nitro Enclaves documentation)
Outcome
No single device is worth stealing, every signing round has a full audit trail, and FROST keeps the interactive rounds short.
Institutional ECDSA MPC with FIPS Boundary and Modern Protocols
- Goal: A programmable treasury whose key lifecycle is insulated from vendor risk.
- Design: ECDSA per CGGMP21/24 with identifiable aborts and key refresh; GG18 and GG20 are avoided because of the Paillier modulus problems. Online signing runs in Nitro Enclaves; recovery shares are stored in FIPS 140-3 L3 HSMs. Every release of share material is gated by verified KMS Recipient policies. (AWS documentation)
Best Emerging Practices for 2026 Builds
- Update your Android attestation trust stores: Add the new RKP attestation root (ECDSA P-384) now and keep the legacy root until April 10, 2026. Check attestationSecurityLevel and consult the CRLs. (developer.android.com)
- Use Apple Managed Device Attestation: When device provenance matters (work-managed setups, regulated tasks), MDA binds the verified key to a specific Secure Enclave and the device's board IDs. (support.apple.com)
- Passkeys on Ethereum: Target networks that support RIP-7212/EIP-7951. On L1, use session keys via ERC-7715/ERC-7710 or delegate via EIP-7702. (gov.optimism.io)
- Retire legacy GG18/GG20: Use MPC-CMP or CGGMP21/24 implementations with identifiable aborts and documented side-channel mitigations, and track vendor patches. (fireblocks.com)
- Plan for a gradual PQC transition: Android will roll out ML-DSA attestation keys; keep your verification pipeline flexible so the change is easy to absorb. (developer.android.com)
- Counterfactual signatures: Use ERC-6492 for pre-deploy authentication, treat factoryCalldata with care, and simulate to avoid the known bypass problems. (eips.ethereum.org)
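The trust-store rotation and attestationSecurityLevel checks above, as an added example (not code from the original post): a policy layer for Android Key Attestation that accepts the legacy root only before the April 10, 2026 cutoff, always accepts the new P-384 root, rejects revoked serials and non-hardware security levels, and binds the attestation to the server's challenge. It assumes an X.509 library has already validated the chain's signatures and handed over the fields used here; the root DER blobs, serials, and dates are constructed placeholders, not Google's real values.

```python
import hashlib
from datetime import date

# The post's cutover: RKP devices move to the new ECDSA P-384 root by April 10, 2026,
# so the legacy root is accepted only before that date.
LEGACY_ROOT_CUTOFF = date(2026, 4, 10)
HARDWARE_LEVELS = {"TrustedEnvironment", "StrongBox"}   # "Software" is never accepted

# Constructed placeholder root certificates (NOT Google's real roots or fingerprints);
# in production these are the DER roots published in the Android attestation root list.
LEGACY_ROOT_DER = b"PLACEHOLDER-LEGACY-ANDROID-ATTESTATION-ROOT"
NEW_P384_ROOT_DER = b"PLACEHOLDER-NEW-RKP-ECDSA-P384-ROOT"


def fingerprint(der):
    """SHA-256 of the root certificate DER; the trust store is keyed on this."""
    return hashlib.sha256(der).hexdigest()


# Dual-root trust store: name and retirement date (None = no retirement date).
TRUST_STORE = {
    fingerprint(LEGACY_ROOT_DER): ("legacy", LEGACY_ROOT_CUTOFF),
    fingerprint(NEW_P384_ROOT_DER): ("rkp-p384", None),
}


def evaluate_attestation(chain, expected_challenge, revoked_serials, today):
    """Policy decision for a chain whose signatures were already validated.

    chain is a dict the X.509 layer hands over (constructed shape for this example):
      root_der, serials (every cert in the chain), attestation_challenge,
      attestation_security_level, keymint_security_level.
    Returns (accepted, reason).
    """
    name, retire = TRUST_STORE.get(fingerprint(chain["root_der"]), (None, None))
    if name is None:
        return False, "root not in trust store"
    if retire is not None and today >= retire:
        return False, "%s root retired on %s; update the verifier trust store" % (name, retire)
    hit = set(chain["serials"]) & set(revoked_serials)
    if hit:
        return False, "revoked certificate serial(s): " + ", ".join(sorted(hit))
    if chain["attestation_challenge"] != expected_challenge:
        return False, "attestation challenge mismatch (possible replay)"
    for field in ("attestation_security_level", "keymint_security_level"):
        if chain[field] not in HARDWARE_LEVELS:
            return False, "%s=%s is not hardware-backed" % (field, chain[field])
    return True, "accepted via %s root at %s" % (name, chain["attestation_security_level"])


# Constructed sample chains; serials are arbitrary hex strings.
SAMPLE_NEW_ROOT_CHAIN = {
    "root_der": NEW_P384_ROOT_DER, "serials": ["01", "0a", "3f"],
    "attestation_challenge": b"server-nonce-1",
    "attestation_security_level": "StrongBox", "keymint_security_level": "StrongBox",
}
SAMPLE_LEGACY_ROOT_CHAIN = dict(SAMPLE_NEW_ROOT_CHAIN, root_der=LEGACY_ROOT_DER,
                                serials=["02", "0b", "40"])
SAMPLE_SOFTWARE_CHAIN = dict(SAMPLE_NEW_ROOT_CHAIN, attestation_security_level="Software",
                             keymint_security_level="Software")
BEFORE_CUTOFF, AFTER_CUTOFF = date(2026, 3, 1), date(2026, 5, 1)

if __name__ == "__main__":
    for label, chain, day in (("new root", SAMPLE_NEW_ROOT_CHAIN, AFTER_CUTOFF),
                              ("legacy before cutoff", SAMPLE_LEGACY_ROOT_CHAIN, BEFORE_CUTOFF),
                              ("legacy after cutoff", SAMPLE_LEGACY_ROOT_CHAIN, AFTER_CUTOFF),
                              ("software level", SAMPLE_SOFTWARE_CHAIN, AFTER_CUTOFF)):
        print(label, evaluate_attestation(chain, b"server-nonce-1", [], day))
```

Run the CRL fetch and the trust-store reload from the rotation runbook so that `TRUST_STORE` and `revoked_serials` change without a code deploy.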
When configuring WebAuthn creation options, prefer hardware-backed P-256 (ES256):
{
"publicKey": {
"rp": { "name": "Acme Wallet" },
"user": { "id": "<32B-random>", "name": "user@example.com", "displayName": "User" },
"challenge": "<32B-random>",
"pubKeyCredParams": [{ "type": "public-key", "alg": -7 }], // ES256 (P-256)
"authenticatorSelection": { "residentKey": "preferred", "userVerification": "required" },
"attestation": "direct",
"timeout": 60000
}
}
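The curve mismatch from the opening and the options above, as an added example (not code from the original post): a server builds the creation options so the authenticator only picks a curve the target chain can verify, then decodes the returned COSE key and classifies it as directly verifiable on-chain or needing the delegated-verifier/session-key path, raising the "unsupported algorithm" case for anything that is not P-256 or Ed25519. The chain table, chain names, and the sample COSE keys (with dummy coordinates) are constructed for this example.

```python
import base64

COSE_ES256, COSE_EDDSA = -7, -8            # ECDSA/P-256 (platform passkeys), Ed25519
COSE_KTY_OKP, COSE_KTY_EC2 = 1, 2
COSE_CRV_P256, COSE_CRV_ED25519 = 1, 6

# Which COSE algorithms each chain family verifies on-chain, constructed from the post:
# P-256 precompiles on L2 (RIP-7212/EIP-7951), secp256k1-only L1, Ed25519 on Solana/TON.
ONCHAIN_ALGS = {"l2-p256-precompile": {COSE_ES256}, "ethereum-l1": set(), "solana": {COSE_EDDSA}}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def creation_options(rp_name, user_id, user_name, challenge, chain):
    """PublicKeyCredentialCreationOptions: ES256 is always offered; EdDSA is listed first
    only for chains that verify Ed25519 natively."""
    if len(challenge) < 32 or len(user_id) < 16:
        raise ValueError("challenge and user id must be server-generated random bytes")
    params = [{"type": "public-key", "alg": COSE_ES256}]
    if COSE_EDDSA in ONCHAIN_ALGS[chain]:
        params.insert(0, {"type": "public-key", "alg": COSE_EDDSA})
    return {"publicKey": {
        "rp": {"name": rp_name},
        "user": {"id": _b64url(user_id), "name": user_name, "displayName": user_name},
        "challenge": _b64url(challenge),
        "pubKeyCredParams": params,
        "authenticatorSelection": {"residentKey": "preferred", "userVerification": "required"},
        "attestation": "direct",      # we need the attestation chain for device binding
        "timeout": 60000,
    }}


def _decode_cbor(buf, pos=0):
    """Minimal CBOR decoder for the COSE_Key subset: ints, byte/text strings, arrays, maps."""
    ib = buf[pos]; pos += 1
    major, ai = ib >> 5, ib & 0x1F
    if ai < 24:
        val = ai
    elif ai <= 27:
        n = 1 << (ai - 24)
        if pos + n > len(buf):
            raise ValueError("truncated CBOR integer")
        val = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    else:
        raise ValueError("unsupported CBOR additional info %d" % ai)
    if major == 0:
        return val, pos
    if major == 1:
        return -1 - val, pos
    if major in (2, 3):
        if pos + val > len(buf):
            raise ValueError("truncated CBOR string")
        chunk = bytes(buf[pos:pos + val])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + val
    if major == 4:
        items = []
        for _ in range(val):
            item, pos = _decode_cbor(buf, pos); items.append(item)
        return items, pos
    if major == 5:
        out = {}
        for _ in range(val):
            k, pos = _decode_cbor(buf, pos); v, pos = _decode_cbor(buf, pos); out[k] = v
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def classify_credential(raw_cose_key, chain):
    """Return 'onchain-direct' or 'delegated-verifier-or-session-key'; raise on bad keys."""
    key, end = _decode_cbor(raw_cose_key)
    if end != len(raw_cose_key) or not isinstance(key, dict):
        raise ValueError("malformed COSE_Key")
    kty, alg, crv = key.get(1), key.get(3), key.get(-1)   # COSE labels kty=1, alg=3, crv=-1
    if not ((alg == COSE_ES256 and kty == COSE_KTY_EC2 and crv == COSE_CRV_P256) or
            (alg == COSE_EDDSA and kty == COSE_KTY_OKP and crv == COSE_CRV_ED25519)):
        raise ValueError("unsupported algorithm: alg=%r kty=%r crv=%r" % (alg, kty, crv))
    return "onchain-direct" if alg in ONCHAIN_ALGS[chain] else "delegated-verifier-or-session-key"


def credential_error(raw_cose_key, chain):
    """Error text for a rejected credential, or None if it is acceptable."""
    try:
        classify_credential(raw_cose_key, chain)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample keys (dummy coordinates, not real curve points; decoding only).
SAMPLE_P256_COSE_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + bytes(range(1, 33)) +
                        b"\x22\x58\x20" + bytes(range(33, 65)))          # {1:2,3:-7,-1:1,-2:x,-3:y}
SAMPLE_RS256_COSE_KEY = (b"\xa4\x01\x03\x03\x39\x01\x00\x20\x58\x20" + bytes(32) +
                         b"\x21\x43\x01\x00\x01")                          # {1:3,3:-257,-1:n,-2:e}
```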
- Server verification notes: For iOS and macOS, accept the Apple MDA chain (the Enterprise Attestation Root) and check the freshness code and the sepOS/board OIDs.
- Android: Parse the KeyDescription and require attestationSecurityLevel to be TrustedEnvironment or StrongBox. Pin the new RKP root and check the revocation lists.
ERC‑7715 Permission Grant (Conceptual)
ERC-7715 covers permission grants: it standardizes how users grant scoped permissions to dapps in a decentralized setting, which makes permissions easier to handle for developers and users alike.
What is ERC-7715?
ERC-7715 is a standard for requesting and managing permission grants on Ethereum. It makes assigning and managing permissions simpler, so users stay secure and in control of their assets.
Key Features
- Fine-grained control: Set specific permissions per action.
- Revocable access: Adjust or revoke a permission at any time.
- Interoperability: Designed to fit existing Ethereum standards, tokens, and dApps.
Use Cases
Scenarios where ERC-7715 helps:
1. Decentralized Finance (DeFi): Grant dApps limited permissions without giving up ownership.
2. NFT marketplaces: Artists can authorize specific platforms to sell or display their work while retaining most of their rights.
3. Collaborative projects: Teams decide who may use which features in a shared space.
Conclusion
ERC-7715 improves how permissions work in the Ethereum ecosystem by giving users more control and flexibility, which enables better experiences and safer interactions. Keep it on your radar when designing permissions for your projects.
await window.ethereum.request({
  method: "wallet_requestExecutionPermissions",
  params: [{
    chainId: "0x1",
    to: "0xSessionAccount",
    permission: { type: "erc20-token-allowance", isAdjustmentAllowed: false, data: {
      // USDC has 6 decimals, so 0.01 USDC is 10000 base units
      token: "0xA0b86991...", allowance: "0x2710" // 0.01 USDC
    }},
    rules: [{ type: "expiry", data: { timestamp: 1751328000 } }] // Jul 1, 2025 00:00 UTC
  }]
});
Simulate before redeeming via the ERC-7710 DelegationManager. (eips.ethereum.org)
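The bounded grant described under session keys and in the snippet above, as an added example (not code from the original post): a backend policy check that a wallet service can run on an ERC-7715 permission request before granting it or redeeming it via ERC-7710. It mirrors the request shape above; the token address, chain allowlist, cap, and expiry window are constructed placeholders, and the helper shows why allowances must be expressed in the token's base units.

```python
from decimal import Decimal

# Constructed policy for this example: allowed chains and tokens (address -> symbol,
# decimals), the per-grant cap in whole tokens, and the longest permitted expiry window.
POLICY = {
    "allowed_chains": {"0x1"},
    "allowed_tokens": {"0x" + "11" * 20: ("USDC", 6)},   # placeholder token address
    "max_allowance": Decimal("50"),
    "max_duration_s": 30 * 24 * 3600,
}


def token_allowance_hex(amount, decimals):
    """Human amount (e.g. '0.01') -> hex base-unit string as ERC-7715 expects it."""
    scaled = Decimal(amount) * (10 ** decimals)
    units = scaled.to_integral_value()
    if units != scaled or units < 0:
        raise ValueError("amount is not representable in %d decimals" % decimals)
    return hex(int(units))


def check_permission_request(req, now_ts):
    """Return policy violations (empty list = acceptable) for one params entry of
    wallet_requestExecutionPermissions."""
    problems = []
    if req.get("chainId") not in POLICY["allowed_chains"]:
        problems.append("chainId %r not allowed" % req.get("chainId"))
    perm = req.get("permission", {})
    if perm.get("type") != "erc20-token-allowance":
        problems.append("unsupported permission type %r" % perm.get("type"))
        return problems
    if perm.get("isAdjustmentAllowed", True):     # absent counts as adjustable, so reject
        problems.append("isAdjustmentAllowed must be false for a scoped grant")
    token = perm.get("data", {}).get("token", "").lower()
    entry = POLICY["allowed_tokens"].get(token)
    if entry is None:
        problems.append("token %s not on allowlist" % token)
    else:
        symbol, decimals = entry
        raw = int(perm["data"]["allowance"], 16)
        amount = Decimal(raw) / (10 ** decimals)
        if amount > POLICY["max_allowance"]:
            problems.append("allowance %s %s (%d base units) exceeds cap %s; check decimals"
                            % (amount, symbol, raw, POLICY["max_allowance"]))
    expiries = [r for r in req.get("rules", []) if r.get("type") == "expiry"]
    if len(expiries) != 1:
        problems.append("exactly one expiry rule is required")
    else:
        ts = expiries[0]["data"]["timestamp"]
        if ts <= now_ts:
            problems.append("expiry is in the past")
        elif ts - now_ts > POLICY["max_duration_s"]:
            problems.append("expiry window exceeds %d s" % POLICY["max_duration_s"])
    return problems


NOW_TS = 1750000000   # constructed "now" (mid-June 2025), before the expiry in the snippet
GOOD_REQUEST = {
    "chainId": "0x1", "to": "0xSessionAccount",
    "permission": {"type": "erc20-token-allowance", "isAdjustmentAllowed": False,
                   "data": {"token": "0x" + "11" * 20, "allowance": token_allowance_hex("0.01", 6)}},
    "rules": [{"type": "expiry", "data": {"timestamp": 1751328000}}],
}
# Same request with the allowance in the wrong units: 0x2386F26FC10000 is 10**16 base units,
# which for a 6-decimal token is ten billion USDC rather than 0.01.
BAD_UNITS_REQUEST = dict(GOOD_REQUEST, permission={
    "type": "erc20-token-allowance", "isAdjustmentAllowed": False,
    "data": {"token": "0x" + "11" * 20, "allowance": "0x2386F26FC10000"}})

if __name__ == "__main__":
    print("good:", check_permission_request(GOOD_REQUEST, NOW_TS))
    print("bad units:", check_permission_request(BAD_UNITS_REQUEST, NOW_TS))
```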
Why This Unlocks ROI (with Fresh Metrics You Can Cite Internally)
- Conversion and success rates: Microsoft reports passkey sign-ins succeed about 98% of the time versus 32% for the usual password plus MFA, and are up to 8 times faster. That directly raises the share of users who go from sign-in to first transaction.
- Adoption: In 2025, nearly a million passkeys are registered per day on Microsoft's consumer platforms, and the FIDO Alliance reports strong growth among major deployers.
- Checkout and auth reliability: Payment networks and banks report gains of about 2-3 percentage points in success rates when passkeys replace OTP steps. Small percentages compound at volume.
- Feature uptake: After Pectra, wallets recorded over 11,000 EIP-7702 authorizations in the first week alone, showing that users adopt smart-account features as soon as they ship.
How We Engage (and What We Deliver)
- Design, build, and integration: Smart accounts and permissions (EIP-7702, ERC-4337, and the newer ERC-7710/7715), on-chain verifiers (EIP-7951, RIP-7212), and MPC signer clusters, typically in 6 to 10 weeks through our custom blockchain development and blockchain integration services (see the post at blog.ethereum.org). Security: attestation verification, enclave policies, HSM key ceremonies, and an audit pack, through our security audit services. Growth plumbing: dapp sessions, 7715 permission prompts, paymaster flows, and KPI instrumentation, through our web3 development services.
- Relevant links:
  - custom blockchain development services
  - blockchain integration
  - security audit services
  - web3 development services
  - smart contract development
  - cross-chain solutions development
  - for consumer DeFi UX: DeFi development services and dapp development accelerators
What will this cost, and how long will it take? A reference timeline we actually hit
- 0-2 weeks: device attestation verifiers (Apple Managed Device Attestation, Android Key Attestation) with the RKP root rotation folded into the trust store so both the old and the new Android root verify during the transition window; passkey flows running in staging; signed test vectors for every curve and signer path.
- 3-6 weeks: ERC-7715 permission requests and ERC-7710 redemption; EIP-7702 delegation or ERC-4337 bundler integration, depending on what the product needs; on-chain P-256 verification on the L2s that expose the RIP-7212 precompile.
- 6-10 weeks: MPC signer cluster in Nitro Enclaves with HSM-backed recovery; runbooks and SLOs; production cutover behind feature toggles.
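The "signed test vectors" in week 0-2 and the "on-chain P-256 verification" in week 3-6 share one failure mode from the intro: a platform key on P-256 fed to a verifier built for secp256k1, or the reverse. The following is an added example (not code from this page or any vendor) that builds RIP-7212-style precompile calldata and checks it against a pure-Python P-256 reference verifier, so a team can produce vectors offline before touching an L2. The 160-byte layout (hash || r || s || qx || qy), the 0x100 address and the "32-byte 1 on success, empty on failure" output follow the RIP-7212 text; the private key, message and nonce derivation are constructed for reproducibility and would never exist outside the Secure Enclave or Keystore in a real deployment.

```python
"""P-256 (secp256r1) ECDSA reference verifier plus RIP-7212 / EIP-7951 precompile
input encoding, for generating and checking signed test vectors offline.
Added example, pure Python standard library; not code from the page or any project."""
import hashlib

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# secp256k1 generator: a chain-curve key that a P-256 verifier must reject
SECP256K1_G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
               0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
P256VERIFY_ADDRESS = 0x100  # precompile address in RIP-7212 and EIP-7951

def is_on_curve(pt):
    """True iff pt is an affine point on y^2 = x^3 - 3x + b over F_p (not infinity)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2, including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Double-and-add; fine for a test-vector tool, not constant time."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def sign(priv, msg_hash, k):
    """ECDSA over a 32-byte hash with a caller-supplied nonce k (test vectors only)."""
    z = int.from_bytes(msg_hash, "big")
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s

def verify(pub, msg_hash, r, s):
    """Standard ECDSA verification, including the public-key-on-curve check."""
    if not is_on_curve(pub) or not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(msg_hash, "big")
    w = pow(s, -1, N)
    R = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return R is not None and R[0] % N == r

def encode_precompile_input(msg_hash, r, s, pub):
    """RIP-7212 calldata: hash(32) || r(32) || s(32) || qx(32) || qy(32) = 160 bytes."""
    return msg_hash + b"".join(v.to_bytes(32, "big") for v in (r, s, pub[0], pub[1]))

def simulate_precompile(data):
    """Mirror the precompile contract: 32-byte 1 on success, empty bytes otherwise
    (wrong length, off-curve key and invalid signature all yield empty output)."""
    if len(data) != 160:
        return b""
    h, r, s, qx, qy = (data[i:i + 32] for i in range(0, 160, 32))
    pub = (int.from_bytes(qx, "big"), int.from_bytes(qy, "big"))
    ok = verify(pub, h, int.from_bytes(r, "big"), int.from_bytes(s, "big"))
    return (1).to_bytes(32, "big") if ok else b""

def make_test_vector(message, priv):
    """One 160-byte vector for a message and private scalar. The nonce is derived by
    hashing purely for reproducibility (not RFC 6979); real signing happens inside the
    Secure Enclave / Keystore and never exposes k."""
    h = hashlib.sha256(message).digest()
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + h).digest(), "big") % N or 1
    r, s = sign(priv, h, k)
    return encode_precompile_input(h, r, s, scalar_mult(priv, G))

if __name__ == "__main__":
    vec = make_test_vector(b"constructed test message", 0x1234567890abcdef)  # constructed key
    print("precompile accepts vector:", simulate_precompile(vec) != b"")
    print("secp256k1 generator is on P-256:", is_on_curve(SECP256K1_G))
```

Feed the same 160-byte vector to `eth_call` against address 0x100 on the target L2 and compare the returned bytes with `simulate_precompile`; a chain that returns empty for a vector this verifier accepts either lacks the precompile or differs from the RIP-7212 output convention, and EIP-7951 should be checked separately for any divergence before relying on it on L1.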
A Quick Note on ZK and Privacy
We keep personally identifiable information out of stored attestation evidence. When a relying party only needs to know "hardware-backed, current OS", we evaluate that policy off-chain and persist a salted digest of the attestation claims next to the decision, not the claims themselves. The digest is a commitment rather than a zero-knowledge proof: with the salt and the originally presented evidence an investigator can re-open it during a fraud review; without the salt it reveals nothing, even though the claim space is small enough to guess. That is least privilege applied to evidence: the relying party gets exactly the decision it needs, and the audit trail stays verifiable.
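What the salted-digest record looks like in practice, as an added example that is not the page's or any vendor's code: the policy is evaluated once, the stored record carries only the decision and an HMAC-SHA256 digest keyed with a per-record salt, and a later fraud review re-opens the digest by recomputing it over the original claims. The field names (securityLevel, verifiedBootState, osPatchLevel as YYYYMM) are a constructed, simplified stand-in loosely modelled on Android Key Attestation, and the 90-day patch-age threshold is an assumed policy value.

```python
"""Minimal-disclosure attestation record: evaluate the relying-party policy off-chain,
then store a salted digest of the claims next to the decision instead of the claims.
Added example with constructed, simplified field names loosely modelled on Android Key
Attestation; not the page's or any vendor's code."""
import hashlib
import hmac
import json
import secrets
from datetime import date

HARDWARE_LEVELS = ("TRUSTED_ENVIRONMENT", "STRONGBOX")

# Constructed sample evidence; deviceSerial stands in for a PII field that must not be persisted.
SAMPLE_CLAIMS = {"securityLevel": "STRONGBOX", "verifiedBootState": "VERIFIED",
                 "osPatchLevel": 202601, "deviceSerial": "constructed-serial-001"}
TODAY = date(2026, 3, 1)  # assumed evaluation date for the sample

def canonical(claims):
    """Fixed key order and separators: identical claims must hash identically, or a
    later re-open during a fraud review would fail for no reason."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def commit(claims, salt):
    """Salted digest: HMAC-SHA256 keyed with a per-record salt. Without the salt the
    digest leaks nothing, even though the set of plausible claims is small."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 128 bits")
    return hmac.new(salt, canonical(claims), hashlib.sha256).hexdigest()

def evaluate(claims, today, max_patch_age_days=90):
    """All the relying party learns: hardware-backed and current OS, or why not."""
    if claims.get("securityLevel") not in HARDWARE_LEVELS:
        return False, "not hardware-backed"
    if claims.get("verifiedBootState") != "VERIFIED":
        return False, "verified boot not in VERIFIED state"
    patch = claims.get("osPatchLevel")
    if not isinstance(patch, int) or patch < 200001 or not 1 <= patch % 100 <= 12:
        return False, "missing or malformed OS patch level"
    patch_date = date(patch // 100, patch % 100, 1)  # YYYYMM -> first day of that month
    if (today - patch_date).days > max_patch_age_days:
        return False, "OS patch level older than %d days" % max_patch_age_days
    return True, "ok"

def record_decision(claims, today):
    """Return the record to persist (no claims, no PII) and the salt, which is stored
    separately, for example wrapped by the HSM and keyed by record id."""
    salt = secrets.token_bytes(32)
    allowed, reason = evaluate(claims, today)
    record = {"digest": commit(claims, salt), "allowed": allowed,
              "reason": reason, "ts": today.isoformat()}
    return record, salt

def reopen(record, salt, claims):
    """Fraud review: whoever holds the salt and the originally presented evidence can
    prove the stored decision was made on exactly these claims."""
    return hmac.compare_digest(record["digest"], commit(claims, salt))

if __name__ == "__main__":
    rec, salt = record_decision(SAMPLE_CLAIMS, TODAY)
    print(rec)
    print("re-open with original evidence:", reopen(rec, salt, SAMPLE_CLAIMS))
    print("re-open with altered evidence:", reopen(rec, salt, dict(SAMPLE_CLAIMS, deviceSerial="x")))
```

Two details carry the security weight: `canonical` removes any dependence on how the verifier happened to serialise the claims, and the salt lives in a different store from the record, so a dump of the decision log alone cannot be brute-forced back into device identities.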
Final Thought -- Keyless is Now an Enterprise Pattern, Not an Experiment
The pieces are in place. Passkeys are mainstream, EIP-7702 lets an existing EOA take on smart-wallet behaviour without an address change, and P-256 verification is available as a precompile on a growing set of L2s. What remains is assembly: device attestation, MPC shares anchored in attested hardware, and the on-chain permission standards, wired together into one signing path. That is what we build. (developer.chrome.com)
CTA (personalized and specific)
If you lead Product or IAM at a fintech or payments app with more than 5 million monthly active users and plan to ship a passkey-first, EIP-7702-capable wallet before the Android RKP root transition completes on April 10, 2026, book a 45-minute architecture review.
Within a week you get a build-or-buy plan tailored to your stack, a comparison of the attestation trust stores you will have to carry (Apple MDA and Android RKP, old and new roots), and an L2 selection matrix for P-256 verification, so scope and timeline are pinned down before anyone writes code. Start from our [blockchain integration] page.
RKP transition details: developer.android.com.
Appendix -- quick reference to the 2025-2026 changes you'll care about
- Apple Managed Device Attestation documentation (last updated January 28, 2026): support.apple.com.
- Android Key Attestation and the RKP root rotation timeline and steps: developer.android.com.
- EIP-7702 (Pectra, live on mainnet since May 7, 2025): blog.ethereum.org.
- RIP-7212 / EIP-7951 P-256 signature verification precompile: shipped in the OP Stack "Fjord" upgrade and on other L2s; EIP-7951 is the proposal to bring the same precompile to L1 mainnet: gov.optimism.io.
- ERC-7710 / ERC-7715 delegation and permissions (still drafts, but already implemented by several major wallets): eips.ethereum.org.
- FROST, RFC 9591 (IRTF CFRG): Schnorr threshold signatures; ROAST is a wrapper around FROST that keeps signing sessions progressing when some signers misbehave: datatracker.ietf.org.
- GG18/GG20 vulnerability disclosure: migrate to CGGMP21/24 or MPC-CMP, and treat any remaining GG18/GG20 deployment as a finding: fireblocks.com.
At 7Block Labs we guide the launch end to end, with no "crypto-bro" shortcuts.
Like what you're reading? Let's build together.
Get a free 30-minute consultation with our engineering team.