---
url: 'https://www.corbado.com/blog/binance-passkeys'
title: 'Binance Passkeys: Passkeys for the Crypto and Web3 World'
description: 'Explore how Binance’s implementation of passkeys is shaping the future of authentication in the cryptocurrency world, balancing UX with robust security.'
lang: 'en'
author: 'Vincent Delitz'
date: '2024-03-14T00:00:00.000Z'
lastModified: '2026-03-25T10:42:23.818Z'
keywords: 'Binance'
category: 'Passkeys Reviews'
---

# Binance Passkeys: Passkeys for the Crypto and Web3 World

## Key Facts

- Binance launched passkeys in **March 2023** as the most significant crypto player at
  that time, joining the **FIDO Alliance** just before rollout to influence WebAuthn
  standards.
- Binance supports **12 cryptographic algorithms** in its credential creation options, far
  exceeding most relying parties that typically support only one or two.
- A **Windows 11-specific bug** causes passkey creation to fail with a 'certificate path
  validation failed' error despite HTTP 200 responses; Windows 10 registration works
  correctly.
- The **"Must verify using passkey for important scenarios"** feature gates high-risk
  actions like withdrawals behind passkey confirmation, best suited for users with synced
  passkeys.
- Binance does not implement **Conditional UI** in its login flow, missing an opportunity
  to streamline authentication UX across platforms and devices.

## 1. Introduction: Binance Passkeys

With the emergence of Bitcoin in 2019, cryptocurrencies started to mark a new era of
independence and technological innovation in the finance world. This new world, though
primarily accessed by tech-savvy people, brings with it unique challenges and
opportunities. A notable hurdle is the authentication process. Traditional crypto / web3
mechanisms often involve a **public / private key** system where **losing your private key
can mean the irreversible loss of funds**. This is because, unlike traditional
[banking](https://www.corbado.com/passkeys-for-banking), there's often no central entity to turn to for account
recovery.

Cryptocurrency exchanges like Binance and [Coinbase](https://www.corbado.com/blog/coinbase-passkey) try to
mitigate these risks by acting as more centralized figures in the crypto ecosystem. A
[Binance review](https://www.bitdegree.org/crypto/binance-review) reveals how the platform
enhances security with advanced features like passkeys and
[two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security), offering users a more secure
and streamlined experience within the crypto space. They promise to offer a more
user-friendly management of funds on behalf of users. However, this centralization comes
with its own set of [vulnerabilities](https://www.corbado.com/glossary/vulnerability), such as increased risk of
hacking or system failures, as seen in the collapse of FTX. These events underscore the
importance of exchanges not only providing top-tier, bank-level security but also making
the authentication process accessible to those people who are less familiar with
asymmetric cryptography to access accounts.

Now that passkeys are becoming the new standard in user authentication, they could bridge the
gap between strong security needs and user convenience. Building on the same foundation as
blockchain technology, **public key cryptography**, passkeys offer a robust and
user-friendly method of securing accounts. **Binance began supporting** passkeys across
various devices and browsers in **March 2023**, catering to its tech-savvy audience while
improving defenses against the common plagues of the crypto world: scams and hacks.
Binance is a very early adopter and was certainly the **most significant crypto player at
that time**. This move not only highlighted Binance's commitment to security but also
marked a significant moment for the adoption of web3 technologies.

In this article, we analyze Binance's rollout of passkeys, examining the technical
implementation, product flows, and the strategic thinking behind this move. Our goal is to
provide a comprehensive overview that educates and inspires software developers and
product managers to implement Binance-like passkey authentication.

## 2. Summary of Binance Passkeys Analysis

In the following, we provide an overview of the findings from our analysis of
Binance's passkey implementation. Features marked with a ⭐ are considered the top feature
of their category and are most important for a great and secure passkey experience.

![](https://www.corbado.com/website-assets/65f2d27470877843000b2c09_binance_passkeys_analysis_summary_4c5a2737ec.jpg)

## 3. Product Flows and UX of Binance Passkeys

This section analyzes the product flows of Binance's passkeys across a variety of
platforms, including web apps, as well as native
[Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) and [iOS](https://www.corbado.com/blog/webauthn-errors) apps. The
[availability of passkeys](https://www.corbado.com/faq/are-passkeys-available) extends across all major operating
systems - [iOS](https://www.corbado.com/blog/webauthn-errors), [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android),
macOS, and Windows. Notably, our examination uncovered a bug within the setup of passkeys
in Windows, which we will elaborate on subsequently.

A highlight is the user support offered by Binance, particularly for navigating through
common errors and [troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) scenarios
available on their support site (see this article for more passkey
[troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) help).

The following parts analyze sign-up,
[passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices), passkey management, and login
processes within Binance's passkey integration.

### 3.1 Sign-up

A pure passkey-only sign-up at Binance is not (yet) possible. Currently, you need to
confirm your email via OTP and then need to provide a password. After that you can add a
passkey to your account.

### 3.2 Passkey Creation

![](https://www.corbado.com/website-assets/65f2d28c98fbff9c6edd0f7a_binance_passkey_creation_desktop_e2c0652ee5.jpg)

The process of creating a passkey on [Windows 11](https://www.corbado.com/blog/passkeys-windows-11) using the
Chrome web app begins by navigating to the profile section, selecting "Account," then
"Security," and finally "Manage" next to the Passkeys section.

![](https://www.corbado.com/website-assets/65f2d29a59b3c21183603fa8_binance_passkey_management_c632cd8e9f.png)

Users are presented with a list of their existing passkeys, offering an opportunity to
create a new one for the device by clicking on "Add Passkey." The creation process prompts
the user for an additional factor of authentication, defaulting to Time-based One-Time
Passcode (TOTP) via an [authenticator](https://www.corbado.com/glossary/authenticator) app, with the alternative
being an OTP sent via email. Upon providing the TOTP, users are introduced to the benefits
of passkeys, leading to a click on "Continue," which then triggers the
[Windows Hello](https://www.corbado.com/glossary/windows-hello) popup (Face ID / Touch ID popup on Apple devices
or equivalent local authentication on [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android)
devices) to create the passkey.

![](https://www.corbado.com/website-assets/65f2d2ca90d5d2ece98cfaff_binance_passkey_explainer_2ab8a2c312.jpg)

The WebAuthn username is set as the user's email address, with the
[relying party](https://www.corbado.com/glossary/relying-party) ID set to "binance.com."

However, a bug occurs immediately post-creation on Windows devices. Despite the passkey's
successful creation - visible within the Windows passkey management UI - it fails to
appear in the Binance account's passkey list. This discrepancy is accompanied by error
messages (with a typo), persistent across multiple attempts and unique to Binance, as
similar operations on other services do not encounter this issue.

![](https://www.corbado.com/website-assets/65f2d2d9c0428e4672ac6a43_binance_passkey_windows_error_66decbed4c.png)

![](https://www.corbado.com/website-assets/65f2d2dff0f8eddf0e44b438_binance_passkey_windows_error_detail_e4748e22c6.png)

Further investigation through the browser console revealed an attempt to finalize passkey
registration through a POST call to Binance's API at
[https://accounts.binance.com/bapi/accounts/v1/private/account/fido2/finish-register](https://accounts.binance.com/bapi/accounts/v1/private/account/fido2/finish-register)
(the passkeyRegisterFinish call in the WebAuthn registration ceremony), which returned an
HTTP 200 status code, suggesting a successful operation. Yet, the API response indicated a
"certificate path validation failed" error.

The issue was not exclusive to Chrome. Firefox and Edge on Windows encountered the same
problem. Interestingly, a [YubiKey](https://www.corbado.com/glossary/yubikey) could be successfully added,
hinting that Binance might only support passkeys that are not device-bound. In addition,
in later tests, we saw that the registration process works on Windows 10, so the
error occurs exclusively on [Windows 11](https://www.corbado.com/blog/passkeys-windows-11) devices.

Contrastingly, on macOS, [iOS](https://www.corbado.com/blog/webauthn-errors) and Android, the
[passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) process works. On the iOS web
app however, issues were noted with the [excludeCredentials](https://www.corbado.com/glossary/excludecredentials)
feature, allowing the creation of multiple passkeys even when one already existed on
this device. Moreover, on macOS we were also able to create multiple passkeys on the same device.
When we created the first passkey in Chrome (and stored it in
[iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain)), we were able to create another passkey in
Safari (also storing it in [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain)). However, when
analyzing the [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain), there was only one passkey for
Binance visible, which caused some confusion.

![](https://www.corbado.com/website-assets/65f2d2fdaa0ca09b88e87c0d_binance_multiple_passkeys_same_macos_c894e6747e.png)

In general, it became obvious that the exclusive
[passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) process has potential to be
reworked and improved to avoid user confusion.

After a successful passkey creation, an email notification is sent out to the user:

![](https://www.corbado.com/website-assets/65f2d3105da85cf50ccf98d7_binance_passkeys_email_notification_78ef7dde2e.jpg)

This overview points to a mixed experience in passkey creation across platforms, with
specific challenges identified on Windows and iOS that merit further attention for a
smoother, more consistent user experience.

### 3.3 Passkey Management

To manage your passkeys, navigate to "Account" > "Security" > "Two-Factor
Authentication ([2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security))" > "Passkeys". Here, users are
presented with a detailed overview of all passkeys created for their account. A notable
feature within this section is the option **"Must verify using passkey for important
scenarios."** This innovation introduces an additional layer of security for actions
deemed high-risk, without compromising the overall user experience.

![](https://www.corbado.com/website-assets/65f2d326296eb90ade60cb24_binance_passkey_high_risk_action_0e38c2630c.jpg)

Activating this feature ensures that passkey verification becomes a prerequisite for
executing critical actions within the account. However, it's important to recognize the
implications of this setting. If access to passkeys is lost, it will make some actions in
Binance impossible. Therefore, this option is **best suited for individuals utilizing
synced passkeys**. Also, following the activation of this feature, passkey verification
becomes obligatory for login attempts and withdrawals, emphasizing the importance of
maintaining access to passkeys across all frequently used devices. Should access to
passkeys be compromised, reaching out to Customer Support for a reset becomes a necessary
recourse.

Editing a passkey is made user-friendly. A simple click on the edit icon next to a passkey
triggers a modal, enabling the renaming of the passkey.

![](https://www.corbado.com/website-assets/65f2d33bea91bdfaed1f0007_binance_edit_passkey_2ba0561192.png)

Meanwhile, the process of deleting a passkey comes with its own set of warnings, so that
users are prevented from accidentally removing this secure and convenient authentication
method. Interestingly, upon deletion, withdrawals and peer-to-peer (P2P) transactions are
temporarily disabled for 24 hours as a precautionary measure based on assessed risk
levels. Furthermore, the deletion process incorporates an additional security step,
requiring confirmation via a passkey, thereby reinforcing the system's security framework.

![](https://www.corbado.com/website-assets/65f2d34d78239f4884084dfc_binance_delete_passkey_warning_f4aaa57a36.jpg)

[Passkeys are the recommended option for 2FA](https://www.corbado.com/blog/psd2-passkeys/are-passkeys-two-factor-authentication),
as depicted in the following Android screenshot:

![](https://www.corbado.com/website-assets/65f2d35959b3c2118360ffde_binance_passkeys_android_settings_73b5702717.jpg)

### 3.4 Login

Let's have a look at the login process in detail.

#### 3.4.1 Conditional UI & Cross-Device Logins

The login process across platforms and devices currently **does not implement**
[**Conditional UI**](https://www.corbado.com/blog/webauthn-conditional-ui-passkeys-autofill), which presents
a great opportunity for enhancing user experience. When attempting to log into an account
with an existing passkey, Binance recognizes this and prompts for the passkey immediately
following the submission of the user's email address / phone number.

The login experience across the web app and the [native app](https://www.corbado.com/blog/native-app-passkeys)
on Android is notably smooth (contrary to iOS, see the problem below). It is not possible
to create multiple passkeys for a single account on one device, even across the web and
native platforms. This restriction reduces confusion and enhances security by limiting the
number of passkeys per user / per device.

In the login process on Windows, even though no passkey was successfully created with
[Windows Hello](https://www.corbado.com/glossary/windows-hello) on [Windows 11](https://www.corbado.com/blog/passkeys-windows-11), users
are still prompted to sign in with a passkey through cross-device authentication
immediately after entering their email address. This assumes that a passkey was
successfully created on another platform. On Windows 10 the registration process worked as
expected with the
[Windows Hello passkeys](https://www.corbado.com/blog/windows-hello-passkeys-replace-passwords).

Overall, while the login process benefits from the automatic detection and utilization of
passkeys, the absence of [Conditional UI](https://www.corbado.com/glossary/conditional-ui) across devices
suggests room for improvement.

#### 3.4.2 iOS App: Cross-Device Login after Passkey Registration on macOS

In our tests, we observed challenges with the iOS app's cross-device login functionality,
particularly following a successful registration and passkey addition on a desktop (macOS)
environment. Our test process began with the creation of a new Binance account on Windows
10 using [social Login](https://www.corbado.com/glossary/social-login), where we were able to add a passkey
without issues. Subsequently, we logged in via [social login](https://www.corbado.com/glossary/social-login) in
Safari on macOS. In the next step, we added a passkey to the account, which Binance
recognized as a **cross-device passkey**. This successful creation and recognition was
confirmed by the visibility of the passkey in the passkey settings on an iPhone connected
to the same iCloud account.

![](https://www.corbado.com/website-assets/65f2d36d9e92c7e5c1b6e223_binance_passkey_management_windows_hello_92fcce6a78.jpg)

However, the transition to the iOS platform revealed significant complications. Attempts
to log in resulted in a persistent error - **"Login not possible, Passkey error 608104 in
Widget"** - that could not be resolved despite various
[troubleshooting](https://www.corbado.com/blog/passkey-troubleshooting-solutions) efforts, including reinstalling
the app on the iPhone. This error prevented the use of passkeys on iOS entirely, which
represents a critical use case for apps where it's common that users install the
[native iOS app](https://www.corbado.com/blog/native-app-passkeys) after account creation on macOS.

![](https://www.corbado.com/website-assets/65f2d37a874a73d804640c28_binance_passkey_error_cross_device_authentication_98cc60b2e3.jpg)

Furthermore, the experience fell short of expectations set by other applications such as
[KAYAK](https://www.corbado.com/blog/kayak-passkeys), which are able to trigger passkey requests natively,
without relying on the autofill feature integrated into the iOS keyboard.

This inconsistency highlights a potential area for development, with a focus on seamless
cross-device login processes and the integration of a more intuitive and responsive UI
that can adapt to various states of user authentication across platforms. The **resolution
of the error 608104 is important**, as it currently stands as a barrier to a frictionless
user experience, which is a huge problem for new users who begin their journey on macOS
and transition to iOS.

## 4. Technical Passkey Implementation Details

To use passkeys in Binance, users should have the Binance application version 2.60 or
higher installed on devices running iOS 16 and above or Android OS 9 and above. The web
app works with all passkey-ready devices. In addition to these requirements,
Binance also supports [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys)
(e.g. [YubiKeys](https://www.corbado.com/glossary/yubikey)), broadening the spectrum of security options
available to its users.

### 4.1 Analysis of PublicKeyCredentialCreationOptions

We analyzed Binance's
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions). Our
review revealed that Binance discourages the use of the residentKey option. This design
choice suggests Binance's consideration for
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys), which are typically
non-resident keys, indicating a thoughtful approach to security compatibility. However, as
described in this blog post, quite often the [authenticator](https://www.corbado.com/glossary/authenticator)
itself decides if it wants to use resident or non-resident keys.

```json filename="PublicKeyCredentialCreationOptions.json"
{
    "attestation": "direct",
    "authenticatorSelection": {
        "residentKey": "discouraged",
        "userVerification": "preferred"
    },
    "challenge": "T6l0KbewCabrlI9gS4U_stfq9la7PvopTtPhmYwelzhwqxWDQiWfz89lZ4eVwR2U_btxHuZVsVBhjSRJT9jCXg",
    "excludeCredentials": [
        {
            "id": "DUak294rRW6tJDaspoKrJg",
            "transports": ["usb", "nfc", "ble", "hybrid", "internal"],
            "type": "public-key"
        }
    ],
    "extensions": {
        "credProps": true
    },
    "pubKeyCredParams": [
        {
            "alg": -65535,
            "type": "public-key"
        },
        {
            "alg": -257,
            "type": "public-key"
        },
        {
            "alg": -258,
            "type": "public-key"
        },
        {
            "alg": -259,
            "type": "public-key"
        },
        {
            "alg": -37,
            "type": "public-key"
        },
        {
            "alg": -38,
            "type": "public-key"
        },
        {
            "alg": -39,
            "type": "public-key"
        },
        {
            "alg": -7,
            "type": "public-key"
        },
        {
            "alg": -35,
            "type": "public-key"
        },
        {
            "alg": -36,
            "type": "public-key"
        },
        {
            "alg": -8,
            "type": "public-key"
        },
        {
            "alg": -43,
            "type": "public-key"
        }
    ],
    "rp": {
        "id": "binance.com",
        "name": "Binance"
    },
    "user": {
        "displayName": "Chrome V122.0.0.0 (Windows)",
        "id": "MTxwMjAxMTY",
        "name": "vincent.delitz@corbado.com"
    }
}
```

Interestingly, Binance supports an extensive array of cryptographic algorithms (12 in
total), a significant difference from many other relying parties, which typically support
only one or two.
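
To see what those 12 identifiers mean, the following added example (not code from Binance or from this article's author) audits a trimmed copy of the options above. It maps each `alg` value to its COSE name, keeps the list order as the relying party's preference order, and reports the `attestation`, `residentKey` and `excludeCredentials` settings; the function and constant names are hypothetical.

```javascript
// Added example: audit WebAuthn registration options like those in section 4.1.

// COSE signature algorithm identifiers from the IANA COSE Algorithms registry.
// Anything not in this table is reported as unrecognized rather than guessed.
const COSE_SIG_ALGS = {
  [-7]: "ES256", [-35]: "ES384", [-36]: "ES512",      // ECDSA
  [-8]: "EdDSA",
  [-37]: "PS256", [-38]: "PS384", [-39]: "PS512",     // RSASSA-PSS
  [-257]: "RS256", [-258]: "RS384", [-259]: "RS512",  // RSASSA-PKCS1-v1_5
  [-65535]: "RS1",                                    // RSASSA-PKCS1-v1_5 with SHA-1
};
const DEPRECATED = new Set(["RS1"]); // SHA-1 based signatures

function auditCreationOptions(opts) {
  const findings = [];
  // pubKeyCredParams is ordered from most to least preferred by the relying party.
  const algorithms = (opts.pubKeyCredParams || []).map((p, i) => ({
    alg: p.alg,
    name: COSE_SIG_ALGS[p.alg] || null,
    preference: i + 1,
  }));
  const deprecated = algorithms.filter((a) => DEPRECATED.has(a.name)).map((a) => a.name);
  const unrecognized = algorithms.filter((a) => a.name === null).map((a) => a.alg);

  if (deprecated.length) {
    findings.push(`deprecated algorithm offered: ${deprecated.join(", ")}`);
  }
  if (algorithms.length && DEPRECATED.has(algorithms[0].name)) {
    findings.push(`${algorithms[0].name} is listed first, i.e. as most preferred`);
  }
  if (unrecognized.length) {
    findings.push(`identifier(s) not in the signature table: ${unrecognized.join(", ")}`);
  }
  if (opts.attestation === "direct" || opts.attestation === "enterprise") {
    findings.push("attestation requested: server must validate the attestation certificate path");
  }
  const selection = opts.authenticatorSelection || {};
  if (selection.residentKey === "discouraged") {
    findings.push("residentKey discouraged: credentials may be non-discoverable, login should send allowCredentials");
  }
  if (!(opts.excludeCredentials || []).length) {
    findings.push("excludeCredentials empty: duplicate passkeys per authenticator are possible");
  }
  return { algorithms, deprecated, unrecognized, findings };
}

// Trimmed copy of the options shown above (challenge, user, rp and extensions omitted).
const PAGE_OPTIONS = {
  attestation: "direct",
  authenticatorSelection: { residentKey: "discouraged", userVerification: "preferred" },
  excludeCredentials: [{ id: "DUak294rRW6tJDaspoKrJg", type: "public-key" }],
  pubKeyCredParams: [-65535, -257, -258, -259, -37, -38, -39, -7, -35, -36, -8, -43]
    .map((alg) => ({ alg, type: "public-key" })),
};

const report = auditCreationOptions(PAGE_OPTIONS);
console.log(report.algorithms.map((a) => `${a.preference}. ${a.alg} ${a.name || "?"}`).join("\n"));
console.log(report.findings.join("\n"));
```

The first entry in the list is the SHA-1 based RS1, so a relying party reviewing such options would normally move ES256 or EdDSA to the front and drop identifiers it cannot verify.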

Additionally, the WebAuthn Display Name has a format we haven't seen so far: it uses a
transformed [user agent](https://www.corbado.com/blog/client-hints-user-agent-chrome-safari-firefox), such as
"Chrome V122.0.0.0 (Windows)."

### 4.2 Analysis of PublicKeyCredentialRequestOptions

In the analysis of
[PublicKeyCredentialRequestOptions](https://www.corbado.com/glossary/publickeycredentialrequestoptions), the
noteworthy element is the use of [allowCredentials](https://www.corbado.com/glossary/allowcredentials). This
setting plays a crucial role in the authentication process, though no other specific
settings within this context were identified as particularly influential or unique to the
Binance implementation.

```json
{
    "allowCredentials": [
        {
            "id": "AX3lhlvxFhV75SnTpo-ccNHYvmqxxxXnL1hia1IJBZjLqlluJCZ5RsuuQGIggYZPsrVASOjmw_o8A5dBe-cPy_A",
            "transports": ["hybrid", "internal"],
            "type": "public-key"
        },
        {
            "id": "D8jAUYYqyPenDwvoqFj35ELirZ7-bQKwerse7sHw6fkkIWaQYiDwqmeRL4JLNrb4ipYIGPsJKbPhpaqHk_6pNw7Gw",
            "transports": ["usb", "nfc"],
            "type": "public-key"
        },
        {
            "id": "YrP9RffjrEgjJ0U3fdstc6sXvkQBY",
            "transports": ["hybrid", "internal"],
            "type": "public-key"
        },
        {
            "id": "zDUXuuu4rNqjsdfeFE7tqu6_y-MKwY",
            "transports": ["hybrid", "internal"],
            "type": "public-key"
        },
        {
            "id": "1_2IthTIwerdWBZOmQfikKI5m7WAw",
            "transports": ["hybrid", "internal"],
            "type": "public-key"
        }
    ],
    "challenge": "SVW1--hiFYwLyFiT97htnRecSdYVJg_zqnEL3w6vnsnz4-KE0c9Z-ytKGdT5e2hVb6kwTsODvc5M8S9pnbL9-Fw",
    "rpId": "binance.com",
    "userVerification": "preferred"
}
```
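
Conditional UI, which section 3.4.1 notes is missing, would change the request above in two ways: `mediation: "conditional"` and an empty `allowCredentials`, because the request starts before the user has entered an identifier. The following is an added example, not Binance's or the author's code; the function names and sample values are constructed. Autofill only surfaces discoverable credentials, so it pairs with `residentKey` set to `required` or `preferred` at registration rather than `discouraged`.

```javascript
// Added example: turn server-issued request options (JSON with base64url
// fields) into a Conditional UI (passkey autofill) request.

// base64url string -> Uint8Array. WebAuthn expects binary buffers, not strings.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build the argument for navigator.credentials.get().
// Any allowCredentials sent by the server is dropped: with an empty list the
// browser offers every discoverable credential it holds for rpId in the
// autofill menu of an <input autocomplete="username webauthn"> field.
function buildConditionalRequest(serverOptions, signal) {
  return {
    mediation: "conditional",
    signal,
    publicKey: {
      challenge: b64urlToBytes(serverOptions.challenge),
      rpId: serverOptions.rpId,
      userVerification: serverOptions.userVerification,
      allowCredentials: [],
    },
  };
}

// Feature-detect, then start the request on page load. Returns null when the
// browser lacks Conditional UI, so the caller can fall back to the
// identifier-first flow described in section 3.4.1. The returned abort
// controller lets the page cancel the pending request before starting a
// modal passkey prompt.
async function startConditionalLogin(serverOptions, env = globalThis) {
  const PKC = env.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== "function") return null;
  if (!(await PKC.isConditionalMediationAvailable())) return null;
  const abort = new AbortController();
  const pending = env.navigator.credentials.get(
    buildConditionalRequest(serverOptions, abort.signal)
  );
  return { pending, abort };
}

// Constructed sample in the shape of the request options above.
const SAMPLE_REQUEST_OPTIONS = {
  allowCredentials: [
    { id: "AQIDBA", transports: ["hybrid", "internal"], type: "public-key" },
  ],
  challenge: "-_8BAgME",
  rpId: "binance.com",
  userVerification: "preferred",
};

console.log(buildConditionalRequest(SAMPLE_REQUEST_OPTIONS));
```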

## 5. The Strategic Advantage of Passkeys for Binance

Binance embarked on the integration of passkeys in March 2023 as a very early adopter.
This move was closely preceded by **Binance joining the FIDO (Fast IDentity Online)
Alliance**, a step that positions Binance not just as a participant but as a proactive
[stakeholder](https://www.corbado.com/blog/passkeys-stakeholder) in the development and implementation of the
[passkeys](https://www.corbado.com/passkeys) / [WebAuthn](https://www.corbado.com/webauthn) standards. By aligning with the
[FIDO Alliance](https://www.corbado.com/glossary/fido-alliance), Binance gains leverage in influencing future
adaptations of passkey and WebAuthn technologies that align with its strategic objectives.

Binance itself emphasizes the involvement in FIDO as improving
[user trust](https://www.corbado.com/faq/fallback-management-user-trust-passkey-retention) and confidence in
Binance services. In the volatile and security-sensitive area of the crypto and web3
world, where users often manage a diverse
[crypto portfolio](https://coinledger.io/crypto-portfolio-tracker), **establishing and
maintaining trust** plays a very important role.

Moreover, Binance's strategy reflects a broader trend in the technology and financial
sectors towards embracing
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) mechanisms. This
shift not only enhances security but also significantly improves the user experience by
eliminating the need for users to remember complex passwords or undergo cumbersome
authentication processes. By [adopting passkeys](https://state-of-passkeys.io/), Binance
positions itself at the forefront of this trend, signaling its commitment to adopting
cutting-edge technologies that prioritize user security and convenience.

## 6. Conclusion: Binance Passkeys

The integration of passkeys by Binance marks a great advancement in crypto / web3
security and user authentication. By adopting the new login standard, Binance not only
enhances the security landscape of its platform but also significantly improves the user
experience, offering a seamless and more intuitive authentication process. The strategic
decision to join the [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance) ahead of rolling out
passkeys in March 2023 underscores Binance's commitment to being at the forefront of
technological innovation and security in the cryptocurrency industry.

## Frequently Asked Questions

### What are the minimum device requirements to use passkeys with the Binance app?

Binance requires app version 2.60 or higher on iOS 16 and above or Android OS 9 and above
for mobile passkey support. The web app works with any passkey-ready device and Binance
also supports hardware security keys such as YubiKeys as an alternative.

### What is Binance passkey error 608104 and can it be fixed?

Error 608104 appears in the Binance iOS app when trying to sign in with a passkey created
on macOS and cannot be resolved even by reinstalling the app. This is a critical barrier
for users who create their Binance account on macOS and then switch to iOS, blocking
passkey authentication entirely on that device.

### What happens to my Binance withdrawals if I delete a passkey?

Deleting a passkey from your Binance account temporarily disables withdrawals and
peer-to-peer (P2P) transactions for 24 hours as a risk-based security measure. The
deletion process also requires passkey confirmation and displays warnings to prevent
accidental removal.

### Does Binance support a passkey-only sign-up flow?

No, Binance does not currently support passkey-only sign-up. Users must first verify their
email via OTP and set a password before they can add a passkey to their account.

### Why does Binance set residentKey to 'discouraged' in its WebAuthn implementation?

Binance discourages resident keys in its PublicKeyCredentialCreationOptions to maintain
compatibility with hardware security keys like YubiKeys, which typically use non-resident
keys. This reflects a deliberate design choice to support a broader range of
authenticators rather than limiting to platform authenticators only.
