Security Key Derivation and Backup

From the presentation today, it sounds like security keys are not necessarily deterministically derived from the seed phrase. From a backup perspective, this requires ensuring that the settings backup file is not lost (in addition to the seed phrase). From a sovereignty perspective, this also makes it difficult to use the keys outside of Passport Prime (if it breaks).

Can you please consider instead deriving the security keys in a deterministic way from the master seed phrase? This would reduce the data in the settings backup, reduce the risk associated with losing the settings backup, and increase sovereignty (since they could always be derived from the seed phrase which can be stored on metal, especially if the derivation algorithm is published).

I understand this won’t work for TOTP but for the more secure Security Keys this seems like a significant architecture improvement with no risk. It would also allow them to be truly deleted instead of archived (since they can always be re-derived).

From a technical perspective, I believe this is how Ledger handles this with their FIDO app.

To clear up a possible misunderstanding from the presentation: security keys on Prime are derived deterministically from the master seed. The keys themselves are not random. Your instinct that this is the right approach is correct, and it is how Prime already works.

Where backup remains necessary is more specific. For each registered credential, the device stores metadata that is not derivable from the seed alone: the relying party identity, user information, signature counters, and the derivation indices used. Without that metadata, the device has no record of what credentials exist or how to map an incoming authentication request to the right key. The seed gives you the ability to derive any key, but not the knowledge of which keys to derive.

Your Ledger comparison is a useful reference point and worth unpacking properly, because the two approaches involve a genuine architectural tradeoff rather than one being strictly better.

Ledger’s implementation (following SLIP-0013) is fully stateless. The credential ID that the website stores and presents during authentication contains a nonce, and the device uses the master seed plus that nonce to derive the signing key on the fly. The device retains nothing between sessions. Restore from seed, and the next time any registered site presents a credential ID, the correct key is reconstructed automatically. No backup needed for credentials.

The tradeoff is that a stateless device has no awareness of its own credential state. It cannot show you what is registered, cannot let you manage individual credentials, and cannot support passwordless login flows where the authenticator presents credentials to the site rather than the other way around. That last point is significant: the modern FIDO2 standard introduced discoverable credentials specifically to enable passwordless authentication, where you tap the device without entering a username first. That capability requires the authenticator to store credential metadata, which is exactly what Prime does.

Prime is built toward full FIDO2 support, including passwordless flows. That is the reason for the on-device metadata storage, and it is a deliberate choice rather than an oversight. The backup dependency is the cost of that capability.

That said, the underlying concern in your request is valid. A design that embeds enough information in the credential ID to re-derive the key from seed alone, even without the full metadata backup, would meaningfully reduce the consequences of losing a backup. It is a reasonable thing to want, and your feedback on it is noted.

Thanks for the detailed response! That makes sense and I agree that FIDO2 support is key. Would it be possible to “restore” the keys by rederiving them given the site names and usernames? If so, I think this is more than sufficient. Ideally, this could be an option on device to rederive keys by entering the necessary site URL and username. This would then provide peace of mind that even if the metadata was lost you wouldn’t lose access (I would never want a single point of failure so the alternative is a non-passport secondary key).

Interesting idea, and I think it’s worth raising with the team to see whether it’s technically feasible alongside the existing metadata-driven flow.

It may be doable, and I’ll flag it internally, but given how easy it already is with the existing MB setup (or manual metadata backup for non-MB users), it would be a lower priority item for us.