Custody 101 — Keys, recovery & passkey safety · Lesson 3 of 5

Passkey vs seed — when to use which

3 min read

A passkey is a private key stored inside your device's secure enclave — a tamper-resistant chip whose entire job is to hold cryptographic secrets without ever exposing them to the rest of the system. iPhones have it (Secure Enclave). Android phones have it (StrongBox / TEE). Modern Windows and macOS laptops have it (TPM, Secure Enclave).

When you "sign in with passkey", you don't type anything. The wallet sends a challenge ("prove you have the key"); the device hands it to the enclave, the enclave signs it and returns the signature, and the wallet checks that signature against the public key it stored when you registered. Your face or fingerprint authorizes the enclave to do the signing. No password is typed. No seed phrase is shown.

For 80% of users, this is dramatically safer than a seed phrase. For the other 20%, it has specific limitations worth understanding.

The five real differences

1. Phishing resistance

Passkeys are bound to the origin of the website that registered them. If you registered your passkey with app.gopnik.io, that passkey will refuse to sign for app-g0pnik.io (the lookalike phishing domain). The browser refuses to even offer the passkey to a wrong-origin site.

A seed phrase has no such binding. You can paste it into anything. Phishers know this and design their fake sites accordingly.

Verdict: passkey wins. Especially against the #1 cause of retail crypto loss (phishing).

2. Portability

A seed phrase is twelve words. You can write them down, take them anywhere, import them into any wallet that supports the same derivation standard, on any device. Total portability.

A passkey is bound to the secure enclave that generated it. You can't "copy" it to another device. You can register a new passkey on the new device (same account, different key — most platforms support this), but you can't move the original.

Verdict: seed wins. Especially for users who switch devices frequently or want a hardware-wallet-style cold backup.

3. Recovery

Lose your seed phrase → lose your account, permanently.

Lose your passkey (phone destroyed, no other registered devices) → lose your account, unless you set up recovery in advance. Apple and Google offer iCloud Keychain and Google Password Manager, which can sync passkeys across your devices on the same account. That's a recovery path, but it puts your key inside an Apple/Google managed environment — they don't see the key, but they decide when to release it to a new device of yours.

Verdict: complicated. If you trust Apple/Google as a recovery custodian, passkey + sync is the easiest setup. If you don't, seed phrase + manual backup is the right call.

4. Cross-platform

Seed: works in any compatible wallet. iPhone, Linux laptop, Windows tablet, doesn't matter.

Passkey: works inside the platform's secure enclave. Modern passkeys (with iCloud Keychain / Google Password Manager sync) cross same-vendor devices, but not cross-vendor. iOS → Android = re-register.

Verdict: seed wins for ecosystem-agnostic users. Passkey is fine for single-ecosystem users.

5. Coercion resistance

If someone holds you up and demands your wallet: with a seed phrase, you can hand over the twelve words without the passphrase, and they open a decoy wallet holding little or nothing (the optional BIP-39 passphrase, often called the 25th word, turns the same words into a completely different wallet). With a passkey, biometric coercion is the failure mode — they can compel you to put your finger on the device.

Verdict: seed wins for the very specific high-net-worth-at-physical-risk threat model. For most users, this isn't the relevant risk.
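To make the BIP-39 passphrase mechanism behind the decoy wallet concrete, here is an added example (not Gopnik's code) that derives the seed and the BIP-32 master key from the same twelve words under different passphrases. The mnemonic and passphrases are constructed sample values, and only the Python standard library is used.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Constructed sample: the standard all-"abandon" BIP-39 test mnemonic (zero entropy).
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Turn a mnemonic plus optional passphrase into the 64-byte BIP-39 seed.

    Per BIP-39: both strings are NFKD-normalised, the salt is the literal
    string "mnemonic" followed by the passphrase, and the KDF is
    PBKDF2-HMAC-SHA512 with 2048 rounds. An empty passphrase is the default,
    so the twelve words alone always open *some* wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """Derive the BIP-32 master private key and chain code from a seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_for(mnemonic: str, passphrases) -> Dict[str, str]:
    """Map each passphrase to the hex master key it yields from the same words.

    Nothing in the derivation validates the passphrase: every value, including
    a typo, produces a well-formed but different (and usually empty) wallet.
    That is what makes the decoy work, and also why a forgotten passphrase
    loses the real funds.
    """
    return {p: bip32_master_key(bip39_seed(mnemonic, p))[0].hex() for p in passphrases}


if __name__ == "__main__":
    for passphrase, key in wallets_for(SAMPLE_MNEMONIC, ["", "decoy", "real"]).items():
        print(f"passphrase={passphrase!r:8} master key={key[:16]}...")
```

The decoy and the real wallet are cryptographically unrelated, so nothing on the device reveals that a passphrase exists; the flip side is that a mistyped passphrase silently opens an empty wallet.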

The Gopnik recommendation

For first-time users: passkey, with iCloud Keychain / Google Password Manager sync enabled if you trust the cloud provider. Phishing resistance is the most valuable property; sync recovery is good enough for most amounts.

As your portfolio grows past ~€10,000: add a paired hardware wallet (Ledger / Tangem). Your daily wallet stays passkey; large moves go through the hardware wallet's confirmation screen.

For institutional / family-office users: seed-based multisig (the Custody 301 territory). The trade-off framework here is completely different — see that course.

What Gopnik will not do

We won't store your passkey or your seed phrase on our servers. We can't. The passkey lives in your device's enclave; the seed phrase lives on whatever paper or metal you wrote it on. If we could see them, we'd be a centralized exchange — and we don't want that liability either.

If you forget your password, we can't reset it. We can only point you back to your recovery flow (passkey re-registration or seed import). If neither works, the funds remain on chain — visible, untouchable, forever.

That's self-custody. Next lesson: a concrete recovery playbook so this doesn't happen to you.