Authentication Key

The Authentication Key is a mandatory verification method listed in a DID's document. It is used to:

• Prove control of the DID (e.g., signing a challenge).
• Authorize updates to the DID document itself.
• Authenticate to verifiable credential presentations and other services. Its corresponding private key is held securely by the DID controller.

The specific cryptographic key type is defined by the DID method. Common implementations include:

• Ed25519: Used by did:key and did:web methods for fast, lightweight signatures.
• secp256k1: The standard for Ethereum-based methods like did:ethr and did:pkh.
• RSA: Sometimes used in enterprise or did:web contexts for compatibility. The publicKeyJwk or publicKeyMultibase property in the DID document encodes the key material.

In the did:key method, the DID identifier is the encoded public key itself. The Authentication Key is therefore the primary and often only key in the document.

• Example DID: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
• Usage: Simple, self-contained identities without a blockchain, ideal for peer-to-peer authentication and verifiable credentials.

For methods anchored to blockchains, the Authentication Key is often linked to a smart contract or on-chain registry.

• did:ethr: The authentication key is typically an Ethereum Externally Owned Account (EOA) or a key managed by a smart contract. Control can be transferred by updating the contract.
• did:ion (Sidetree/IPFS): Keys are listed in the DID document, which is anchored to the Bitcoin blockchain via cryptographic hashes. Key updates create new document versions.

A critical feature is the ability to rotate compromised authentication keys without changing the DID itself.

• DID Document Update: The current authentication key signs an update operation to add new keys and revoke old ones.
• Recovery Mechanisms: Methods like did:ethr use smart contracts for multi-sig recovery, while did:ion can use alsoKnownAs references or recovery keys defined in the document.

When a holder presents a Verifiable Credential, they must prove they are the legitimate subject. This is done by:

• The verifier sending a challenge (a cryptographically random nonce).
• The holder's wallet signs the challenge with the private key corresponding to the DID's Authentication Key.
• The verifier checks the signature against the public key in the resolved DID document. This process is defined by the Data Integrity or JWT proof formats.

An authentication key is a cryptographic public key or derived address that serves as a verifiable identity for a user or smart contract on a blockchain. It is the component presented to the network to prove the right to initiate a transaction from a specific account. The corresponding private key is used to create digital signatures that prove control over the authentication key.

• Primary Role: Acts as the on-chain identifier for an account.
• Verification: Nodes validate that a transaction's signature corresponds to the stated authentication key.
• Immutability: The key itself is public and does not change, while authorization logic (like multi-signature schemes) can be updated.

Authentication keys are often derived from a master seed phrase and can be rotated for enhanced security without changing the on-chain account address.

• Hierarchical Deterministic (HD) Wallets: Use a single seed to generate a tree of keys. The authentication key is a leaf on this tree.
• Key Rotation: Critical after a suspected compromise. Systems like Aptos and Sui allow the authentication key to be updated while preserving the account's state and address, by changing the underlying public key.
• Separation of Concerns: The account address (a hash of the initial public key) can remain static, while the current authentication key controlling it can be changed.

Authentication can require multiple keys, distributing trust and control. A multi-signature authentication key defines a policy (e.g., 2-of-3) that must be satisfied.

• Threshold Signatures: A transaction requires M signatures out of N predefined public keys.
• On-Chain Policy: The authentication key for the account is often a smart contract or native module that encodes the signing logic.
• Use Cases: Corporate treasuries, DAO vaults, and enhanced personal security where a single private key is a single point of failure.

The security of the authentication key depends entirely on the safeguarding of its corresponding private key. Compromise leads to total loss of assets.

• Cold Storage: Private keys generated and stored entirely offline (hardware wallets, paper wallets).
• Hot Wallets: Software-based wallets connected to the internet, convenient but higher risk.
• Secret Management: Use of secure enclaves (e.g., TPM, SGX) or distributed key generation to avoid a single plaintext copy of the key.
• Never Share: The private key should never be entered on websites or shared with third parties.

In blockchain systems, authentication (proving you control the key) is distinct from authorization (defining what the key can do).

• Authentication: "This transaction is signed by the private key for account 0xABC."
• Authorization: "The key for account 0xABC is permitted to withdraw up to 100 tokens per day." Authorization rules are often enforced by smart contract logic or protocol-level permissions, which the authenticated key must still satisfy.

Schemes exist to recover control of an account if the primary authentication key is lost, without relying on a central entity.

• Social Recovery: Designate "guardians" (trusted individuals or devices) who can collectively authorize a change to the account's authentication key.
• Time-Locked Escrow: Use smart contracts to send assets to a fallback address after a predefined period of inactivity.
• Inheritance Planning: These mechanisms are crucial for ensuring digital assets are not permanently locked due to a lost key, addressing a major user security concern.

An authorization key is a public key derived from an authentication key that grants specific permissions for a resource, such as a smart contract or vault. It is a core component of account abstraction models, separating the proof of identity (authentication) from the rules governing asset control.

• Flexible Permissions: Can be scoped to specific functions, spending limits, or time periods.
• Key Rotation: Allows the underlying authentication key to be changed without disrupting authorized sessions or smart contract integrations.

A multi-signature scheme requires cryptographic signatures from multiple private keys to authorize a transaction. It is a form of M-of-N authentication, where a predefined threshold (M) of approvals from a set of keys (N) is needed.

• Enhanced Security: Distributes control, preventing a single point of failure.
• Governance: Commonly used for DAO treasuries and institutional wallets.
• Implementation: Managed via smart contracts (e.g., Safe) or native protocols (e.g., Bitcoin's P2SH).

A session key is a temporary, limited-authority key used in account abstraction and gaming dApps to improve user experience. It allows pre-approved transactions for a set period or specific contract interactions without requiring a signature for every action.

• UX Improvement: Enables seamless interactions in games or DeFi protocols.
• Risk Mitigation: Permissions are strictly scoped (e.g., only to swap tokens on a specific DEX up to a limit).
• Automatic Expiry: Keys are invalidated after the session ends or the allowance is consumed.

Ed25519 is a specific elliptic curve digital signature algorithm known for its speed, security, and small signature size. It is the standard for authentication keys in several blockchain networks, including Sui, Solana, and Aptos.

• Performance: Offers fast verification and deterministic signature generation.
• Standardization: Provides a consistent, battle-tested cryptographic primitive.
• Key Pair: Generates a 32-byte public key (authentication key) and a 64-byte signature from a 32-byte private seed.

Account Abstraction is an Ethereum standard that decouples transaction validation from a fixed Externally Owned Account (EOA) model. It allows smart contracts to act as user accounts, enabling features like:

• Flexible Authentication: Use of social recovery, multi-factor auth, or quantum-resistant signatures.
• Sponsored Transactions: Gas fees can be paid by a third party.
• Batch Operations: Multiple actions in a single user-signed transaction.

Public Key Infrastructure is the overarching framework of policies, hardware, and software used to create, manage, distribute, and revoke digital certificates and public keys. In blockchain, it underpins the trust model for authentication keys.

• Certificate Authorities (CAs): Trusted entities that verify and sign public keys (less common in decentralized systems).
• Decentralized Identifiers (DIDs): A PKI method where the blockchain itself acts as the root of trust.
• Key Management: Encompasses generation, storage, rotation, and revocation of cryptographic keys.