Tempo verifies passkey signatures at the protocol level, before EVM execution begins. Users can sign blockchain transactions with Face ID, fingerprint, or any FIDO2 authenticator. No smart contract wallet required. The account is a standard EOA, not a contract.
How this differs from Ethereum
On Ethereum, passkey support requires the EIP-4337 smart contract wallet stack: a smart contract account that verifies P256 signatures on-chain, a bundler to submit UserOperations, and an EntryPoint contract to orchestrate execution. Every signature verification costs gas for the on-chain P256 precompile or Solidity verifier.
Tempo skips all of that. The protocol natively verifies three signature types during transaction validation:
| Signature type | What it is |
|---|---|
| secp256k1 | Standard Ethereum ECDSA |
| P256 | The elliptic curve behind passkeys, Apple Secure Enclave, Android Keystore |
| WebAuthn | Full FIDO2 assertion verification including authenticator data and client data challenge |
All three derive addresses the same way: keccak256(pubKeyX || pubKeyY)[12:]. A P256 key and a secp256k1 key produce different addresses, but the derivation formula is identical.
In practice
A user creates a passkey through their browser or mobile device. The passkey's P256 public key derives a Tempo address. That address is a normal EOA. It works with every contract and protocol on Tempo.
When the user signs a transaction, their device prompts for biometric confirmation (Face ID, fingerprint, or device PIN). The resulting P256 or WebAuthn signature is submitted as part of a Tempo Transaction (type 0x76). The protocol validates the signature and executes the transaction.
The signature verification happens in the consensus layer, without contracts, bundlers, or relayers.
Session keys with passkeys
Biometric prompts on every transaction would make for a poor UX. Tempo's Account KeychainA protocol precompile that lets root keys provision scoped access keys with spending limits and expiry times. solves this: after authenticating with a passkey, the user provisions a session key that can sign transactions for a limited time and budget, without further biometric prompts.
For example: a passkey authorizes a session key that can spend up to $500 USDC for 1 hour. During that window, the session key handles transactions silently. After the window expires or the budget is spent, the passkey must re-authenticate.
The tradeoff
Tempo's approach bakes passkey support into the protocol, which makes it simpler and cheaper than Ethereum's smart contract wallet approach. The cost is flexibility: adding a new signature type (e.g., a post-quantum scheme) requires a network upgrade on Tempo, while on Ethereum it only requires deploying a new verifier contract. For the current set of signature types (secp256k1, P256, WebAuthn), Tempo's approach is strictly simpler.
Related content
- How to Use Access Keys and Session Keys on Tempo: provision scoped keys after passkey authentication
- What Is the Account Keychain on Tempo?: protocol-level key management
- What Is a Tempo Transaction?: the transaction type that carries passkey signatures