Add Pass3 application #1886

Closed

andrwlt
Contributor

@andrwlt andrwlt commented Aug 4, 2023

Pass3

Pass3 is a crypto wallet, engineered for simplicity without compromising security. It leverages Passkeys for effortless wallet setup and employs a social guard system for account recovery in case of device loss. Built as a mobile-first web application, Pass3 ensures seamless functionality across both mobile and desktop platforms.

Grant level

  • Level 1: Up to $10,000, 2 approvals
  • Level 2: Up to $30,000, 3 approvals
  • Level 3: Unlimited, 5 approvals (for >$100k: Web3 Foundation Council approval)

Application Checklist

  • The application template has been copied and aptly renamed (project_name.md).
  • I have read the application guidelines.
  • Payment details have been provided (bank details via email or BTC, Ethereum (USDC/DAI) or Polkadot/Kusama (USDT) address in the application).
  • The software delivered for this grant will be released under an open-source license specified in the application.
  • The initial PR contains only one commit (squash and force-push if needed).
  • The grant will only be announced once the first milestone has been accepted (see the announcement guidelines).
  • I prefer the discussion of this application to take place in a private Element/Matrix channel. My username is: @_______:matrix.org (change the homeserver if you use a different one)

@CLAassistant

CLAassistant commented Aug 4, 2023

CLA assistant check
All committers have signed the CLA.

Collaborator

@Noc2 Noc2 left a comment

Thanks a lot for the application. Looks like an interesting project. Could you add more technical details to the specification of the milestone tables? For example, how exactly do you combine passkey with the private key of the Polkadot account? What does asset management mean (e.g., listing pallets that you will support)?

@Noc2 Noc2 added the "changes requested" label (The team needs to clarify a few things first.) Aug 4, 2023
@semuelle
Member

semuelle commented Aug 9, 2023

pinging @andrwlt

@andrwlt
Contributor Author

andrwlt commented Aug 10, 2023

Hi @Noc2 and @semuelle,
Sorry for the late response. I have updated the application by adding more technical details. Can you please take a look and let me know if I am missing something? Thank you.

@andrwlt andrwlt requested a review from Noc2 August 15, 2023 01:38
Collaborator

@Noc2 Noc2 left a comment

Thanks for the update, and sorry for the late reply. I will mark it as ready for review. But could you potentially reduce the price? The application seems rather expensive to me compared to your previous project: #776

@Noc2 Noc2 added the "ready for review" label (The project is ready to be reviewed by the committee members.) and removed the "changes requested" label (The team needs to clarify a few things first.) Aug 15, 2023
@andrwlt
Contributor Author

andrwlt commented Aug 15, 2023

Hi @Noc2,
Thank you for your response.
Regarding your question, I don't believe we can reduce the cost. In the previous application, a portion of the cost was covered by our team. However, after 1.5 years of self-funding, we genuinely need support from W3F to continue building products in the ecosystem.

@keeganquigley
Contributor

keeganquigley commented Aug 16, 2023

Hi @andrwlt, thanks for the application. One question I have off the bat: is the Apple Passkey system open-source? If not, I wonder if it might conflict with our guidelines regarding relying on closed-source systems.

@takahser takahser self-assigned this Aug 16, 2023
@takahser takahser self-requested a review August 16, 2023 22:39
@andrwlt
Contributor Author

andrwlt commented Aug 17, 2023

Hi @keeganquigley
Thank you for your question. I recognize your concerns regarding our reliance on Apple Passkeys due to its closed-source nature. However, I'd like to clarify that Pass3 is designed to utilize Passkeys in general and is not exclusively tied to Apple Passkeys, though it is compatible with Apple devices. These Passkeys are founded on the Web Authentication (often referred to as "WebAuthn") standard, leveraging public key cryptography. This ensures that Pass3 is compatible with any device that has implemented the Web Authentication standard. For more information on this standard, please refer to:

@keeganquigley
Contributor

Hi @andrwlt sorry for the late reply:

  • Thanks for clarifying, yes I think that's fine as long as your app will be compatible with other systems based on the WebAuthn standards. I think it's great to be able to implement features like login via Apple TouchID.
  • Will the registered email address be encrypted?
  • What type of encryption will be used for the cloud backup? For example, Coinbase uses AES-256 GCM
  • I agree that the price seems high compared to similar proofs-of-concept. Would you be willing to remove some of the optional features such as the cloud backup and the custom wallet profile? Perhaps that could allow for a smaller scope focusing mainly on the passkey system.
  • We don't usually care too much about the GH actions since we don't fund getting code production ready. So it's probably safe to remove this or add it to the 0c. testing and guide deliverable.

@andrwlt
Contributor Author

andrwlt commented Aug 22, 2023

Hi @keeganquigley,
Thank you for your feedback. To address your queries:

  • Indeed, the scope of milestone 1 includes biometric login functionality via Apple TouchId or FaceId.
  • Although email addresses might not appear overtly sensitive, we prioritize user security. As such, we encrypt them before storage in our database.
  • Regarding the cloud backup, we plan to employ AES-256 encryption for the backup key.
  • We recognize your concerns about the costs. Based on extensive user research, we believe these features are essential for simplifying the use of crypto wallets for average users within the Polkadot ecosystem. Our month-long study has highlighted the challenges users face when starting their journey in this space, and the features we've outlined are a direct response to those insights. However, if cost reduction becomes imperative, we can consider omitting milestone 3 from the current application scope. We could then seek a follow-up grant once our project concept aligns more closely with your vision.

@keeganquigley
Contributor

Thanks @andrwlt for the thorough answers. Yes, I think I'd personally be more apt to approve it if milestone 3 was omitted and moved to a follow-up grant. That way we can see the core implementation in action first, before all the additional features are implemented. Let me know if this works for you.

@andrwlt
Contributor Author

andrwlt commented Aug 22, 2023

Hi @keeganquigley,
I've removed milestone 3 from the application. Additionally, I've updated the details regarding cloud backup encryption and moved CI/CD to section 0.c. Please let me know if I need to update anything else. Thank you.

Member

@semuelle semuelle left a comment

Thanks for the update, @andrwlt. Happy to support your proposal.

Contributor

@keeganquigley keeganquigley left a comment

Thanks for the updates @andrwlt much appreciated. LGTM.

@andrwlt
Contributor Author

andrwlt commented Aug 23, 2023

@semuelle @keeganquigley Thank you for your support.

@andrwlt andrwlt requested a review from Noc2 August 23, 2023 02:12
Collaborator

@takahser takahser left a comment

@andrwlt, apologies for the delay on my end.

A few points and questions for clarity:

  • I've noticed that this proposal bears resemblance to the hashed-wallet mobile app which also received a grant and has been delivered. It might be beneficial to address this in the Ecosystem Fit section, highlighting the differences in your solution.
  • Considering the similarities with the hashed wallet, perhaps it's worth looking into reusing their implementation? You could explore forking or even collaborating with the grantee, given that their repo hasn't had recent activity since March.
  • Could you share the long-term vision for this project? Do you see the team maintaining it post-grant? If so, what drives that intention?
  • In a previous comment, you referenced a "month-long user research". Is it possible to share some insights from that study? A private share would work if public disclosure isn't feasible.
  • Regarding your team's proficiency: What experience do you hold in web UIs or, more pertinently, mobile apps? The lo-fi wireframes are a good start, but any validation of your capability would be appreciated.

@andrwlt
Contributor Author

andrwlt commented Aug 23, 2023

Hi @takahser, thank you for your inquiry. To address your questions:

  • While some teams have received grants for the social recovery wallet, and the hash wallet may resemble ours, our objectives differ. Our focus is on addressing the complexities crypto wallets pose for average users by introducing a keyless wallet, as detailed in our application. Although the hash-wallet team utilizes Flutter, we intend to develop ours as a Progressive Web Application. This approach ensures that users aren't required to install anything while still enjoying a seamless experience. While we can gain insights from the hash-wallet's approach, forking the project doesn't align with our vision.
  • Our journey has been marked by trials, errors, and lessons. After our previous grant, we directed our efforts towards Libra, an off-chain payment infrastructure for the Polkadot System. Upon market introduction, we identified the challenges everyday users face with cryptocurrencies, especially those unfamiliar with Web3. This led to our renewed mission: simplifying Web3 for everyone. Pass3 is our initial effort towards this, aiming to streamline user onboarding to Web3. Following its beta release, we aim to gather user feedback to further refine Pass3. Our vision includes exploring gas-less transfers and wallet linking, but future developments will be heavily influenced by user feedback.
  • You can find preliminary details of our project research here. However, please note that it might be disorganized and may not encompass all our offline discussions.
  • To validate our team's expertise, kindly check out our latest product at: https://golibra.xyz/. I also provided the team experience information in the application.

Please let me know if I am missing anything else.

@andrwlt andrwlt requested a review from takahser August 23, 2023 07:43
Collaborator

@takahser takahser left a comment

@andrwlt honestly for a wallet application with passkey integration that would only work on mobile anyway I see more value in a native mobile application, due to several advantages such as native push notifications, biometric authentication access (fingerprint/face id), enhanced offline usage, app store visibility and general device integration, also potentially with other wallet applications.

I reached out to the maintainers of hashed wallet and they'd be very happy to collab with you guys. I think there is much more value in streamlining the development efforts and building on the existing code base to enhance this native app, rather than rewriting everything. Personally, I'd be very interested to support a joint-effort like that, but I'm not really keen on supporting the current proposal.

Collaborator

@Noc2 Noc2 left a comment

I think @takahser's proposal makes a lot of sense. Have you considered working together with another wallet provider in the ecosystem?

@andrwlt
Contributor Author

andrwlt commented Aug 30, 2023

Hi @takahser and @Noc2,

Thank you for sharing your perspective. We recognize and concur with your suggestion that collaborating with existing wallet providers will be more efficient than starting from scratch. However, at this time, our team is hesitant to partner with others due to potential challenges arising from our team culture and workflow. For instance, our team values face-to-face interactions for quick discussions, which would be hindered by collaborating with a remote team and could slow down the development process.

We are contemplating a balanced approach, such as modifying the proposal to develop an SDK for wallets that implement Web Authentication and FIDO standards. This SDK could then be used by various wallet providers. However, if we choose this path, it will necessitate further research to ensure its versatility across multiple use cases.

@takahser
Collaborator

@andrwlt

> However, at this time, our team is hesitant to partner with others due to potential challenges arising from our team culture and workflow.

Just to be clear, your team would most likely be the main contributor to that project for the scope of the passkey feature. So I don't think there should be any challenges of that nature. If you're interested I can make an Element group and discuss with the other team there to clear up any questions.

@andrwlt
Contributor Author

andrwlt commented Aug 31, 2023

Hi @takahser, thanks for clarifying. I've sent you a message on Matrix.

@takahser
Collaborator

Closing this, as demanded by @andrwlt on Element.
For transparency: They decided to pivot and will be back with a new proposal soon.
@andrwlt feel free to link this PR in the new proposal, once you open the PR 👍

@takahser takahser closed this Sep 20, 2023
@andrwlt
Contributor Author

andrwlt commented Sep 20, 2023

Thank you @takahser. We greatly value the council's evaluation, feedback, and support 🙏
