With this ecosystem update, we’re rolling out one of the upgrades I’m most excited about. Passkey support is arriving across the Tratok ecosystem, and the encryption foundation that everything sits on is getting a refresh at the same time. The short version is that signing in is about to get faster, stronger, and a lot more pleasant.
What’s actually shipping
Three components, working together. Each matters on its own. Together they’re a meaningful step up for everyone using the platform.
Passkey support. With this update, you can sign into Tratok using a passkey on any supported device. No password to remember, no SMS code to wait for, no authenticator app to fish out. Just your face, your fingerprint, or your device PIN. We’ll get into what passkeys are and why they’re a leap forward in a moment.
Encryption foundation refresh. Underneath all of it, the cryptographic primitives that protect authentication, wallet operations, transaction signing, and session tokens are being moved to a stronger set of standards. This is the unglamorous part of the upgrade, but it’s the part that makes everything else possible. It’s also what brings us in line with how the financial industry protects custodial systems and high-value transactions today.
A quick one-time password refresh. Because we’re upgrading the way password hashes are derived, your existing password needs to be re-entered once so the new hash can be created from your live input. It’s a 30-second step. You only do it once. Then you’re on the upgraded foundation, and (if you set up a passkey at the same time) you may never need to type a password into Tratok again.
Why we’re shipping this now
Two reasons, both pointing in the same direction.
Regulatory. As the ecosystem hosts wallets and facilitates TRAT utility token transactions between users, we’re held to a higher security bar than a generic web service. The 2026 framework set out exactly what that bar looks like for platforms in our category, and we’re meeting it ahead of the deadline rather than chasing it. Doing things by the book, on time, with proper governance is part of how we operate.
Standards. Even where regulation is silent, the cryptography and authentication patterns we’re moving to are simply the leading industry standard to protect serious value. Bringing the platform up to that baseline is the appropriate posture for any system handling wallets and token transfers. We’re glad to be there.
So, what is a passkey, exactly?
If you’ve already signed into your bank’s mobile app or your Apple or Google account using just your fingerprint or face, you’ve already used a passkey. The user experience is that simple.
Underneath, a passkey is a cryptographic credential that lives on your device. It’s actually two related keys, mathematically linked. The private half stays on your device, locked behind your fingerprint, Face ID, or device PIN. The public half lives on our servers. When you sign in, your device proves it has the private key without ever revealing it.
Each passkey is also tied to the exact site it was created for, which means a phishing site simply cannot accept it. The cryptography handles the trust check that humans are notoriously bad at handling under pressure. That’s a meaningful win.
How much better are Passkeys?
Here’s how passkeys stack up against the password and 2FA flows that most users are familiar with.
- ✕ Vulnerable to phishing
- ✕ SIM swap risk
- ✕ Password stored on server
- ✕ Slower at the counter
- ✕ User has to remember it
- ✕ Still phishable
- ✓ No SIM swap risk
- ✕ Password stored on server
- ✕ Two-step entry needed
- ✕ User has to remember it
- ✓ Phishing-resistant by design
- ✓ No SIM swap risk
- ✓ No secret on our server
- ✓ One biometric tap
- ✓ Nothing to remember
Three properties of passkeys deserve a closer look, because they’re what actually changes the security picture for everyone using the platform.
Phishing resistance, built into the protocol
Passkeys are bound to the actual domain at the cryptographic layer. The wrong site simply cannot accept the credential. There is no convincing fake page to type into, because there is nothing for the user to type. The phishing attack vector closes by design, not by user vigilance, which is the way it should be.
No shared secret on our side
With passwords, even hashed ones, the same value lives on your device, in our database, and often in your password manager. Three places it could leak from. With passkeys, the secret half lives only on your device. Our database stores only the public half, which is mathematically useless to anyone trying to impersonate you. That’s a fundamentally cleaner architecture.
No code to type or to lose
No SMS code to wait for. No authenticator app to dig out of a folder. No six-digit number to type before the timer expires. The cryptographic challenge happens silently between your device and our server, and the only thing the user sees is the biometric prompt. The verification step that used to slow you down becomes the easiest part of signing in.
Authentication that matches the value behind it
For most websites, password and 2FA is fine. For wallets and token transfers, the level of protection should match the value being moved around, and that’s exactly what this upgrade brings.
Token transactions on chain are final by design. That’s a feature, not a problem. The whole point of blockchain settlement is that once it’s done, it’s done. But it does mean the authentication protecting your wallet should be operating at the same level as the financial industry uses for its most sensitive operations. With passkeys, it now is.
For TRAT holders, for users running corporate accounts with delegated wallets, for anyone managing ecosystem assets that matter to them, this upgrade is a meaningful step forward. The same standard the major banks are rolling out for their own customers is now what protects your account here.
Contactless transfers are about to feel almost magical
The contactless transfer feature, which lets users send TRAT to each other in real-world settings (paying for a check-in, splitting a bill at dinner, sending a tip to a guide), benefits from this upgrade more than any other part of the platform. It’s already one of the more delightful capabilities Tratok offers. After this update, it’s going to be one of the fastest, smoothest in-app payment experiences you can have anywhere.
Old flow: open the app, type your password, wait for the SMS or app code, type the code, approve the transfer. Four interactions and a 30-second wait, at exactly the moment when speed matters.
New flow: open the app, glance at your camera or touch your fingerprint sensor, transfer approved. One interaction. About two seconds. And the underlying verification is meaningfully stronger than what came before, not weaker.
In good company, by design
Passkeys are built on the FIDO2 / WebAuthn standard, which is the same standard underlying:
For a platform that handles wallets and token transfers, this is exactly the company we want to be in. We’re not innovating the protocol. We’re adopting what the rest of the serious-about-security world has already settled on.
What you’ll do after the update
The whole flow takes less than a minute. You only do it once.
On your first sign-in after this update reaches your account, you’ll see a one-time prompt to set a fresh password under the new encryption.
If you’re on a supported device (recent iPhone, Android, Mac, Windows 11, or any device with a hardware authenticator), you’ll see an option to add a passkey alongside the password. Take 30 seconds and do it. Future you will thank you every single time you sign in.
If you stay on a password-based account, your existing 2FA continues to do its job. If you go passkey-only, the passkey itself is the strong second factor and traditional 2FA is no longer needed. Either path is well-supported. The passkey path is genuinely better.
That’s it. You’re on the new system. Sign in is faster, security is stronger, and you have one less password to remember.
A few quick questions worth answering
The rollout is in progress across the ecosystem now. The actual setup on your end takes about one minute the first time you sign in after the update reaches your account. After that, you’re done.
Not at all. If you hold TRAT in your own wallet (MetaMask, Trust Wallet, hardware wallet, anything self-custodial), nothing about your holdings or your access changes. This upgrade only touches authentication into Tratok ecosystem services. Your private keys live where they’ve always lived.
No problem. You’ll continue with password and 2FA on the upgraded encryption, which is itself a meaningful improvement. Passkeys are an option for supported devices, not a requirement. The encryption upgrade is for everyone. Passkey adoption is opt-in.
Yes, and you should. You can register a passkey on each device you sign in from. They sync via your platform’s keychain (iCloud Keychain on Apple, Google Password Manager on Android, Microsoft Account on Windows), so set up on one and you have access on the others. iPhone, iPad, MacBook all sharing one keychain? Set it up once, all three are covered.
Your passkeys are still on your other trusted devices via your keychain, so a lost phone is no different from a phone left at home. If you lose every device at once (the same scenario that would lock you out of your bank, your email, and most of your digital life), account recovery falls back to email verification, the same path that exists for forgotten passwords today. You’re actually in a slightly better position than the old model on this.
This is the kind of upgrade we’ve been wanting to ship for a long time. Faster sign-in, stronger security, less to remember, all wrapped into a flow that takes about two minutes the first time and roughly two seconds every time after.
When the prompt appears in your account, take 30 extra seconds and try the passkey option. I’d be very surprised if you went back.
C