At Consensus 2026, Cardano’s Charles Hoskinson argued that everyday users “should probably never have their private keys,” contending that modern phones already contain stronger, more practical signing hardware than many dedicated devices. His remarks spotlight a growing shift in crypto self-custody toward device-bound credentials, passkey-based onboarding, and smart-wallet controls that keep keys non‑exportable while centering security on user intent and approval flows.

Technology Overview

Private key management has inhibited retail adoption since Bitcoin’s early days. The conventional seed phrase—12 or 24 words—too often gets forgotten, photographed, synced to cloud notes, or otherwise mishandled. Hardware wallets addressed the most acute risk by generating and storing keys that never leave the device in plaintext. Yet that improvement came with added friction: a separate gadget, a companion app, and a multi‑step signing flow that many mainstream users avoid.

Hoskinson’s case rests on the secure subsystems already embedded in consumer phones. Apple’s Secure Enclave is a dedicated, isolated component designed to safeguard sensitive material even if the application‑processor kernel is compromised. Android’s Keystore can bind non‑exportable keys to a Trusted Execution Environment or secure element; StrongBox variants add a dedicated CPU and stricter isolation. Samsung’s Knox leverages TrustZone, and its work profile architecture has been described as operating like a separate system, with DualDAR applying additional encryption layers for managed data. In short, the hardware needed to protect private keys now ships by default in the devices people carry every day.

Those hardware capabilities dovetail with the rapid normalization of passkeys. According to FIDO, there are now 5 billion active passkeys worldwide, with 75% of consumers having enabled at least one. This mainstream acceptance of device‑bound, biometric‑unlocked credentials lowers the learning curve for wallets that avoid recovery phrases entirely and instead rely on hardware‑protected keys surfaced through familiar phone authentication.

Coinbase’s smart wallet operationalizes that model by letting users onboard without a recovery phrase, using Apple or Google passkeys to create a non‑exportable credential bound to secure hardware. From the user’s perspective, Face ID, a fingerprint, or a PIN becomes the everyday interface, replacing the need to ever handle raw key material.

How It Works

In a phone‑based, hardware‑backed wallet, the key is generated inside the device’s secure environment and remains non‑exportable. Wallet prompts, biometrics, and PIN‑gated approvals mediate access to signing. Apple’s secure intent mechanism goes further by allowing hardware to physically confirm user intent in ways that even privileged software cannot spoof, while Android Keystore supports per‑operation authentication requirements to tighten control of each signature.

That model differs from both seed‑phrase wallets and dedicated hardware wallets. With seed phrases, the secret exists in a form that can be copied, screenshotted, or phished—making extraction comparatively easy if a user slips. Phone‑resident keys are significantly harder to extract, but a compromised app or operating system may still attempt to coax the device into signing something unintended. Dedicated hardware wallets, by contrast, isolate both the key and the user’s decision surface. Ledger’s secure element drives a trusted display on the device itself, enabling transaction verification even if the connected phone or computer is compromised. Trezor similarly presents transaction details on a trusted screen, and its newer Safe 3, Safe 5, and Safe 7 models incorporate secure elements—addressing outdated critiques that such devices lack secure silicon.

The trade‑off is usability. Dedicated devices deliver cleaner isolation and a clearer threat model at the cost of extra steps and hardware. Phone‑based approaches keep keys in secure silicon most users already own, streamlining everyday payments and routine self‑custody, but they lean heavily on the quality of approval UX and intent verification.

Industry Impact

The wallet stack is also adapting to machine‑driven activity. As AI agents begin to initiate payments, a viable pattern is bounded delegation—authorizing an agent to spend within preset limits and time windows under full audit, without exposing the credential that controls the broader wallet. Base’s Spend Permissions documentation frames AI‑agent purchases as a core use case for recurring, limited‑scope authorizations. Coinbase’s AgentCore Payments and AWS’s stablecoin agent tooling reflect the same model, enabling transactions under budget controls and comprehensive logs rather than giving agents direct private‑key access.

On Ethereum, account abstraction is laying the groundwork at scale. EIP‑4337 has enabled over 26 million smart wallets and 170 million UserOperations, bringing features like programmable controls and alternative fee strategies into production. Looking ahead on the same trajectory, Pectra’s EIP‑7702 extends programmable wallet behavior to externally owned accounts, opening the door to batching, gas sponsorship, recovery logic, and custom controls. Taken together, the infrastructure for permission‑based, agent‑compatible wallets is already materially in place.

Risks and Limitations

Hoskinson’s framing underscores an important caveat: key non‑extractability and transaction security are separate promises. A device may keep a private key safely locked inside secure hardware, yet a compromised app or OS can still trick a user—or the system—into authorizing a malicious signature. Recent incidents illustrate how damaging that gap can be. Analysis of a Bybit breach concluded that attackers deceived signers into approving a harmful transaction; the private key never left the hardware, but the authorization still went through. More broadly, Chainalysis observed that impersonation scams grew over 1,400% in 2025, with AI‑enabled scams generating 4.5 times the returns of traditional approaches. In a phone‑native model where users never see their keys, transaction intent, approval clarity, and spend limits become the primary security surface.

Future Implications

If wallets deliver clear intent UX—standardized spend caps, revocable delegation, and unambiguous prompts—phone‑primary self‑custody could credibly account for 70% to 85% of new retail users by 2028. Seedless onboarding would become the default, account abstraction would shift from advanced feature to baseline expectation, and the recovery phrase would remain as an optional configuration for those who want it. Conversely, if mobile signing incidents, phishing, confusing approval flows, or brittle recovery mechanics continue to generate highly visible losses, phone‑based self‑custody could stall at 20% to 35% of the retail market, with users labeling such episodes as “hacks” and retreating to exchanges.

Either path raises an uncomfortable but unavoidable dependency question. If self‑custody moves into the secure hardware embedded in smartphones, then Apple, Google, Samsung, and major wallet SDK providers become central actors in crypto’s security architecture. The model remains non‑custodial in a technical sense, but the reliability of wallet security increasingly hangs on OS APIs, enclave access policies, and app distribution rules. That reality does not negate Hoskinson’s core point—most users already carry capable signing hardware—but it does redefine self‑custody as a problem of verifiable intent, transparent permissions, and platform‑level assurances rather than personal key handling.