What is self-custody?
At Picnic, your funds are stored in a smart wallet that exists directly on a public blockchain. This means that Picnic does not hold or control your money — you are the one who authorizes each transaction.
Unlike traditional banks and brokers, where your funds are kept on servers controlled by the company, at Picnic, the ownership of your assets is yours from day one. No Picnic employee can access or move your funds.
This model is called self-custody: you alone are responsible for, and in control of, your account.
How security works at Picnic
Picnic uses access keys (also known as passkeys) as the primary means of authentication and transaction authorization.
An access key is a cryptographic credential that is stored in the secure hardware of your device (mobile or computer) and is protected by your biometrics — your face or fingerprint.
In practice, it works like this:
- When you log in or authorize a transaction, Picnic requests confirmation of your access key.
- Your device requests your biometrics (Face ID, Touch ID, fingerprint, or facial recognition).
- After biometric confirmation, the cryptographic signature is generated directly on your device.
- This signature is sent to the blockchain, authorizing the operation.
At no point does the private key leave your device. Picnic never sees, stores, or has access to this key.
Why are access keys more secure?
- Phishing resistant: The access key is linked to the domain where it was created. If someone creates a fake site imitating Picnic, your device will not recognize that domain, and the key simply will not be offered.
- No passwords to leak: There is no password to be stolen, guessed, or reused.
- Hardware protected: The private key resides within the security chip of your device and cannot be copied, exported, or extracted.
- Mandatory biometrics: Even with physical access to your device, without your biometrics, the key cannot be used.
Synchronization between devices
Access keys automatically sync between your devices through your platform's password manager:
- iPhone/iPad/Mac: sync via iCloud Keychain.
- Android/Chrome: sync via Google Password Manager.
- Password managers: if you use a manager like 1Password or Bitwarden, your access keys can be synced through it.
This means that, in most cases, switching phones or accessing from a computer does not require any recovery process — your access simply follows your devices.
And the email?
Previously, logging into Picnic was done via email, through an intermediary infrastructure. With access keys, email is no longer part of the main authentication path.
Now, email functions only as a recovery mechanism. If you lose access to your device and your access key, you can initiate account recovery via email. In this case, there is a security period of 7 days before new access is granted — to ensure that any unauthorized attempts can be detected and canceled.
App biometric lock vs. access key: what’s the difference?
There are two layers of biometric protection at Picnic, and it’s important to understand the difference:
| | Access Key | App Biometric Lock |
|---|---|---|
| What it is | A cryptographic credential that authenticates and authorizes transactions | A quick access lock for the app |
| Where it lives | On the blockchain — registered as the signer of your wallet | Only on your device — it is a local app setting |
| What it protects | The ownership and control of your account and funds | Access to the app interface |
| Mandatory? | Yes — mandatory starting April 6, 2026 | No — it is an optional feature that you can enable in settings |
| Works across devices? | Yes — syncs through your platform's password manager | No — works only on the device where it was activated |
In summary: the access key is the real security of your account, registered on the blockchain. The biometric lock is a local convenience that prevents someone from opening the app on your phone without authorization.
We recommend keeping both protections active.
Timeline
Access keys are already available for setup. Starting April 6, 2026, they will be mandatory for all accounts created with email.
Setting it up takes about 30 seconds:
- Open Picnic.
- Tap on the access key setup banner.
- Confirm with your face or fingerprint.
Summary
- Your funds are in a wallet on the blockchain — Picnic does not have access to them.
- Access keys protect your account with cryptography and biometrics directly on your device.
- The private key never leaves your device and cannot be copied.
- Email now functions only as a recovery mechanism, with a 7-day security period.
- The app biometric lock is a separate local protection — it does not replace the access key.
If you have questions, contact support within the app or send an email to oi@usepicnic.com.