App-Specific vs. Global Keys
In Web2 applications, users often employ the same password for multiple applications. Similarly, in Web3 applications integrated with the Arcana Auth SDK, developers may choose to enable users to use a single wallet address across all integrated applications by configuring the global keys option instead of using the default 'app-specific' keys.
Global keys offer a streamlined user experience akin to Web2 applications by providing the same user keys/wallet address across Web3 apps. However, global keys also introduce a security risk, especially if there are financial implications in the app. If a malicious actor breaches one such app and gains access to a user's global keys, they could potentially access the user's digital assets across all other applications using global keys.
Based on an app's own requirements for privacy, security, and ease of use, developers can change the default keyspace setting from app-specific keys to global keys using the Arcana Developer Dashboard.
| | App-specific keys | Global keys |
|---|---|---|
| Activation | Default setting; no approval required. | Requires approval before this option can be enabled. |
| Key/wallet address | User sees a unique, different key/wallet address when they log into any app that is integrated with the Arcana Auth SDK. | User sees the same key/wallet address irrespective of which app they log in to, as long as they use the same onboarding mechanism and the app is integrated with the Arcana Auth SDK. |
| Security | No known security vulnerability. | Potential vulnerability may arise in case a user's account is compromised in one app. It exposes all other apps linked to the same user due to the shared key/wallet address across applications. |
Enabling Global Keys
By default, all apps are registered to use app-specific keys. Developers can change that by using the Arcana Developer Dashboard and selecting global keys. To opt for global keys, developers must request activation via an online form and provide the required information. Global keys activation for an app may take a few hours for screening and verification. During the verification process, developers can continue using the 'app-specific' keys option.
Global Keys: Wallet User Experience
When the global keys option is set for an application using the Arcana Auth SDK, it alters the user experience when interacting with the Arcana wallet.
If the app was earlier using app-specific keys, app users will already have a wallet address for that app. Once the developer switches to global keys, users will see a different wallet address for the same app.
The blockchain transaction signing experience also changes for the user. With the default app-specific key setup, initiating a personal sign message request prompts the Arcana wallet to display a pop-up within the same app context, where the user needs to take action. After switching to global keys, the same personal sign message request appears in a new browser tab. Users take the necessary action in this tab and can then close it.
Global Keys Limitations
Global keys have some usage limitations:
Custom Wallet UI
Global keys are not supported for apps using custom wallet UI.
Apps using the custom wallet UI are restricted to app-specific keys, so users see different wallet addresses across apps. This applies even when the same authentication provider is used to log into the various apps integrated with the Arcana Auth SDK.
The reason for this restriction is to reduce a potential security vulnerability.
Initially, apps are set up to use app-specific keys by default. Developers have the option to later adjust the keyspace and transition to using global keys in the registered app. Switching the keyspace will lead to a modification in the app user's wallet address.
While Arcana rigorously follows a validation process to enable global keys for apps, the adoption of 'global keys' may introduce a potential security vulnerability in apps that switch keyspace to global keys.
This vulnerability is a trade-off for the convenience provided by global keys.
Global keys allow users to have a consistent wallet address across all apps integrated with the Arcana Auth SDK, providing seamless utilization of digital assets. However, in the event of one app turning malicious, the user's key is no longer confined to that app, allowing unauthorized access to the user's information across all apps using 'global keys'.