App-Specific vs. Global Keys
Arcana provides developers using the Arcana Auth product with two user key options:
- App-specific keys
- Global keys
These key types enable Web3 application developers to tailor the user experience based on their specific requirements for privacy, security, and ease of use.
|App-specific Keys|Global Keys|
|---|---|
|Default configuration.|Developers must explicitly select this configuration.|
|Available for both Testnet/Mainnet configuration profile and app deployments.|Available only in the Mainnet configuration and app deployment.|
|User sees a unique, different key/wallet address when they log into any app that is integrated with the Arcana Auth product.|User sees the same key/wallet address irrespective of which app they log in as long as they use the same onboarding mechanism and the app is integrated with the Arcana Auth product.|
|No known security vulnerability.|Potential vulnerability - if the user account in one app gets hacked, all the others are exposed as well due to the single key/wallet address.|
Global Keys Trade-off
In Web2 applications, users commonly use the same password for multiple applications. Similarly, in Web3 applications integrated with the Arcana Auth product, developers may opt to allow users to use a single wallet address across all integrated applications.
While providing the same user keys/wallet address across Web3 apps simplifies the user experience, it also introduces a security risk. This vulnerability becomes significant if there are financial consequences involved. If a malicious actor breaches one such app and gains access to a user's global keys, they could potentially access the user's digital assets across all other applications as well.
Enabling Global Keys
To enable a shared wallet address across applications, developers can enable global keys via the Arcana Developer Dashboard by updating the Mainnet configuration. After selecting the global keys option, developers must request activation via an online form; feature activation may take a few hours after verification.
Mainnet only feature
This feature is only available for applications deployed on the Arcana Mainnet.
To enable the 'Global Keys' feature, developers can submit a request after registering their applications and creating the Mainnet configuration profile that has the 'global keys' option enabled. The request will undergo manual verification, which may take some time. Developers can check the verification status in the Arcana Developer Dashboard. Once approved, the application will have 'Global Keys' enabled. During the verification process, developers can continue using the 'app-specific' keys option on Arcana Testnet.
Once the application is approved for global keys, it can be deployed on Mainnet, and users will notice a change in key/wallet address values when logging in with global keys.
Mainnet deployment before approval
Deploying the app on Mainnet with the 'app-specific' keys option before global keys approval results in two key/wallet address changes for users. The first change occurs during the transition from Testnet to Mainnet deployment using app-specific keys. The second change happens after the request is approved, shifting the app's keyspace from 'app-specific' to 'global keys'.
Global Keys Limitations
The 'Global Keys' option is exclusive to apps configured for 'Mainnet' usage. These apps are integrated with the Arcana Auth product using the 'Mainnet' Client ID and deployed on the Mainnet. Here are some limitations related to the use of global keys:
Initially, apps can be registered and configured to use app-specific keys (default). These apps can integrate with Arcana Auth using the assigned Client ID for the 'Testnet' configuration profile and deploy on Testnet.
When apps are ready for Mainnet deployment, developers can create a Mainnet configuration profile and choose the global keys option. It is advisable to wait for the global keys request update before deploying the app on Mainnet. This ensures that users will only experience a single change in keys/wallet addresses from Testnet to Mainnet.
Please note that once an app deployed on Mainnet switches to the 'Global Keys' option, reverting may have side effects: the authenticated user's keys/wallet address will change to a different one.
Custom Wallet UI
If a developer selects the custom wallet UI feature during app registration, the app can only utilize app-specific keys. The global keys option is not available for apps using the custom wallet UI due to security concerns.
This implies that users of Web3 apps configured with the custom wallet UI will have distinct wallet addresses, even if they use the same authentication provider to log in to another app integrated with the Arcana Auth product within the Arcana ecosystem.
The reason for this restriction is to reduce a potential security vulnerability. See the security section below for details.
While Arcana follows a stringent validation process to enable global keys for apps, the usage of 'global keys' introduces a potential security vulnerability for the users of such apps.
This vulnerability is a trade-off for the convenience offered by global keys. Global keys allow users to have the same wallet address for the same onboarding provider across all apps integrated with the Arcana Auth product. This unified wallet address allows users to seamlessly utilize digital assets across various apps. However, if one of these apps becomes malicious, the user's key is no longer confined to that particular app, granting unauthorized access to the user's information across all apps using 'global keys'.
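The trade-off described here and in the Global Keys Trade-off section can be modelled as key-scope isolation. The following is an added example, not Arcana's code and not a description of how Arcana derives keys: it assumes a per-user root secret and uses HKDF with an app-scoped context string as a stand-in derivation, with hypothetical client IDs and a constructed secret, to show which other apps share the key exposed by a breach of one app.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and an empty salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def user_key(root_secret: bytes, client_id: str, keyspace: str) -> bytes:
    """Assumed model: global keys ignore the app, app-specific keys bind to it."""
    if keyspace == "global":
        info = b"keyspace:global"
    elif keyspace == "app-specific":
        info = b"keyspace:app:" + client_id.encode()
    else:
        raise ValueError(f"unknown keyspace: {keyspace}")
    return hkdf_sha256(root_secret, info)

def address(key: bytes) -> str:
    """Stand-in address (hash of the key), not a real chain address."""
    return "0x" + hashlib.sha256(key).hexdigest()[:40]

def blast_radius(root_secret: bytes, apps: dict, breached_app: str) -> list:
    """Other apps in which the user holds the same key as in the breached app."""
    leaked = user_key(root_secret, breached_app, apps[breached_app])
    return sorted(
        cid for cid, keyspace in apps.items()
        if cid != breached_app
        and hmac.compare_digest(user_key(root_secret, cid, keyspace), leaked)
    )

# Constructed sample data: one user's root secret and four hypothetical apps.
ROOT = bytes(range(32))
APPS = {
    "dex-app": "global",
    "game-app": "global",
    "nft-app": "app-specific",
    "wallet-ui-app": "app-specific",  # custom wallet UI: app-specific only
}

if __name__ == "__main__":
    for app in APPS:
        key = user_key(ROOT, app, APPS[app])
        print(app, APPS[app], address(key), "shares key with:", blast_radius(ROOT, APPS, app))
```

In this model a breach of either global-keys app exposes the key used in the other, while a breach of an app-specific app exposes no key used elsewhere.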