App-Specific vs. Global Keys

In Web2 applications, users often employ the same password for multiple applications. Similarly, in Web3 applications integrated with the Arcana Auth SDK, developers may choose to enable users to use a single wallet address across all integrated applications by configuring the global keys option instead of using the default 'app-specific' keys.

Global keys offer a streamlined user experience akin to Web2 applications by providing the same user keys/wallet address across Web3 apps. However, global keys also introduce a security risk, especially if there are financial implications in the app. If a malicious actor breaches one such app and gains access to a user's global keys, they could potentially access the user's digital assets across all other applications using global keys.

```mermaid
flowchart LR
    subgraph D [ ]
        A1(((Developer)))
    end
    subgraph KT [Keyspace Configuration]
    direction LR
        A1--> B1(Dashboard Login) --> C1[App A Settings] -- Configure Keyspace --> D1[Global Keys]
        B1 -->C2[App B Settings] -- Configure Keyspace --> D2[App-Specific Keys]
        B1 -->Cz[App Z Settings] -- Configure Keyspace --> Dz[Global Keys]
    end

classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem;
class D1,Dz an-pink
```

```mermaid
flowchart LR
    subgraph U [ ]
        A3(((User 1)))
    end
    subgraph ULZ [User 1 Logs in - App Z]
        direction LR
        A3 --> BZ(App Z Login) -- Authenticated --> CZ(Arcana Wallet in App Z) --> DZ[Wallet Address UA1]
    end
    subgraph ULB [User 1 Logs in - App B]
    direction LR
        A3 --> B33(App B Login) -- Authenticated --> C33(Arcana Wallet in App B) --> D33[Wallet Address UB1]
    end
    subgraph ULA [User 1 Logs in - App A]
    direction LR
        A3 --> B3(App A Login) -- Authenticated --> C3(Arcana Wallet in App A) --> D3[Wallet Address UA1]
    end

classDef an-pink stroke:#ff4e9f,stroke-width:0.25rem;
class D3,DZ an-pink
```

Based on the app-specific requirements for privacy, security, and ease of use, developers can change the default keyspace setting from app-specific to the global keys using the Arcana Developer Dashboard.

| App-specific Keys | Global Keys |
|---|---|
| Default. | Requires approval before this option can be enabled. |
| User sees a unique, different key/wallet address when they log into any app that is integrated with the Arcana Auth SDK. | User sees the same key/wallet address irrespective of which app they log in to, as long as they use the same onboarding mechanism and the app is integrated with the Arcana Auth SDK. |
| No known security vulnerability. | A potential vulnerability arises if a user's account is compromised in one app: it exposes all other apps linked to the same user, because the key/wallet address is shared across applications. |

Enabling Global Keys

By default, all apps are registered to use app-specific keys. Developers can change that by using the Arcana Developer Dashboard and selecting global keys. To opt for global keys, developers must request activation via an online form and provide the required information. The global keys feature activation for an app may take a few hours for screening and verification. During the verification process, developers can continue using the 'app-specific' keys option.

Global Keys: Wallet User Experience

When the global keys option is set for an application using the Arcana Auth SDK, it alters the user experience when interacting with the Arcana wallet.

  • If the app was earlier using app-specific keys, its users will already have seen that app-specific wallet address. Once the developer switches to global keys, users see a different wallet address for the same app.

  • The blockchain transaction signing experience changes for the user. With the default app-specific key setup, a personal sign message request prompts the Arcana wallet to display a pop-up within the same app context, where the user takes action. After switching to global keys, the same personal sign request appears in a new browser tab; users take the necessary action in that tab and then close it.

[Figure: Wallet behavior (No clickjacking fix)]
[Figure: Wallet behavior (With clickjacking fix)]

Global Keys Limitations

Global keys have some usage limitations:

Custom Wallet UI

Global keys are not supported for apps using custom wallet UI.

Apps using the custom wallet UI are restricted to app-specific keys, resulting in users encountering different wallet addresses across apps. This applies even when the same authentication provider is used for logging into various apps integrated with Arcana Auth SDK.

The reason for this restriction is to reduce a potential security vulnerability.

Switching Keyspace

Initially, apps are set up to use app-specific keys by default. Developers have the option to later adjust the keyspace and transition to using global keys in the registered app. Switching the keyspace will lead to a modification in the app user's wallet address.

Security

While Arcana rigorously follows a validation process to enable global keys for apps, the adoption of 'global keys' may introduce a potential security vulnerability in apps that switch keyspace to global keys.

This vulnerability is a trade-off for the convenience provided by global keys.

Global keys allow users to have a consistent wallet address across all apps integrated with the Arcana Auth SDK, providing seamless utilization of digital assets. However, in the event of one app turning malicious, the user's key is no longer confined to that app, allowing unauthorized access to the user's information across all apps using 'global keys'.


Last update: April 22, 2024 by shaloo