Security
Estimated time to read: 4 minutes
The Arcana Arcana Auth SDK is powered by the Proof of Stake (PoS) algorithms. The Arcana protocol is decentralized by design. The subsystems used to implement the Arcana Auth SDK are secured via testing and audits. The same underlying security is shared across all the Arcana protocol nodes, including the ones owned and run by third-party trusted partners (validators).
Key Concerns
-
App Onboarding: Are the users securely onboarded on the apps that integrate with the Arcana Auth SDK? Are user credentials safe? Does Arcana follow standard authentication protocols?
-
Web3 Keys Ownership & Privacy: Are the keys assigned to authenticated users safe? What happens if the keys are lost? Can they be recovered? Do the users own, control, manage and secure keys or does the system ensure key security?
-
Protocol Security: Is the core Arcana protocol and smart contracts that implement user authentication and key share assignment secure? Has it been battle-tested and audited?
-
Embedded Wallet Security: Is the Arcana wallet secure? Does Arcana ensure that it is not vulnerable to clickjacking and other common vulnerabilities?
-
User Data Security: Is the data shared by the developers or users with the Arcana ecosystem safe and secure?
The Arcana Auth SDK addresses these security considerations related to Web3 authentication:
App Onboarding
Web3 apps integrate with the Arcana Auth SDK to enable user onboarding and enable authenticated users to sign blockchain transactions. This involves both securing user onboarding as well as ensuring that the keys used to sign blockchain transactions are access-controlled. User's keys are self-custodial meaning they are fully owned by the user. See key privacy details in the following section.
Arcana supports standard OAuth 2.0 protocol and works with several social login providers to ensure user credentials are never stored in the Arcana ecosystem.
Once a user logs in successfully, the Arcana Auth SDK generates a time-bound JWT token and associates it with the user account. The Web3 app can use this JWT token, verify it and ensure user onboarding is secured. They can generate their own JWT token for the user session. The time-bound JWT token ensures that any credentials stolen through phishing attacks have a limited shelf life.
Web3 Key Ownership & Privacy
Once a user has been authenticated, it is imperative that the blockchain signing keys for that user are completely owned, secure and private. {{ no such element: dict object['adk_name'] }} ensures this through the state-of-the-art asynchronous distributed key generation (ADKG) subsystem. The key shares generated by this subsystem are not stored or assembled ever, within the Arcana subsystem.
Key Share Generation
Arcana Auth SDK combines several algorithms to have a highly secure and robust ADKG subsystem. It uses a robust asynchronous DPSS mechanism to ensure that no single node in the system has access to the user's keys and that the system can handle malicious nodes. We are also working on other enhancements to this ADKG subsystem to enable key share repair, key share refresh, and more. Besides these other enhancements include Arcana Auth SDK multi-factor authentication (MFA) feature, and multi-party computation (MPC) for even stronger security without compromising on ease of use for Web3 users.
Key Share Assembly
Arcana Auth SDK does not store any key shares that belong to the app user. The key shares are created by the ADKG subsystem and assigned to the authenticated user. Key shares are used to generate the user's private key only in the context of the Web3 app, at the client end, after user verification. If the user changes the device used to log in to the Web3 app that is integrated with Arcana Auth SDK, the enhanced wallet security (MFA) feature addresses key recovery on the new device in a secure manner.
Global & App-Specific Keys
Arcana Auth SDK Keyspace feature offers two kinds of keys that can be assigned to Web3 app users:
- Global Keys
- App-specific Keys
Developers can select keyspace type during configuration depending upon the kind of user experience and security needs of the app and choose the type of keys that are assigned to app users.
Global keys have some usage limitations to ensure key security as these keys can be accessed across all the apps that are integrated with the Arcana Auth SDK using the Global keys configuration option.
Protocol Security
The smart contracts used to implement the Arcana Auth SDK and the authentication protocol have been audited for vulnerabilities. All known audit issues have been addressed. See Arcana Audit Reports for details.
Embedded Wallet Security
Web3 apps that integrate with the Arcana Auth SDK can enable the built-in, in-app, non-custodial Arcana wallet for logged in users to sign blockchain transactions. The Arcana wallet displays in the context of the app itself once the user authenticates. Developers can customize the wallet branding or replace the wallet UI with a custom wallet UI. The built-in wallet UI has been designed and hardened to handle UI based attacks such as clickjacking.
If a users chooses to, they can use the in-app, built-in wallet UI to export private key. Every time the key is exported, an email alert is issued to the user to that user can verify whether the exports were authorized. If the built-in wallet UI is replace with a custom one, the onus is on the developers to provision user key export feature.
Developers can choose to enable the additional domain validation security checks through the Arcana Developer Dashboard to further secure the in-app wallet.
User Data Security
Developers interact with the Arcana Developer Dashboard to register and configure the apps for various Arcana Auth SDK usage settings. All the data provided by the developer in the context of the registered app is encrypted and secured. Web3 app user credential data is never stored in the Arcana subsystem. User login and usage details are secured via data encryption and access control.
The Arcana Auth SDK usage data for the Web3 app can only be accessed by the authorized developers via the dashboard.