Is it safe to store Near private-key in browser localStorage? #880
Is it safe to store the near private-key in browser I have seen many posts and threads about how unsafe it is to put sensitive information on I would really appreciate it if anyone can explain why in this case it's ok.
Replies: 1 comment 2 replies
Great question! As is usual, it depends. Keys in local storage are function access keys; they can only sign transactions on behalf of the user for a set of the corresponding contract's methods (default is all of them) with an allowance of 0.25 N that can only be used to pay network fees. Anytime you need to make a transaction that attaches a deposit of NEAR to the call, the user is redirected to a wallet with a full access key that has the permission to transfer the NEAR. When "logging in" to an app you are redirected to a wallet and sign a transaction with a full access key to add a new function access key.

A common pattern for a function call to force the user to sign with a full access key is to require attaching So yes, someone could gain access to your local storage and interact on your behalf, but the key's permissions are limited and the security of the contract should further reduce the potential harm.

One last thing to note is that it is only a pattern that the keys in local storage are function access keys. However, when "logging" into the app you will be shown the details of which keys you are adding, so you should be careful of applications that will add a full access key.
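As an added example (not code from this thread or from NEAR's libraries), the code below triages an account's keys by what a stolen copy could do, using the permission shape returned by the NEAR RPC `view_access_key_list` query. The function names `assessKey` and `auditKeys`, the risk labels and the sample data are constructed for illustration.

```javascript
// Added example (not from the thread): triage an account's access keys.
// Input shape follows the NEAR RPC `view_access_key_list` result.
const EXPECTED_ALLOWANCE = 250000000000000000000000n; // 0.25 NEAR in yoctoNEAR (1 NEAR = 10^24)

function assessKey(entry) {
  const perm = entry.access_key.permission;
  if (perm === "FullAccess") {
    // Can sign any action: transfers, key changes, contract deployment.
    return { publicKey: entry.public_key, kind: "FullAccess", risk: "high", notes: [] };
  }
  const fc = perm.FunctionCall;
  const notes = [];
  // allowance === null means the key has no fee cap at all.
  if (fc.allowance === null) notes.push("no fee allowance cap");
  else if (BigInt(fc.allowance) > EXPECTED_ALLOWANCE) notes.push("allowance above 0.25 NEAR");
  // An empty method list is the default and means every method on the contract.
  const methods = fc.method_names.length ? fc.method_names.join(",") : "*";
  return {
    publicKey: entry.public_key,
    kind: `FunctionCall ${fc.receiver_id}[${methods}]`,
    risk: notes.length ? "review" : "limited",
    notes,
  };
}

// Highest-risk keys first, so a full access key is the first thing the reader sees.
function auditKeys(rpcResult) {
  const order = { high: 0, review: 1, limited: 2 };
  return rpcResult.keys.map(assessKey).sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed sample data; key strings and account names are placeholders.
const SAMPLE = { keys: [
  { public_key: "ed25519:PLACEHOLDER_A", access_key: { nonce: 3, permission: { FunctionCall: {
      allowance: "250000000000000000000000", receiver_id: "app.example.testnet", method_names: [] } } } },
  { public_key: "ed25519:PLACEHOLDER_B", access_key: { nonce: 9, permission: "FullAccess" } },
  { public_key: "ed25519:PLACEHOLDER_C", access_key: { nonce: 1, permission: { FunctionCall: {
      allowance: null, receiver_id: "app.example.testnet", method_names: ["add_message"] } } } },
] };

for (const k of auditKeys(SAMPLE)) console.log(k.risk, k.kind, k.publicKey, k.notes.join("; "));
```

A key reported as `high` is the case the answer warns about: if an app's login step added it, a copy in local storage carries the account's full permissions.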