A strong critique of internet identity

Who here genuinely thinks Internet Identity is a good authentication mechanism? I mean honestly, there’s so much wrong with it, it’s hard to even know where to begin.

First off, anyone who places any value whatsoever on privacy is just screwed. Can’t create a passkey natively if you run linux, can’t even create one with your phone if you run GrapheneOS. You have to literally go out and buy a yubikey. Speaking of which.. I haven’t used one before, but as far as what I’ve read on them, they don’t even enforce a pin. So basically anyone who steals your key, if you keep it on your keychain, which many providers literally advertise, can easily access your funds. That’s ridiculous!

That doesnt even come close to the glaring security issues with passwordless loging with passkeys only. When you’re using them to access your amazon or facebook account, ok, that’s one thing, noone cares. When you’re using them as the means of accessing large quantities of your money, as in a crypto wallet (i.e the NNS), that’s an entirely different thing. I’m willing to bet my entire portfolio that a large percentage of ICP holders currently just have 2 devices set up as passkeys, like a phone and a computer, no recovery, and they keep both devices in the same house. One little housefire or robbery, and their entire ICP stack is gone forever. Not to mention that a phone in and of itself is chronically insecure. I could find out the phone pin or swipe pattern of literally any random person I know within a week by simply shouldersurfing if I cared enough to want to know.

Honestly, the last half year I’ve been connecting to my internet identity by setting it up originally on a windows machine first, set up a recovery phrase, remove the windows passkey, and then just log in on my linux machine by clicking recovery every time and fetching the seed phrase from my password manager. Which of course has its own set of security considerations. Honestly Dfinity couldn’t provide the option of one seed phrase for login, and one that can be locked for recovery? Couldn’t have been that much harder implementation wise…

And I just created a mock account on id.ai to test out Internet Identity 2.0 on a windows machine, and they completely removed the option of even setting up a recovery seed phrase in the first place, what the actual duck -_-

Then as the cherry on top… You don’t even require authentication for transactions on the NNS. Once logged in you have full control over all nonstaked funds. We are lucky that noone currently cares about ICP, because if there was any meaningful level of adoption, thousands of people’s life savings would’ve been stolen by now by a simple RAT on their computer. The NNS layout has changed like 5 times already over the past year, and still this hasn’t been added. There’s no excuse for not having implemented this yet by now. It’s basic wallet mechanics 101. Get a clue Dfinity!

Hi @linux556,

As a fellow Linux user, I share the pain of not being able to use passkeys tied to the laptop natively. This isn’t the fault of Internet Identity, and not even Chrome - it is lack of necessary and unified components in Linux that allow for passkeys to work:

1. TPM-backed storage
2. System biometrics
3. user consent UX.

There are other options, though:

1. Google Password Manager (since you are using Graphene OS, it is unlikely that you’d use it)
2. Phone for QR/BLE connectivity (I presume this doesn’t work out of the box on Graphene either)
3. Yubikey and other hardware tokens
4. Third-party managers (1password, bitwarden) - I suppose you aren’t fan of those either.

So for Yubikeys, you should be able to install PIN for FIDO2 connections. I won’t be able to advise on the token handling in NNS itself or NNS redesigns, but I’d recommend using a hardware wallet (e.g. Ledger) to keep your unlocked tokens since NNS does support them.

By the way, I recommend Proton Pass (Passwordless Authentication and Login | Proton) as a password manager with Passkey support. As a former Proton engineer, I can assure you Proton does stay truthful to its promise of encrypting everything on the client side across its whole product portfolio.

Thanks for that protonpass tip, just tried it and works as it should. So it at the very least allows me to create an identity directly on my linux machine, which for my purposes solves most of my personal issues. At least for 1.0. Are there plans to incorporate seed phrase recovery in Internet Identity 2.0?

However, it still doesn’t change my fundamental criticism though. Ordinary people are gonna end up screwing themselves with this system. And adding Google as an authentication option as is the case for 2.0 imo only aggravates the situation rather than ameliorating it. The primary authentication mechanism should be a seed phrase. With an optional secondary recovery phrase that can be locked.

I already made 3 threads about this topic. Privacy and security respecting users just can’t use Internet Identity.

Doesn’t work on GrapheneOS, doesn’t work on QubesOS, and sometimes doesn’t work on spyware bloated devices.

This is probably the best way to do it right now and it’s ridiculous.

Many privacy advocates distrust Proton for good reasons. Just yesterday they proved once again that the distrust is justified. Nonetheless I tried ProtonPass (and Bitwarden) on GrapheneOS and couldn’t get it to work with II.

I hope Dfinity will give us an option that works on ALL devices like username, password and the optional authenticator. This way I can choose what device I’m using and I’m not forced into a spyware bloated surveillance device.

You should be able to at least connect to the NNS dapp in Qubes. Haven’t tried Qubes specifically myself yet, but I got it to work in tails’ tor browser by changing the webauthn property in about:config to enabled. So I assume it’d work in Qubes as well. Other dapps like openchat, icpswap, etc, didn’t end up working though.

^
connected with recovery seed phrase in tails. didnt get it to work with any passkeys.

Happy to chat about it in Watercooler.

You’re missing the bigger picture here. Passkeys aren’t some experimental tech - they’re already protecting billions at Coinbase, major banks, and other financial institutions. If passkey authentication was fundamentally broken, we’d see massive exploits by now. We don’t.

ICP implemented this years before it became the industry standard.

Your Linux/GrapheneOS complaints aren’t really about Internet Identity - they’re about your choice to run systems that deliberately limit mainstream security features. You can’t blame DFINITY for Linux’s fragmented passkey support or GrapheneOS blocking Google services.

On the recovery seed removal - that’s actually moving toward better security patterns. Seed phrases are a UX nightmare and a massive attack vector. Most people store them terribly.

The “no transaction authentication” point has merit, but that’s more about NNS wallet design than Internet Identity itself. Those are separate systems.

Look, no auth system is perfect. But passkeys solve real problems with passwords and SMS 2FA. The major players wouldn’t bet their businesses on fundamentally flawed tech.

The only reason why passkeys are “protecting” people is because most people have zero knowledge when it comes to security. They fall for obvious phishing mails and have zero regard for selecting safe password. Give them the option and they’ll choose the password “password”. Make them add a number and they’ll choose “password123”, make them add a special character and they make it “password123!”.

Passkeys protect noone but stupid users, and because there are more stupid users than security aware users you get the situation where passkeys protect more people statistically speaking. For security aware users they are a massive downgrade compared to a username+password scheme combined with potentially 2fa. So to not even provide such an option in web 3, which I would argue consists of a larger percentage of this latter group of people compare to the general population, is a major slap in the face imo.

If I remove my fingerprint setup on my device, then I need to use a pin instead. The pin is attached to my device (the same pin wouldn’t work on a device that isn’t mine). This means to authenticate with passkeys I can either provide:

• Something I know (pin), &
• Something I have (device)

Or alternatively (optionally)

• Who I am (fingerprint) &
• Something I have (device)

I don’t understand why you think passkeys are insecure. You can choose to use a pin (much like a password, except it only works on a specific device). This is more advanced and secure than an all powerful password (not tied to a specific device).

I have linux on one PC and a hardware wallet gets the job done with Fido. No issue with that. Using Yubikey mostly for backup and mobile access. I like II. The problem isn’t in it. All CEX users with millions in their accounts get secured the same way. Devs could add another protection when funds are being withdrawn the same way CEXes do it. II is currently great for apps that don’t require tokens right from the start. To get better protection - put your Chrome extensions in disabled mode unless enabled. I don’t think the future is in extension wallets - one regulation and a lot of these will be deleted. Then whoever is left will have all crypto users and their funds. These users should be part of the app, not gifted to a third party centralized extension wallet. Hardware wallets - not really mainstream. The problem is, other chains rely on extensions and people are used to them, but the reality is, they arent more secure than a dapp using II.

In case attacker has access to change files - both fail. They could replace extension files or change your entire browser. Here the second one is harder, so II provides a better protection. Popular extension wallets get even more unsecure - bigger honeypot. On mobile devices II is superior, these are much harder for attackers to hack into.

Supplychain attacks. Both fail again as recently demonstrated. Again popular extensions are always the first targets. Trying to target many custom dapps is way harder. Even hardware wallets wont help much, because probably nobody reads what they are signing and compares addresses and contracts.

The most secure way: II on a desktop with two factor signing messages on a mobile device with II. Provided that the dapp didnt get supply chain attacked in both places, that would be better than hardware wallets - much better messages visually when signing and everyone has a mobile phone. Also both need to be DAO governed and open source. Hardware ledgers are mostly not. That would be best if someone is working with large amounts. If the user has no PC - just mobile is the way to go for decent security.

Well originally I was under the impression that it was only a ‘something you have’ mechanism, didn’t know you could set it up to enforce a pin on a yubikey.

However even when knowing this, I still think it’s insecure. Just that it CAN BE MADE secure. What makes it insecure is the same reason why big tech says that passwords are insecure. People choose the easy option. Normal people aren’t gonna go out and buy a yubikey. They’re gonna use their phone as passkeys and that phone is secured with either a simple pin, or a simple swipe pattern.

And for security aware users it’s just annoying. Why do I need to go out and buy a yubikey. Just give me username+password with PGP based 2FA, along with a lockable recovery phrase. It’s easier, free, doesn’t require me to haul a yubikey around, and is identical, if not slightly better, in terms of level of security compared to a pin-yubikey passkey setup. I’d even settle for it being hidden by default and require me to do an extra ‘advanced options’ click every time I wanna sign in.

And most importantly… it works.

What are the plans for id.ai regarding recovery phrases? Will it still be implemented?

And will the old II login still work and be active or will Dfinity cancel it at some point?

I don’t use a yubikey. I use a …

[…] phone as passkeys and that phone is secured with either a simple pin, or simple swip pattern [fingerprint]

Except my pin is complex (not simple). Why do you think that’s less secure than …

username+password with PGP based 2FA

It’s the same principle:

• Something you know, &
• Something you have

(post deleted by author)

I was talking about the average user. That you’re an exception who actually tries to secure their phone access properly does not really matter all that much. But if you really wanna go there… even in your case it’s less secure. Pegasus malware supposedly can compromise any android and iphone. So at the very least you are wide open to the threat of state actors.