Bring back the legacy sign‑in method with separate Internet Identity anchors!
The new unified ID 2.0 model, linked with Google and Apple, compromises decentralization and user sovereignty.
Many of us intentionally maintain separate anchors for higher cybersecurity — please restore the Legacy sign‑in option and allow opt‑out from Big Tech logins.
You can just use a passkey; it doesn’t have to be Google or any other one. II2.0 is compatible with all the features of 1.0.
I think the team should make a better user guide for ID2.0 users to better understand. Most ppl don’t fully understand how to use.
From my testing that doesn’t seem correct, at least on Android: passkeys are directly linked to the Google Password Manager, and removing that link makes the passkey invalid. The II 1.0 method didn’t have any links to GPM.
Hi @vavram, you’re raising a great question.
Passkeys require a WebAuthn-compatible authenticator, which on most devices is provided by an OS-integrated passkey manager. Google Password Manager is indeed the standard for Android. Similarly, the Apple standard manager is the (iCloud-based) Apple Passwords. However, what’s important to know is that you can choose an alternative passkey manager if you wish. For example, 1Password works on both Apple and Android devices. Or one could use a YubiKey for a passkey manager without a cloud synchronization feature.
Cloud synchronization keeps passkeys end-to-end encrypted, meaning vendors cannot directly access or modify them. While platform account controls still exist, this offers substantially more user autonomy than OpenID sign-in, where the identity provider can directly block authentication. (But Internet Identity 2.0 supports OpenID for users who prefer that, e.g., coming from Web2.)
In the early WebAuthn days, credentials were typically device-local and non-syncing; modern passkeys add secure synchronization and cross-device usability. Opting out of having an authenticator is not possible anymore, but users can still avoid cloud-synced or OS-managed passkey managers by using hardware security keys. Note that Internet Identity has been amongst the very first projects to adopt passkey technology, and we’ve been evolving side-by-side. Admittedly, there’s still room for improvement, but today’s passkeys are much more sophisticated and arguably a better technology than when they were first introduced in the legacy II.
It’s still possible on Huawei devices running HarmonyOS, for instance, where credentials are still “device-local and non-syncing” as long as the user opts out of cloud-sync, so that’s factually incorrect. That means II 2.0 could theoretically offer parity with II 1.0 as an option for the user.
Personally I neither need nor want any cloud-syncing for my credentials. If I want to store them in the “cloud” I can encrypt them myself and save them there.
Try my method, you will be able to use it without Google.
Read it all and you should understand.
I tried every method there is and on Android it’s not possible to use passkey without Google Password Manager. If you think you’re not relying on Google anymore, just go to Manage identity on your Android device and Google Password Manager should appear under Access methods:
Clear your cache on the Android unit, assuming you have a recovery phrase ready and working for safety.
Follow this.
This is from my Android phone, as you can see used now.
No Google attached, pure passkey via Android.
Typically, when it gets added it's called Unknown. I changed mine to FF fon, just because I know which browser it is, in this case Firefox Phone (Fon).
I see you have an unknown unit below. What is that from? If so, just try removing the passkeys (all of them you are not aware of or can't remember; keep one on desktop), and now try the method above.
If you still have trouble, follow the entire guide from first step till last I posted in the other thread.
It’s from the Huawei device that supports “device-local” passkeys without any syncing as I previously said. Thanks for trying to help, but in my case I’m fine with just moving all liquid tokens to a new II only linked to the Huawei device.
That is correct. I did exactly this a few months ago and had to jump through hoops to correct it. The passkey got added to Google Password Manager, despite my having my third party password manager available and its being the default. So I went to my PC and then discovered there was no immediate way of using II 2! I needed to add another passkey. To do that I had to switch to Chrome (installed but not my default browser), install the third party password manager I use, log into II 2 via Google Password Manager, add a new passkey to my third party password manager and then I was good to go in my default browser and other browsers where I have my third party manager available.
With hindsight, I should have started the upgrade in my default browser on the PC, which would have auto-popped up my third party password manager.
As I understand it, Apple, Google and Microsoft only know that you have an Internet Identity and nothing else. They can’t track you.
However, they can deplatform you, so you need, at minimum, a recovery phrase and ideally additional passkeys stored outside their ecosystems.
It’s not even about malicious intent but the possibility of security exploits existing in the cloud platform which increases the attack surface compared to only having the passkeys stored locally on the device.
Store the passkey on a yubikey
Fortunately I don’t have to do that, as there are more convenient alternatives that only store passkeys locally, as I previously mentioned.
This is from caffeine btw
I actually don’t blame you. I don’t exactly trust storing my keys on big tech cloud either.
One day if quantum does come out, the current encryption everywhere will be at risk (but hopefully ICP will be a step ahead at that point).
But yeah I don’t see the problem with the original II 1.0 at all and the number but obviously multiple identities becomes more of an issue for some and since we did away with the usernames and passwords, it’s the final thing they wanted to eliminate and to allow people to backup on big tech cloud just makes it easy for the masses.
The more we want to distance ourselves from big tech cloud, the more it seems impossible with their monopolies unless DOM really does do Endorphin OS at some point.
We have now traded a number for a username/nickname however the username/nickname is only for reference and is not an equivalent to the previous identity number correct? Also, it is not shared during login I hear? So we still eliminated the usernames…
Anyone now have the ultimate solution to do away with the passphrase itself as well and have the system link a pure biometric to the crypto keys? (just kidding…)
I think Scam-Alt-Tab-man had an idea on that one, still going afaik.
Fun fact: apparently, apart from the human eye structure being a UID - the chocolate eye also has a unique signature that can be scanned to provide proof of identity. Don’t ask me why I know this.
Carry on, I’ll see myself out.
Everyone is now forced to use II 2.0, though it’s not addressed that:
- OAuth is less secure and less private, and passkeys are not harder to use, OAuth is just more familiar. I don’t see why adding it, especially since I didn’t see the community asking for it. For marketing and attracting new users? Frankly, it seems that II 2.0 didn’t attract many new people and just created unrest in the community.
- No way to opt out of OAuth in II 2.0 for developers or for users to disable it as auth method for their II account: it lowers the minimal security level for apps without giving developers control over it or providing an alternative. I remember concerns that giving developers such control might give information about what people use for auth, but it seems to me that introducing OAuth itself created a possibility of such a problem existing, and it seems strange to see that this argument was used in a discussion about concerns about lowering security by introducing OAuth and giving back the higher security options for auth by only using passkeys



