Immediate Action to Protect Internet Identity w/ Seed Phrases

@skilesare @bjoern I think it’s reasonable to make this an opt-in feature and the default moving forward.

3 Likes

I think this is beyond the scope of the proposal. My gut reaction would be to avoid that, since you really should never be entering a seed phrase into a device connected to the internet.

But again, there are many ways to improve the situation, but we want to get the minimum viable fix out soon; this vulnerability has been haunting me for too long.

6 Likes

Good point on making it opt-in, perhaps something like this?

Opt-in checkbox upon seedphrase generation

No change to Anchor Management screen

Instead of simply allowing the user to delete their seedphrase, if the user opted in to seedphrase re-entry prior to deletion, force re-entry

6 Likes

I think it’s important that you can opt-in to the seed phrase confirmation for removal on an already-created seed phrase.

8 Likes

Makes sense, we could do something like adding an icon to the recovery phrase row and on click, display a similar modal to the one for “Remove Seedphrase” that describes what this would do.

6 Likes

Bjoern’s comments on this from a previous thread:

3 Likes

I’m in favor of doing this.

I think it generalizes to “You can only remove a device/seed phrase by proving it’s in your possession”

In the case of both devices and seed phrases, it would mean that you could never remove them if they become lost or stolen. Methods of marking them as such could be introduced but they could also be used by a malicious actor with a compromised device.

3 Likes

Good point, just wondering if that already requires entering the seed phrase?

I would be in favor of no as it is currently unprotected.

I think you’re absolutely right that two levels are the future proof way of doing this. But it’s better to have a simple solution with improved security right now.

This can be moved even further with multi level and more fine grained control over devices. But this will certainly take significantly more time to implement.

We propose this to have a short term solution.

2 Likes

I like @dostro’s design showing the padlock in the management screen. I think that may be the right way of presenting that to the user.

I don’t think it’s reasonable to implement an intermediary solution in the backend. The additional complexity over the opt-in locked recovery phrase is minimal, but the effort to implement a partial solution and then generalize later may be significant.

For the frontend, things are a bit different. Migration is easier, so we could go with a simplified solution first. But there’s actually a variant that has much better security properties than the plain recovery phrase: Using a Ledger hardware wallet with the FIDO U2F app as web authentication mechanism and using that as the recovery key! (You get back-up security since the key is derived from the seed phrase as well, but you never have to enter/read the seed phrase on your computer.) So I think whatever we build for the recovery phrase should also work for that type of setup as well.

@frederikrothenberger @nmattia please also chime in with your perspective on implementation complexity.

1 Like

I totally agree with this. Very confused: when you want to delete the seed phrase, you just press the x, and then it disappears right away; that’s not good for security.

2 Likes

@lastmjs
Here’s a situation that would give me pause to approving this proposal.

Let’s say I wrote down my seed phrase somewhere, and I lose it. I don’t know that it was destroyed, but I know that I lost it. If this proposal passes, I will have no way of generating another seed phrase, and if my seed phrase is found or stolen by someone else, they have access to my account. I will be worried for the rest of eternity that someone will find my seed phrase and do who knows what with it.

I think you may want to change the proposal to require that 2 access points must be used to create a new access point, reset a seed phrase, or delete any other points of access to an identity.

If the identity only has 1 access point (the user only has 1 key/device), then a single device can create new access points, reset the seed phrase, and perform all capabilities. Once there are now 2 access points (not including the seed phrase), the user is required to use 2 access points for any of the create/reset/delete access point capabilities.

I’m thinking this would be like Internet Identity’s version of 2 Factor Auth.

A few examples:

  • I lose my seed phrase → (I can use two devices to reset it)
  • I lose all of my access points → (I can use my seed phrase to log in and create new access keys)
  • I had >= 2 access points and then lose my seed phrase and all of my access points but one → (You are SOL on creating new access points or resetting your seed phrase, but can still access your identity through this single point of access, better not lose this access point buddy)

I think this does a good job of protecting identities that have done the legwork to create more than one access point into their identity, without screwing those of us that do a great job safeguarding all of our identity keys, but accidentally lose our seed phrase.

5 Likes

One issue/hole I see with my solution above is the case I’ve quoted, where an attacker could use a seed phrase not to delete devices, but to quickly add enough devices until they meet the 2 device threshold required to lock people out.

I think there’s potentially a way to stall such an attack, such as new devices cannot vote to delete or reset any old devices for a particular amount of time, or one can only add 1 new device per week, but I’m wary to go down either of these solutions as they introduce additional complexity.

I’m going to let my concern and idea above just sit for awhile, and maybe the community can find a solution for the situation where I lose my seed phrase.

2 Likes
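The two-access-point rule and the seed-phrase hole from the two posts above, modelled as an added example (not part of the thread and not Internet Identity's code). The `Anchor` class, the action names, the one-week `WEEK` delay and the rule that a seed phrase alone may only add devices are assumptions made to get a runnable model.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # assumed delay; the thread names no fixed value

@dataclass
class Anchor:
    devices: dict = field(default_factory=dict)  # device name -> time registered (s)
    has_seed: bool = True
    cooldown: int = 0  # seconds a new device waits before it may approve actions

    def allowed(self, action, signers, now):
        """action: 'add' | 'remove' | 'reset_seed'; signers: set of credentials used."""
        # Assumption: the seed phrase alone may only add a device (the second
        # example and the hole in the follow-up post both rely on this).
        if action == "add" and "seed" in signers and self.has_seed:
            return True
        # Threshold is set by *registered* devices, not the ones still in hand.
        need = 2 if len(self.devices) >= 2 else 1
        voters = {d for d in signers
                  if d in self.devices and now - self.devices[d] >= self.cooldown}
        return len(voters) >= need

    def add(self, name, signers, now):
        ok = self.allowed("add", signers, now)
        if ok:
            self.devices[name] = now
        return ok

    def remove(self, name, signers, now):
        ok = name in self.devices and self.allowed("remove", signers, now)
        if ok:
            del self.devices[name]
        return ok

def takeover(cooldown):
    """Stolen seed phrase: two devices are enrolled, then used to evict the owner."""
    a = Anchor(devices={"laptop": -10 * WEEK, "phone": -10 * WEEK}, cooldown=cooldown)
    a.add("evil1", {"seed"}, now=0)
    a.add("evil2", {"seed"}, now=0)
    evicted = a.remove("laptop", {"evil1", "evil2"}, now=60)
    # Owner reacts an hour later with the two original devices.
    owner_recovers = (a.remove("evil1", {"laptop", "phone"}, now=3600)
                      and a.remove("evil2", {"laptop", "phone"}, now=3600))
    return evicted, owner_recovers
```

`takeover(0)` returns `(True, False)`: without a waiting period the owner is locked out, because the threshold stays at two while only one of their devices is still registered. `takeover(WEEK)` returns `(False, True)`: the waiting period gives the owner a window to remove the new devices.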

Also making the YubiKeys require a 6 digit pin to log in on top of touching the physical button

Was like this at first (June 2021) and suddenly stopped asking for the pin.
Would be really great to have this back.

1 Like

First thank you @lastmjs for starting a new thread. I hated the idea of continuing the old one, as the title was extremely misleading.

Regarding the proposal to make the Seed Phrase somehow “promoted”, I have a couple of thoughts:

  1. I like the idea of having to confirm possession of an “admin” device to remove devices. (with caveats)
  2. I don’t like the idea of being forced to use the seed phrase as an admin device. I would prefer to be able to choose what device is promoted as an “admin” device.

Caveats:

  • I don’t know if it’s ok to force or make this behavior the default one. I’d prefer this be an opt-in feature.
  • While seedphrases have been used as the de facto standard in other blockchains, there are a few things to consider here. First, this seedphrase is generated by a 3rd party, and it is being displayed on your monitor, in your browser. Some users might have a problem with this flow, and I believe it’s a reasonable ask to be able to “own” every device you choose to use.
  • There are better (IMO) alternatives to the seedphrase. Ledger provides a FIDO U2F app that can be installed on your Ledger, and you can use it as a regular U2F key (like YubiKey etc.). What’s nice about this feature is that the master seed phrase of the Ledger will generate the same U2F keys, allowing you to use a device that can be restored even if lost. Coupled with the fact that Ledger’s seed phrase is generated 100% off-line and not displayed on any computer, it is, IMO, a better solution for security paranoid conscious users.

It would be nice to be able to choose what device is designated as “admin”. It would make sense to support more than the default seed-phrase, if it’s possible and not too much work to implement.

3 Likes

Generally in support of this idea moving to next steps.

But like these suggestions too…

Can we have two or more seed phrases simultaneously for each II anchor? Then:

  1. You must have a seed phrase to delete a device.
  2. You must have a seed phrase to delete the seed phrase itself.
  3. You must have all existing seed phrases together to generate a new seed phrase.

Now, if one of your seed phrases is stolen, the thief cannot delete your other seed phrases, but you can delete that seed phrase immediately and then generate a new seed phrase.

(Note: A seed phrase is not considered as a device here.)

Respectfully, that is really overcomplicated lol

You can still have just one seed phrase, but if you want, you can make your account much safer by using multiple seed phrases. This can be especially useful for the 8 year gang.