Immediate Action to Protect Internet Identity w/ Seed Phrases

Why can’t we turn an existing seed phrase into a seed phrase protected?

That (Why can’t we turn an existing seed phrase into a seed phrase protected?) would be great! I dont relish the thought of going through my “globaly distributed seed recovery mechanism” for DR.

Simply because this thread has highlighted for me the community’s desire to keep II slim, which for me translates to “small, incremental changes”. It’s also arguably a bit more secure to wipe your insecure recovery phrase in favor of a protected one that you can be assured at that moment only you have access to.

In favor of incrementality, I’d vote to build protection in first and convenience in next. Counter arguments?

1 Like

Because right now seed phrases can be deleted / changed.

There surely exist some users who still have access to their WebAuthn Credential (YubiKey / Biometric login) but no longer know their seed phrase. There might even be users who know, that they have lost access to the seed phrase but still did not update it (for whatever reason). And by just locking everyone’s seed phrase we will create a lot of unhappy users unable to use the seed phrase feature at all. This is why the seed phrase locking feature has to be opt-in (and imho should require proving that you still have access to it, again because otherwise people will soft-lock themselves out).

Internet Identity should be an unopinionated platform that everyone can use how they see fit. We recognize that right now there is a deficit in functionality for those users who would like to differentiate the access levels of their different devices / recovery mechanisms. It is a very high priority in our team to solve this.

Nevertheless, it is important to not make changes that

  • limit the design space in the future in overly restrictive ways
  • cause disproportionate amount of maintenance effort
  • harm / restrict users

This is why we need to be careful about this change and cannot just lock everyone’s seed phrase.

I’m asking why we can’t choose to turn an existing seed phrase into a seed phrase protected, I am not suggesting we update all seed phrases to become seed phrase protected.

I just want the option to update my current seed phrase to a seed phrase protected.

@dostro if it isn’t as simple and would possibly be a bit more secure then I think it’s fine to proceed with the simplest possible implementation that gives the users the option to create a seed phrase protected. But I also don’t imagine it wouldn’t be that difficult to add the code to upgrade an existing seed phrase to a seed phrase protected.

Here’s the thing I was careful when creating my phrase and have multiple backups and everything. Now I’ll have to redo it instead of just clicking a button. That’s my personal bias.

5 Likes

+1

I think 2FA adding/removing devices/phrases and Social Recovery are better choice for users

1 Like

Ok how about this - since Internet Identity doesn’t have a concept of “update device” and since we want to make minimal changes to the backend, we could handle this from the frontend since a recovery method is just another public key:

  • User chooses to convert seed_phrase to seed_phrase_protected in the UI
  • UI retrieves the seed_phrase public key from lookup()
  • UI adds the public key as a device with seed_phrase_protected keytype
  • UI removes the seed_phrase device

I don’t think we need to ask the user to re-enter their seed phrase for this procedure because if an attacker is going through this process, they can easily just remove the seed phrase and add their own seed_phrase_protected

Hi all, got some news!

Identity Labs, Internet Identity and @lastmjs met yesterday to discuss this; made a lot of progress including an implementation plan! I’ve started a new thread for anyone curious about the plan and progress.

There were some questions asked here that I think would be good to clarify once and for all, so I’ve also updated the FAQ. Should be live early next week.

Finally, we’re making progress internally on allowing external contributions to the Internet Identity repo, just pending some approvals. I’ll send out more info as soon as that’s done!

5 Likes