The FIDO app on the Ledger Nano is a great recovery mechanism for Internet Identity, but mostly because you can have a backup of the keys (which you cannot have with most other FIDO devices like a Yubikey). The security properties are not fundamentally different from other web authentication devices that support user verification, because you cannot actually validate the contents of transactions.

The ICP app on the Ledger Nano that you can install today supports only a fixed set of transactions for the governance and ICP ledger canisters. The next version, which is in review with Ledger literally at this very moment, adds more generic support for some SNS and ICRC-1 transactions (as per this PR).

We are currently designing a scheme that allows any canister on the Internet Computer to use the ICP hardware wallet app for securely displaying and signing transactions, and that would work as follows:

  • The canister developer specifies for each pair of (canister id, method name) a schema for rendering the parameters. That would likely be a transaction name and a structure that specifies for each field of the Candid argument whether it should be displayed and the title that should be used. (We need to devise a format for this; this actually is the main open design task.)
  • The canister then signs said schema with the IC’s threshold ECDSA signature method.
  • The dapp front end sends the unsigned transaction along with the signed schema to the hardware wallet.
  • The hardware wallet derives the canister’s ECDSA public key from the IC’s ECDSA root public key and the canister id, and verifies the signature on the schema. It then uses the schema to display the transaction to the user, and signs the transaction when the user approves.

How does that sound?

4 Likes
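
The wallet-side check from the scheme proposed above, as an added example that is not part of the original post and not DFINITY's or Ledger's code. Assumptions: the JSON schema layout, the function names (`signedBytes`, `signSchema`, `renderForApproval`), the length-prefixed binding of canister id and method name into the signed bytes, and the rule of rejecting arguments the schema does not list are all choices made for this example; a locally generated secp256k1 key pair stands in for the canister key that the post derives from the IC root public key.

```javascript
// Added example; schema layout, field names and ids are constructed, since the
// post says the real schema format is still to be designed.
const nodeCrypto = require('node:crypto');

// Stand-in key pair. The post derives the canister's public key from the IC root
// key and the canister id; that derivation is not reproduced here.
const canisterKey = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

// Signed bytes: length-prefixed canister id, method name and schema, so a schema
// signed for one (canister id, method name) pair does not verify for another.
function signedBytes(canisterId, method, schema) {
  const parts = [canisterId, method, JSON.stringify(schema)];
  return Buffer.concat(parts.flatMap((s) => {
    const body = Buffer.from(s, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

// Canister side, simulated locally with the stand-in key.
function signSchema(privateKey, canisterId, method, schema) {
  return nodeCrypto.sign('sha256', signedBytes(canisterId, method, schema), privateKey);
}

// Wallet side: verify the schema, then build the screen lines. Fails closed when
// the signature is bad or the arguments do not match the schema's field list.
function renderForApproval(publicKey, tx, schema, signature) {
  const msg = signedBytes(tx.canisterId, tx.method, schema);
  if (!nodeCrypto.verify('sha256', msg, publicKey, signature)) {
    throw new Error('schema signature invalid for this canister and method');
  }
  const argNames = Object.keys(tx.args);
  const extra = argNames.filter((n) => !schema.fields.some((f) => f.name === n));
  const missing = schema.fields.filter((f) => !argNames.includes(f.name));
  if (extra.length || missing.length) throw new Error('arguments do not match schema');
  return [schema.title, ...schema.fields.filter((f) => f.display)
    .map((f) => `${f.title}: ${tx.args[f.name]}`)];
}

// Constructed sample schema and transaction.
const schema = { title: 'Transfer tokens', fields: [
  { name: 'to', display: true, title: 'Recipient' },
  { name: 'amount', display: true, title: 'Amount' },
  { name: 'memo', display: false, title: 'Memo' }] };
const tx = { canisterId: 'aaaaa-constructed', method: 'transfer',
  args: { to: 'bbbbb-constructed', amount: '100', memo: '7' } };
const sig = signSchema(canisterKey.privateKey, tx.canisterId, tx.method, schema);
console.log(renderForApproval(canisterKey.publicKey, tx, schema, sig).join('\n'));
```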