I found this kind of confusing. I ended up just naming the duplicate device with “(identity.internetcomputer.org)” at the end of the name so that I could tell them apart.
3 Likes
The architectural choice between an recovery phrase vs FIDO/Security Key as your primary (and only) recovery mechanism has to do with longevity. The recovery phrase will far out-live any man-made device. Of course the recovery phrase must be guarded (or in my case distributed) so that it is intended to last for generations.
The implementation decision of this architectural choice is poorly thought through for nns from a security context; although easier from UX context.
In context of quill, for example, it is possible to have air-gapped machine with the pem file producing a signed message, displaying that through a qr code ; which can instruct through a connected machine.
Thanks for the update. I haven’t read all of the comments in this thread.
I thinks it’s important to reflect on the design of II. It seems almost unbelievable to me that the design allows a user to possibly lose their II if a domain name disappears.
I think this should be scrutinized and mitigated somehow, quite unnerving. A self-sovereign identity should not be inextricably linked to a centralized naming service.
25 Likes
Yes, it is quite unnerving. The first I heard about this was last year in discussing with @skilesare et al at a dinner last year.
The saving grace is the fact that the recovery phrase is the self-sovereign identity. Other mechanisms are vassals of the sovereign identity.
A hardware wallet/security key can still have a seed phrase, difference is it is generated inside an airgapped device with a TPM and it never leaves it whenever you need to actually use the seed. Also I have to worry about safely storing only 1 seed for all cryptos instead of 1 per chain.
My hw wallet might break but I still have the seed phrase safely stored, so no problems about longevity either.
Up until now I was under the impression that as long as I didnt lose my hw’s seed and the II anchors used by the specific dApps I would always have access to my stuff.
I’m clearly missing something but why is the seed needed at all? Why can I recover an ETH wallet using a security key but for II I must use the seed phrase? I could understand if it had to do with principals changing between URLs but now dApps can support multiple domains.
Anyhow it is a serious oversight that one could lose access like this and many community members had warned it could happen months ago. Hopefully it’ll get fixed/mitigated in a timely manner.
1 Like
The recovery phrase wasn’t even part of the original design.
2 Likes
I landed in the same problem area… Because I skipped the solution mention by @diegop 
Setup your Internet Identity anchors to be usable with the newly introduced URL identity.internetcomputer.org
(How to set up your Internet Identity on the new domain ) Please note that we are working on UX improvements that will make the process easier.
Context:
- I have an Internet Identity with Seed/Recovery phrase and multiple devices (Brave Browser Profiles & multiple Apple Devices)
- I navigated to https://identity.internetcomputer.org (Brave Browser)
- Clicked “Manage Existing”
- Selected “Lost Access?”
- Entered existing anchor in “Enter anchor”
- Entered existing Seed/Recorvery phrase + clicked “Continue”
- I get redirected to “Manage your Anchor” on “https://identity.internetcomputer.org/” there I see all my registered devices from “identity.ic0.app”
Problem with nns.internetcomputer.org
- I navigated to https://nns.internetcomputer.org/
- Selected “Sign in with Internet Identity”
- Got redirected to “Create an Anchor”
- Selected “Use existing”
- Entered the existing anchor
- Clicked Continue
here I got stuck in browsers select the Passkey modal
Workaround to get nns.internetcomputer.org authentication working (step by step)
- Login with existing Internet Identity anchor on https://identity.ic0.app/ with clicking “Manage Existing”
- Add existing anchor + click “Continue”
- You then will see “Manage your Account” on https://identity.ic0.app/
- Click “Add new device”
- Click “New Browser”
- Switch to your “New device/Browser profile” that should be added (let the identity.ic0.app on existing device open)
- Open identity.internetcomputer.org
- Select “Manage Existing”
- Select “Add a new device”
- Enter your existing Anchor
- Name the new device (hint suffix with: ‘(inter…puter.org)’)
- Click “Continue”
- Perform Browsers add passkey flow
- Add your presented “Verification Code” to existing device + Click Verify Device
- Move back to new device and login to https://nns.internetcomputer.org/ with your existing anchor
7 Likes
The core issue, I believe , has to do with the manner of implementation on these browser wallets. Since browsers can be hacked, it was thought (and legitimately) that one could remove all of the authentication devices and install only those devices recognized by the hacker. Using a “locked” recovery phrase will give some semblance of security …in a “secure” setting. Also not every one has a security key(i.e. an ledger).
@LightningLad91 Indeed it wasn’t a part of the original implementation. But fortunately there was a diligent effort by the community to add in this phrase protection.
As @dfisher points out, this is a blessing in disguise. Because now we are seeing decentralization unfold before our own eyes.
2 Likes
Seed phrases weren’t there at the beginning of the network. Anybody who wanted to back up there identity then had to use an additional device and they might not see this update in time.
I’m not that knowledgeable about webauthn but do credentials still work when you switch to a custom dns server?
Then the foundation could potentially setup a custom dns server that resolves ic0.app so that there is always a way to recover your identity.
5 Likes
Not everyone has biometrics either but that hasn’t stopped Dfinity from making them mandatory to use II.
I’m strictly talking about hardware wallets, which can be linked to browser wallets like Metamask, but just as a UI, the browser extension still inherits the device security cause the seed phrase never leaves it. But that’s beside the point, what I wanted to know was why the recovery option is only available by using the backup method that is by default more vulnerable and prone to attacks. Is it a design choice or are there technical limitations that lead to it and if so what could be done to solve them? Why is the recovery process needed at all?
Asking users to generate seed phrases on possibly compromised devices instead of incentivizing them to use a hw wallet or straight up not allowing those who have one to use it, is crazy to me. It’s a bad practice and completely counter intuitive cause it’s the opposite of what users are told in the entire crypto space.
2 Likes
Yes…and I believe the context was the SEC coming for the domain and not Spamhaus…so good that we are getting our ducks in a row now because the SNS is about to get a big fat spotlight on it. Let’s make ourselves anti-fragile to that threat. How do we make disruption work to our advantage?
@Fulco 's mention of a custom DNS server is super interesting. Back in the day, I used to hack my local DNS for developing on windows. Perhaps we need a simple program we can download to run DNS locally when we need to. I wonder how certs would work with that? Perhaps the IC is the solution here itself.
2 Likes
Thanks for the info. I have some comments/questions that might inform any upcoming UI/UX improvements.
In general I think it’s confusing that my existing devices and recovery methods are there and indistinguishable from the new ones I added through the new domain name.
I now have “duplicate” devices under “Added devices”. I would find it helpful if the relevant domain name was shown there if possible.
Multiple places say that recovery keys must be re-added. Since we can only have one, it seems like we’re moving the risk from the old domain to the new one. Perhaps one per domain should be allowed.
2 Likes
We were very close…to hanahaus. 
Isn’t the issue that google is the top level resolver for .app?
1 Like
I have a question. If I have two devices (E.g My PC and phone) that can access to ic0.app. Do I must need to create recovery phase so both of my new devices can access to the new domain?
I don’t really like using recovery phase, it somehow increased the risk of getting my account stolen.
You don’t need to create a recovery phrase so that both of your devices can talk to nns through the new domain. But you should create a recovery phase.
In my migration, i do have a recovery phrase. I did not have to touch my recovery phrase to add the two existing devices to the new domain.
That recovery phrase is distributed in three continents…read: it’s painful for me to recreate my recovery phrase. But and consequently it is also very difficult for someone to steal my recovery phrase.
2 Likes
Hey folks,
First of all, thank you all for sharing this post wide and far.
Second, really appreciate all the comments, suggestions, questions.
I just want to let you know folks closer to II, boundary nodes, sdk, etc… are monitoring this thread (and I’ve pinged a few folks). I’ve deliberately left a few questions or comments unaddressed because I did not feel I had enough expertise to answer with full confidence, clarity of thought, and accuracy.
Thank you all for being a great community!
2 Likes
Thank you!
Just added my devices to new domain.
I’m increasingly concerned at the nonchalance with which entering seed phrases into internet-connected web UIs is encouraged by the security model of II.
I also am maybe more afraid of this migration than just doing nothing, considering the flurry of activity and complications of the setup/migration I’m seeing others point out (like having multiple devices that are really the same).
9 Likes
After recovered by phrase, I cannot add current device into my anchor. How to solve it?