Internet Identity 2.0

Dear Internet Computer Community,

We are thrilled to announce a significant leap forward for Internet Identity, our authentication service for the Internet Computer. We’re introducing Internet Identity 2.0, a complete redesign and re-engineering aimed at making decentralized authentication more accessible and user-friendly for everyone.

Why 2.0?

When Internet Identity first launched over four years ago, it was designed with web3 enthusiasts and blockchain users in mind. However, our vision for Internet Identity has always been much broader. We believe in providing a seamless and secure authentication experience for everyone, not just those familiar with decentralized technologies.

Identity Numbers: From Necessity to Obsolescence

When Internet Identity launched, identity numbers were a technical necessity, not a design choice. The WebAuthn standard at the time required applications to know the specific ID of a user’s passkey to retrieve it from their device. This meant we needed a way to store and retrieve these passkey IDs, leading to the creation of identity numbers as a simple identification mechanism.

However, this presented a challenge. If users forgot or lost their identity number, they were unable to authenticate. While this might have been manageable for tech-savvy users, it proved to be a significant hurdle for those less familiar with technology, leading to confusion and frustration.

The good news is that the landscape of passkeys has evolved. A new WebAuthn standard introduced “Discoverable Passkeys.” This innovative technology allows applications to request a user’s passkeys without needing a pre-existing identifier. With discoverable passkeys, the need for identity numbers has been eliminated.

What’s New in Internet Identity 2.0?

Internet Identity 2.0 brings a host of improvements designed to enhance your experience:

  • Completely Redesigned Interface: We’ve given Internet Identity a fresh, modern look and feel. The new design is intuitive and easier to navigate, ensuring a smoother user journey.
  • No More Identity Numbers: As explained above, discoverable passkeys mean you no longer need to remember or store an identity number. Logging in is now simpler and more streamlined.
  • Seamless Passkey Integration: We continue to embrace passkeys as the future of secure authentication. Internet Identity 2.0 leverages the latest passkey standards for enhanced security and ease of use.
  • Google Integration: While passkeys are becoming more mature, they are not yet mainstream for everyone. We’ve observed a 50% drop-off rate in our registration flow, indicating a need for alternative authentication methods. To make Internet Identity accessible to an even wider audience, we’ve integrated Google as an alternative authentication option.

Launch Plan: Phased Rollout Strategy

Our rollout strategy ensures a smooth transition while maintaining service continuity:

Phase 1: New Domain Launch (id.ai)

  • Deploy Internet Identity 2.0 on the new id.ai domain.
  • Users registered on version 1.0 will not be able to authenticate on this domain.
  • No changes in the old domains, which keep 1.0.
  • New users registered in id.ai won’t be able to log in to the old domains.

Phase 2: Migration Enablement

  • Make the new domain and 2.0 features available to existing users registered in version 1.0.
  • Existing users who migrate to 2.0 will be able to log in to the old domains.

Phase 3: Developer Adoption

  • Recommend to developers the possibility of using id.ai for new integrations.

Phase 4: Full Integration

  • Implement Internet Identity 2.0 features across all existing domains.
  • Complete the transition while maintaining service availability.
  • Retire legacy components once migration is complete.

Are You An End User?

You can create a new identity in 2.0 today at https://try.id.ai. It’s still early, so some functionality might be unfinished or missing at this stage.

Identities created in 1.0 are not yet usable in the new domain. We are working on a migration path. As mentioned in the launch plan, it’s our first priority at the moment.

Are You A Developer?

Internet Identity 2.0 is in beta release and not yet ready for production. We’ll notify the developer community once it’s ready for integration with existing production applications.

To integrate today:

Set https://id.ai as identityProvider in AuthClient.

Leave us your early feedback in this thread.

The Future of Internet Identity

Internet Identity 2.0 represents our evolution from a web3-first authentication service to a mainstream-ready identity solution that maintains the security and privacy principles that have made Internet Identity trusted by the Internet Computer community.

We are incredibly excited about Internet Identity 2.0 and the positive impact it will have on decentralized authentication. We believe this new version will pave the way for a more secure, accessible, and user-friendly Internet Computer for everyone.

Stay tuned for more updates, and thank you for being a part of our journey!

11 Likes
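
The two WebAuthn login flows contrasted in the announcement's "Identity Numbers: From Necessity to Obsolescence" section, as an added example that is not Internet Identity's own code. The relying-party ID, the registry contents and all function names are constructed for illustration.

```javascript
// Constructed sample data: identity number -> hex credential IDs of its passkeys.
const RP_ID = "login.example"; // hypothetical relying-party ID
const passkeysByIdentity = new Map([
  ["10001", ["a1b2c3", "d4e5f6"]],
  ["10002", ["0708090a"]],
]);
// Reverse index used by the discoverable flow: credential ID -> identity number.
const identityByCredential = new Map();
for (const [identity, ids] of passkeysByIdentity) {
  for (const id of ids) identityByCredential.set(id, identity);
}

const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
const toHex = (bytes) =>
  Array.from(new Uint8Array(bytes), (b) => b.toString(16).padStart(2, "0")).join("");

// Registration: ask the authenticator to store a discoverable credential.
function creationSelection() {
  return { residentKey: "required", userVerification: "preferred" };
}

// Legacy flow: the caller must say who is logging in before any credential
// IDs can be listed. A forgotten identity number ends the login here.
// `challenge` must be fresh random bytes issued for each login attempt.
function legacyRequestOptions(identityNumber, challenge) {
  const ids = passkeysByIdentity.get(identityNumber);
  if (!ids) throw new Error("unknown identity number: no credential IDs to offer");
  return {
    challenge,
    rpId: RP_ID,
    allowCredentials: ids.map((id) => ({ type: "public-key", id: fromHex(id) })),
  };
}

// Discoverable flow: an empty allowCredentials lets the authenticator offer
// any passkey it holds for rpId, so no identifier is needed up front.
function discoverableRequestOptions(challenge) {
  return { challenge, rpId: RP_ID, allowCredentials: [] };
}

// After navigator.credentials.get({ publicKey: options }) resolves, the returned
// credential ID identifies the account. The assertion signature must still be
// verified against the stored public key before the login is accepted.
function resolveIdentity(assertion) {
  const identity = identityByCredential.get(toHex(assertion.rawId));
  if (!identity) throw new Error("credential not registered");
  return identity;
}
```
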

Thanks Llorenç, great to see an announcement!

Currently, the wall of text has left me confused; mainly, from a user perspective, it’s unclear what we need to follow. As an end user, what do I need to do, or not do?

You stated:

As a result I have a couple of questions:

  • What does it mean for my existing II?
  • Do I need to do anything? When do I need to do it by?
  • Given there are no numbers how do I log-in onto device where my passkey currently is not stored? See screenshot below
  • Will II v2 enable multi-sig II?
  • Can we merge identities registered on id.ai with the II v1, or should we hold off until II v1 is supported in II v2?
1 Like

Thanks for the comment! Good point, I added an extra section “Are you an end-user?”

There is nothing special for you to do today. Only try it if you want.

Given there are no numbers how do I log-in onto device where my passkey currently is not stored? See screenshot below

We will be adding a similar flow in 2.0 as well. It’s just not available yet.

If the passkey is in a phone, you can use the QR code that appears when you click “Use an existing Passkey”. Scan it with your phone and follow the instructions.

Will II v2 enable multi-sig II?

It’s in the roadmap, but not a priority at the moment.

Can we merge identities registered on id.ai with the II v1, or should we hold off until II v1 is supported in II v2?

Instead of merging, we will support identities registered in v1 to log in to v2 with minimal changes. This is coming soon. There won’t be any new identity created in this process.

Merging multiple identities is also part of the roadmap, but first, we need to support identities created in any flow to authenticate in the other flow. That’s our priority now.

As we mention in the developer section, this is still in beta and not recommended for use for applications with existing users in Internet Computer. Only new applications.

1 Like

Thanks for sharing, I have a couple of questions:
1. If users can lose or forget their identity number (currently only 5-digit, 6-digit, or 7-digit numbers), then they may not be suited to living in the Web3 world, so I don’t think this is a reason for your team to give up the anchor number. Is it necessary to keep it instead of abandoning it?
2. How do we keep the mnemonic phrase? The current method is number + seed phrase; it’s a convenient way to store it, and I can log in on any device if I have the phrase.
3. Does the new change have a negative impact on existing users? As you mentioned, people have used II 1.0 for 4 years with no security issue till now. I understand the tech develops to update to II 2.0; can we have both methods?
4. Do you have any time schedule for these changes?
Thanks in advance.

We can forward ic0.ai to this if you wish

1 Like

Thanks for sharing your concerns:

  1. We want to address a more general public, not only web3 enthusiasts.
  2. We have an idea of how to implement this. In summary, we believe we can use part of the seed phrase to identify the user.
  3. We are not opposed to having all the different ways coexist. But it’s not in the short-term plans for now.
  4. No, we don’t have a fixed schedule now.

I hope that addresses your points!

1 Like

Wow, great news!

From a developer perspective:

  • Is there any native embedding for dapps, like Bioniq, for logging in directly in the dapp rather than navigating the user to another page?

  • I asked Sea snake before, but it would be cool if II could give the dapp the user’s email if they log in with Google, for some business purpose.

Thank you for your reply. I sincerely hope that the current storage method of anchor numbers + mnemonic phrases can continue to be used. Because I only need to delete the numbers (remember the numbers) and store the mnemonic phrases, I can safely keep my assets. There has been no security incident in the past four years, which is enough to prove its safety. Moreover, it allows me to log in on any device if I want. I think this is a very good design. I hope the team can consider it. Thank you.

We would need to investigate this further.

Better supporting other environments is also in our roadmap, but not a priority at the moment.

Super easy to update from the old version. Works really well with Google sign-in and so far I haven’t noticed any issue. Really great. I don’t want to switch back to the old version now though. What are the risks of leaving it live the way it is?

1 Like

What kind of risks are you worried about?

We are still working on bringing feature parity with the Internet Identity 1.0 and fixing any bugs that might appear.

I’m not really worried about any specific risk but I thought I might be missing something after reading this above (Internet Identity 2.0 is in beta release and not yet ready for production. We’ll notify the developer community once it’s ready for integration with existing production applications.). Should it be okay to leave it integrated?

Ah, yes, that’s ok.

It’s in beta because of the missing functionality and missing path for existing users to use their identity with the new flow.

There aren’t any extra risks to use the new versus the old one.

1 Like

So what will happen to users that have already implemented a process for seed phrase storage? I mean, I already have many seed phrases distributed across different countries and places, and now I can’t go and modify them just because the anchor ID will be removed… Or will my seed phrase continue to work as usual, and will the anchor ID generated on V1 of II still work as usual as part of that seed phrase?

Or will the migration phase change my seed phrase because this anchor ID will be removed?

I have spent tons of money and time buying hardware, and this crypto seed bank and doing the storage process to now have to change all that again.

Existing seed phrases will continue to work as usual but (technical design pending) you might be asked for your identity number for those until you reset the seed phrase.

This is going to help a lot on the Kinic side.
Super stoked! Kinic is likely to be an early power user of v2.

2 Likes

Sounds good, let’s not change the seed phrase, because there are many people who don’t have it in plain text next to their room. As I said, I implemented a whole process to store these phrases. I can’t travel now and go and update the seed.

So what you are saying is, if I don’t decide to MANUALLY reset the seed phrase, the same seed will keep working as usual, right?

Yes, given that II only stores the derived public key of a seed phrase to verify incoming signatures, it won’t be technically possible to change those on behalf of users.

1 Like

I think the Miaodian number would be very convenient. I’ve been an icp identity for so long, and I haven’t reported any incidents of ii number assets being stolen. The security issue of ii1.0 is also fine. In my personal opinion, ii2.0 should still retain the 1.0 number. After all, there are already 2.7 million users.

I have a good idea. Considering the frequent incidents of token theft caused by clipboard tampering in the crypto world, could we use the anchor number as the receiving token address for NNS? In this way, I don’t have to check each letter, only the numbers need to be compared/input. From a technical perspective, is this feasible? thank you!!!