Internet Identity 2.0

This looks like a meaningful step forward for Internet Identity! Excited to see how version 2.0 improves usability and security. Thanks for sharing the update!

Questions about the upgrade process:

I have an Internet Identity 1.0 with a passkey on domain identity.ic0.app. This is my main II I must not lose!

I have a different Internet Identity 2.0 with a passkey on domain id.ai
I unconsciously created that II 2.0 id when I tried an early Caffeine.ai release. I do not really need this II 2.0 Identity any longer.

Now I want to upgrade my main II 1.0 to II 2.0

Do I need to remove/delete my ‘caffeine’ II 2.0 on id.ai before I upgrade my main II 1.0?

Or can I just upgrade my II 1.0 and end up with two independent II 2.0 Identities on id.ai?
Will I be able to use both independently?
Without any downside, conflicts or practicality issues?

What is the suggested way of upgrading with such a configuration?

1 Like

No, you can have multiple identities on id.ai similar to how it was possible on the legacy II. I would recommend giving them different distinct names to avoid confusion though.

Yes for all of the above.

As you’ve mentioned, upgrading the II 1.0 identity and using both identities for their particular use cases. You can always quickly switch from the top right in id.ai between the recently used identities.

1 Like

Why don’t FIDO keys (YubiKey) work on id 2.0? It is listed as available but it only works on id 1.0? Tried on several devices.

Second question: if I mistakenly added a Google account on id 2.0, how do I remove it? I don’t see any possibility to remove a Google or Apple account.

Is my understanding correct that it’s possible to create two II 2.0 accounts linked to the same anchor number?

See my response to the same question here: 🚀 Announcement: identity.ic0.app & identity.internetcomputer.org → id.ai (Internet Identity 2.0) - #53 by sea-snake

No, every “identity” from II 1.0 can be upgraded to 2.0, where each retains its anchor number.

A new power-user feature in II 2.0 when signing into a dapp is the “Enable multiple account” toggle; here you can create multiple “accounts” for a particular dapp within a single “identity”. This could be used, for example, to maintain multiple Oisy wallet addresses within a single identity.

This feature has been added to II 2.0 to resolve the past challenge of users who had many identity numbers written down just because they needed multiple accounts for a particular dapp.

1 Like

Yes, I understand that. I created a sub‑account to test how logging in as a different user behaves when developing apps with Caffeine.
The issue I’m facing is that I linked my account to II 2.0 before locking the recovery phrase in II 1.0.
At the time, I didn’t think it was necessary to lock the recovery phrase, since entering the anchor number together with passkey authentication already seemed secure enough.
However, I later thought that II 2.0, which is designed to be simpler for general users, might still require locking, so I locked the II 1.0 recovery phrase yesterday—but then realized it doesn’t synchronize afterward.
In this case, I assume the locked recovery phrase will eventually become invalid, and that I should instead write down and keep the recovery phrase already associated with my II 2.0 account.
Is my understanding correct?

Firstly, an identity number isn’t a PIN; it’s a false security assumption that this would make a recovery phrase more secure.

Never expose a recovery phrase, with or without the identity number. In case you think your recovery phrase has been exposed, reset it immediately to replace it with a new one.

If you lock a recovery phrase for an identity in 1.0 and then visit the 2.0 dashboard with the exact same identity, it should also indicate it’s locked over there.

As mentioned in the other thread, investigating and implementing additional layers of security as replacement for locking recovery phrases is on our backlog.

1 Like

Is there a time lag? The message ‘Recovery phrase not verified’ still remains. This II 2.0 account is linked to the II 1.0 identity number.
Of course, I understand that the recovery phrase must never be shared. Thank you for the reminder.
I’m sorry for asking repeatedly due to my lack of understanding.

See: 🚀 Announcement: identity.ic0.app & identity.internetcomputer.org → id.ai (Internet Identity 2.0) - #54 by sea-snake

The recovery phrase hasn’t been used yet (or verified in II 2.0), therefore it’s indicated as unverified.

1 Like

Thank you for your trouble. I tried upgrading again with the same identifier, and that solved the issue.
Thank you very much.

Is it possible to access the new identity 2.0 (on id.ai) by recovery key? … When I try “lost access” (recover), I have only the recovery passphrase option.
I set up my (USB) recovery DEVICE (at the II 1.0 dashboard),
but when I want to try it with my new II 2.0 (on the id.ai domain) it seems there is no such option.

I have absolutely no idea why you’re showing me this.

1 Like

Edit: never mind, I misunderstood what you asked, my bad.

The recovery device can be used to authenticate during the upgrade process, similar to the other non recovery passkeys.

It’s listed together with the other non recovery passkeys in the II 2.0 dashboard access methods overview.

Edit:

Looking into the upgrade flow implementation now, but at first glance it seems you might have caught an edge case. I’ll share an update in this thread once I know more.

I am using a YubiKey 5C NFC (Firmware 5.2.7). I can log in at identity.ic0.app (II 1.0) with it, using it at a MacBook or an iPhone.

But when I try to use it to log in at id.ai (II 2.0), I get an error message similar to “No login data found for id.ai on this security key”.

Why is this? What can I do to make logins at id.ai possible with this YubiKey?

I have not tried to create a new access method on id.ai with this YubiKey yet, as I reached the maximum number of access methods. All old access methods from II 1.0 have been brought over. But I cannot delete any while logged in at II 2.0.

(When I log into II 2.0 at id.ai with a passkey bound to my MacBook I see this YubiKey as being used minutes ago under Access Methods. As it should.)

1 Like

A YubiKey (or any other passkey from II 1.0) cannot be used directly on id.ai (II 2.0); you’ll have to go through the upgrade flow with your identity number first, creating a new passkey with your YubiKey. Or, in case you’ve already upgraded, add the YubiKey on id.ai (II 2.0) as an access method.

Creating a new access method for your YubiKey would indeed be the correct approach. To prevent users from accidentally deleting old access methods from II 1.0 and possibly getting locked out of upgrading, deleting them is currently disabled indeed.

You can sign into II 1.0 and remove the old access methods from there; we’ll be enabling the removal of old access methods on id.ai (II 2.0) when more guard rails have been put into place.

As for the passkeys limit, this will be raised in the next II upgrade proposal to enable users who have already reached the limit to upgrade.

2 Likes
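
An added example (not part of the thread and not Internet Identity's own code) that models why a passkey registered on identity.ic0.app produces "no login data" on id.ai: WebAuthn credentials are scoped to the relying-party ID. It assumes the RP IDs are the two domains named in the thread; `ToyAuthenticator`, `signIn` and the credential names are hypothetical.

```javascript
// Constructed model of WebAuthn RP ID scoping; all data here is made up.
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest();

// Simplified RP ID rule: the RP ID must equal the origin's host or be a parent
// domain of it. Real browsers also reject public suffixes, and this model
// ignores WebAuthn Related Origin Requests.
function rpIdAllowedForOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith('.' + rpId);
}

// Toy authenticator: credentials are stored and looked up per RP ID.
class ToyAuthenticator {
  constructor() { this.store = new Map(); } // rpId -> [credentialId]
  makeCredential(rpId, credentialId) {
    this.store.set(rpId, [...(this.store.get(rpId) || []), credentialId]);
  }
  // Returns minimal authenticator data (rpIdHash || flags || signCount),
  // or null when nothing is stored for this RP ID.
  getAssertion(rpId) {
    const creds = this.store.get(rpId);
    if (!creds || creds.length === 0) return null;
    const flags = Buffer.from([0x05]); // UP (0x01) | UV (0x04)
    const signCount = Buffer.alloc(4);
    return { credentialId: creds[0],
             authData: Buffer.concat([sha256(rpId), flags, signCount]) };
  }
}

// Relying-party check: the first 32 bytes must be SHA-256(expected RP ID).
function verifyRpIdHash(authData, expectedRpId) {
  return authData.length >= 37 &&
         authData.subarray(0, 32).equals(sha256(expectedRpId));
}

function signIn(authenticator, origin, rpId) {
  if (!rpIdAllowedForOrigin(rpId, origin)) return 'rp-id-not-allowed-for-origin';
  const assertion = authenticator.getAssertion(rpId);
  if (!assertion) return 'no-credential-for-rp-id';
  return verifyRpIdHash(assertion.authData, rpId) ? 'ok' : 'rp-id-hash-mismatch';
}

// Constructed scenario: a security key that only holds a legacy credential.
const key = new ToyAuthenticator();
key.makeCredential('identity.ic0.app', 'cred-legacy');
```

Registering a second credential with `key.makeCredential('id.ai', ...)` is the model's equivalent of adding the same physical key as a new access method on the new domain.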

Please enable changing the name in II 2.0.

1 Like

Folks at DFINITY,

We have an app that uses II 1.0, and we do prefer it because it works reliably, works well with YubiKeys, and has a way to recover IDs by using a recovery phrase, a method quite familiar to many blockchain users.

Even though our app is nearly finished, we have not shipped.

So we have these important questions; I would appreciate your guidance very much:

a.- Is there an expiry date for Internet Identity 1.0? Or will both II 1.0 and 2.0 co-exist for many years to come?

b.- If our app ships with support for II 1.0, and in the future DFINITY phases it out for version 2, is there a way to programmatically do a mass upgrade for users so they don’t have to do it themselves, or it becomes extremely easy?

c. Does II 2.0 now support recovery phrases, or not yet? Will it, when?

Thanks,

Joseph Hurtado
Founder Granata Consulting
CTO Satoshi Notes

1 Like

January 26, see: 🚀 Announcement: identity.ic0.app & identity.internetcomputer.org → id.ai (Internet Identity 2.0)

They have to do it themselves, but there’s a guided flow in the above link that apps can opt into. See https://oisy.com for an example of how that would look.

Yes, see: Recovery Phrases Are Now Available on id.ai

1 Like