Companies, NGO’s, communities, education institutions, Governments and their ministries and agencies, and all kinds of other groups. How does Internet Identity work for them on a practical level?
For as far as I understood, the Internet Identity is not linked to real world identity and only with devices. I guess such groups can form an identity, say a company can register each of its devices. But can there be support for its individual members, and a possibility to define different roles for different members? What about devices that are for common use between component members, how will they be able to differentiate who is using the a device at any given instance?
These are questions that arose when I thought of how not having our personal identity linked with the internet identity can affect usage, for I felt having them linked through KYC was an ideal solution to losing your Internet Identity in case of losing devices, them being compromised, etc, as well as the issue of identities for groups and their individual members.
And I can’t specially shake the feeling of the threat of compromised devices, it can be as simple as stolen devices but also extreme cases like an individual being held hostage to get access or using the fingerprint of an unconscious person. Maybe I’m paranoid watching too many movies with “bad people” but, they are all potential threats, right? Or am I missing something here?
Don’t get me wrong, I am loving the ease of use without having to use passwords, but the potential down sides are a bit scary!
So there’s two main questions here, I’ll try to respond to both as good as I can:
What about devices that are for common use between component members, how will they be able to differentiate who is using the a device at any given instance?
From an Auth standpoint Internet Identity is primarily an Authentication mechanism. If you want Authorization schemes those’ll have to be built on the individual canister or as a service on top of Internet Identity. There are so many possible directions and features an Authorization solution can take on, that it’s not a good idea to try and prescribe it from a service as central as the II.
And I can’t specially shake the feeling of the threat of compromised devices, it can be as simple as stolen devices but also extreme cases like an individual being held hostage to get access or using the fingerprint of an unconscious person.
I think your perception of threat models doesn’t correspond with the way people get hacked in the real world xkcd: Security
People get hacked because they enter their passwords on phishing sites (which doesn’t work with II, because the phishing site has a different hostname), because they reuse passwords and companies end up having their credential databases hacked (even if you hacked the II you couldn’t extract any private information) or because they get MITM’d on some public WIFI (which is less of a problem with II because you never put any private information on the wire).
Losing your security device is a real concern, but primarily because we don’t force people to add a second device yet, which means there is the danger of people losing their accounts. If your threat model is someone targetting you personally, losing a security device should be the least of your concerns.