Internet Identity - Idea

II Team,

Is there a way to create a seed phrase without exposing the seed phrase on the UI? This is perhaps the single biggest point of vulnerability with II. A computer connected to the internet displaying the seed phrase directly on the UI.

Honestly I don’t know how it could work. Maybe some kind of Bluetooth to a air gap device?

Or better yet, generate a seed phrase on a air gap device and then QR code it to the II interface?

Anything I’m not thinking of?

The seed phrase has to either be entered or generated on some other device, as you mentioned an air-gapped one, that can derive a public key from the seed and transmit that to the UI. This solution already exists. It is the recovery device if you use a Ledger hardware wallet as a FIDO device. Your seed phrase is then simply the seed phrase of the hardware wallet.

1 Like

Great! I just figured it out with the FIDO app. Thanks Timo.

Would you say the security is equivalent using II with a FIDO device as a recovery method vs. using the ledger as a hotkey on the II?

Also, while one can protect the seed phrase generated by II in the browser, it does not look like one can protect the recovery method that relies on a FIDO device. This looks like a major vulnerability in using a FIDO device. Am I right?

1 Like

To precise @dfisher’s point @timo when he writes:

Here is what had explained Diego during the “Spamhaus gate”

Hmm thanks Roman. It seems like the FIDO device is riddled with vulnerabilities.

  1. You could lose access due to the domain issue

  2. You could lose access if a malicious actor took control of your II and then removed the FIDO device as a recovery option since there is no option to make the FIDO device protected

All in all, it doesn’t sound very secure. Let me know if you disagree.

So @timo this leads me back to my original question. How can we create a system for generating a seed phrase for the II using an air gap device and then protecting it? Is there a world in which is could be technically possible? Maybe some quill function with a QR code?


I agree 100% with you, like almost every time by the way.

About people wanting to use the II, bu wanting to avoid the use of a recovery phrase touching Internet, here is the recap of the discussion, because it answers to your question :

Here is what Jordan wrote back then :

And this :

And @bjoern answered this, which answers to your question :

So, as we must use the recovery phrase rather than FIDO : or we improve the security of the II seed phrase generation, or we put only few ICP on the wallets not protected by a Ledger Hardwallet used as hotkey. So when you ask :

As you can see, it is not equivalent in term of security. For big amounts, the Ledger must be used as hotkey.

But as you can see, with what @bjoern writes, the problem for the NFT owners stays entire, this is why I was asking this :

CONCLUSION : If we want to use the II, the Ledger as hotkey is a necessity for big amount of ICP, but this does not solve the problem for the NFT.

Thank you Roman.

It looks like Ledger is much more secure than II, which is a bit concerning still because Ledger is still not enabled to work with SNS transactions and we’re about to experience a major wave of SNSs.

But that still doesn’t answer the question of whether it is technically possible to generate a seed phrase on an airgap device and somehow import that seed phrase into an II. That might solve most of the issues. There must be a way to enable this. @timo

1 Like

Another tip:
Go thru all of your browser extensions and change their access.
Right click, then choose “When you click the Extension”

When you go to a site using MetaMask, you can right click and choose “On …” then it will always be on on that site. Otherwise you will have to click on it and reload the page.

If you use Mac. Make sure not a lot of apps have special permissions here:

I suppose Accessibility, Input Monitoring and Automation are the worst.

If you set these things right. Not a lot of things will be able to accessyour browsed page.
You can be certain, that the first ones hacked will be the ones which didn’t set these right.

1 Like

I see how that is relevant to browser extensions like metamask and Bitfinity Wallet. But is it relevant for II? Thanks either way.

Most extensions like MetaMask and all wallets work by injecting code into your page. If you do the above, they won’t be activated and won’t inject anything on the sites for which you didn’t explicitly allow them.
See the extension details:

So basically II will be secure if you don’t have extensions accessing it and you don’t have Mac apps with special privileges.

On Windows - I’ve got no idea, it was terrible for apps before a few years, not sure now. Macs are based on Unix and the security is tight.

Crackers will go for the low-hanging fruit, which is probably going to be extension - game - Youtube downloader with 10mil downloads. Or a popular screenshot desktop app with too loose security permissions. Not saying you can’t get hacked by something else, but it’s less likely to happen