I agree 100% with you, like almost every time by the way.
About people wanting to use the II, but wanting to avoid the use of a recovery phrase touching the Internet, here is the recap of the discussion, because it answers your question:
Here is what Jordan wrote back then:
And this:
And @bjoern answered this, which answers your question:
I wish I had known/understood this back in 2021. I feel like the marketing/education around II vs hardware wallets wasn’t really present, or at least I missed it. Seems to me that most of the lay people in the community believe (believed?) II to be extremely secure. It’s only after digging in that we discover these flaws.
Let me clarify. Authentication with II is still fundamentally more secure than browser-based wallets like Metamask or Plug, because the cryptographic key resides in a secure hardware chip and outside of the realm of the browser or even the computer’s main memory. It is, however, also fundamentally less secure than a hardware wallet, since the hardware wallet will allow you to inspect the transaction. With web authentication, you as a user must be involved (e.g. fingerprint or face scan), but you don’t see the transaction details.
Let me put out some numbers. Here are values that I would feel comfortable with managing in different ways (these are based on my personal risk profile, everyone will have different limits):
- Browser wallet (e.g. Metamask/Plug) on my own general-purpose devices: $100s, for short time maybe $1’000s.
- Internet Identity on my own general-purpose devices: $1’000s, for short time maybe $10’000s.
- Browser wallet or Internet Identity on a “clean” device that I only use for one specific application that I personally trust, and where the front-end is decentralized (e.g. nns.internetcomputer.org) and that I never connect to public networks: $10’000s and maybe a bit more if I am paranoid about keeping the device clean.
- Hardware wallet (which I never connect to a device I don’t own): $100’000s.
- Custom cold-storage/air-gap setup: Anything beyond.
So I did not want to suggest that Internet Identity wasn’t secure – quite to the contrary! I personally think it has the best trade-off between security and usability for day-to-day use. I just want to encourage the use of “non-day-to-day” methods for cases with large amounts of tokens.
So, as we must use the recovery phrase rather than FIDO: either we improve the security of the II seed phrase generation, or we put only a few ICP in the wallets not protected by a Ledger hardware wallet used as hotkey. So when you ask:

Would you say the security is equivalent using II with a FIDO device as a recovery method vs. using the ledger as a hotkey on the II?
As you can see, it is not equivalent in terms of security. For big amounts, the Ledger must be used as hotkey.
But as you can see, with what @bjoern writes, the problem for the NFT owners remains in full, this is why I was asking this:
We are currently designing a scheme that allows any canister on the Internet Computer to use the ICP hardware wallet app for securely displaying and signing transactions, and that would work as follows:
- The canister developer specifies for each pair of (canister id, method name) a schema for rendering the parameters. That would likely be a transaction name and a structure that specifies for each field of the Candid argument whether it should be displayed and the title that should be used. (We need to devise a format for this, this actually is the main open design task.)
- The canister then signs said schema with the IC’s threshold ECDSA signature method.
- The dapp front end sends the unsigned transaction along with the signed schema to the hardware wallet.
- The hardware wallet derives the canister’s ECDSA public key from the IC’s ECDSA root public key and the canister id, and verifies the signature on the schema. It then uses the schema to display the transaction to the user, and signs the transaction when the user approves.
Hi @bjoern, hope this message finds you well. Any ETA for this wonderful feature?
CONCLUSION: If we want to use the II, the Ledger as hotkey is a necessity for big amounts of ICP, but this does not solve the problem for the NFTs.