Internet Identity is slowing IC adoption

As it currently is Internet Identity is quite tedious to use if the device you’re using doesn’t have biometrics and in my opinion is one of the biggest limiting factors for IC dApps adoption.
Personally I rarely use IC dApps on my desktop cause connecting my hw wallet everytime is annoying and I don’t want to enable Windows Hello cause I’d rather use a password than a PIN and even if I wanted the problem would persist when I dual boot into a Unix system.

The following is a list of changes/improvements to make II a true Web 3.0 equivalent to legacy oAuth systems:

  • Temporary login using OTP or QR codes if the device doesn’t support biometrics/Windows Hello: e.g Binance allows to login if you scan the QR code in the mobile app.
    A metamask like login flow (set a password and import seed just once) would also be nice, I know its not as safe, but considering you can bypass the need for biometrics or security key by using the “recover lost anchor” option everytime, I’d rather have that than type my seed phrase everytime I want to login.

  • More granular control over what each device/authentication method can do: e.g only admin level devices can add new/remove ones, this should be a top priority, II’s shorcomings on this front have already caused issues in the past: My NNS has been stolen,Please help me
    A temporary fix is being discussed by the community: Immediate Action to Protect Internet Identity w/ Seed Phrases - #51 by nmattia
    but in my opinion it’s a bandaid solution which could have long term implications on how II works, so I think it’d be best to prioritize an actual solution and solve the problem once and for all.

  • Pseudonyms for Anchors, numbers are harder to remember than words, it may not be an issue if you only have one ancor but if you have multiple ones you have to write them down somewhere.

  • Increase browser compatibility, especially on mobile it can be annoying when your default browser isn’t Chrome and apps require a login, in that case you have to switch the default browser back to Chrome, login and then reset it to your preference, this has to be done everytime the auth token expires.

The first 2 points should have top priority, not only cause they make II harder to use and less secure but also because 3rd party solutions are being released to mitigate those issues, so a new problem arises: fragmentation. On other chains Metamask is the go to wallet to interact with dApps, on the IC we have: Stoic, II, Plug, NFID, DEXes priopetary wallets for some reason, etc…
Each dApp supports a different subset of the listed tools and each tool has a different subset of features, as an experieced user this is already a chore, if II is meant to be used by everyone something has to change.

8 Likes

Internet Identity is not a must to use except for NNS . And i prefer to leave it that way for maximum security.

Some of the dapps are not using II . They are using wallets like plug and stoic . And you do not need II to create plug or stoic.

1 Like

Internet Identity is not a must to use except for NNS.

Not true at all, almost all dApps outside of the NFT/DeFi space use II: DSCVR, Distrikt, Dsocial, etc…

And i prefer to leave it that way for maximum security.

You can always create multiple ancors for multiple use cases and how is a wallet like plug more secure than II? Besides in my opinion if we want to have widespread adoption the web 3 space must move away from wallet based authentication, its too complex for the average user, II if improved would be much better and safer as it resembles what users are already used to.

5 Likes

Internet Identity is not a must to use except for NNS.

Developer can choose not to implement II as a login option…

2 Likes

True but that doesn’t they won’t or they shouldn’t, as I said most dApps in the social space are already using it and rightfully so, why make your own system, which you have to implement and maintain when professional coders at Dfinity have already released a functioning one?

Just cause they theoretically have the option it doesn’t mean we can’t advocate for II to be improved, all the points I mentioned would make the NNS experience better too.

3 Likes

Internet Identity is a true novelty and SHOULD be used everywhere. Have to find ways how to make it maximum security but also approachable for people.

You don’t need a biometric scan nor a hardware wallet. A phone works just as fine. But if you have, you can have 2 access points + the seed phrase. Personally, I find it very convenient to use and it is the simplest way to onboard people to crypto. It is native with browsers and entirely on-chain.

2 Likes

There are many ways how to improve the II even further. It is not complete. I believe adding a scalable way to translate the critical stuff could help out. Here’s a proposal discussion for this:

Some things you mentioned here (OTP/QR code, granular control and admin level) are definitely on the roadmap, we just haven’t gotten to it yet. :pensive:

For “Pseudonyms for Anchors”, I think that’s a great idea! How would that work exactly? Are you thinking of e.g. generating a pair of words based on the anchor number for instance? Having user-specified pseudonyms will be a bit tricky to implement.

Finally regarding browser compatibility, can you clarify what the issue is?

I think this isn’t such a bad thing, at least for now. The IC ecosystem is very young, and it’s really good to have all those different players! One thing that would be absolutely great is to have say a base authentication mechanism like II, but with pluggable 3rd party features; but maybe I’m dreaming a little…

3 Likes

we just haven’t gotten to it yet

Good to know, I’m really looking forward to see them implemented.

How would that work exactly?

Ideally we should be able to choose a unique keyword, similar to a nickname or email.

browser compatibility

Not sure if anything has changed recently but at least on mobile II login is only supported with Chrome. So for example when using Distrikt’s app I have to switch default browser everytime the session expires.

The NNS and Internet Identities should be easy enough for the very elderly and tech illiterate people should be able to use it. I don’t think we’re at that point.

5 Likes

This can’t be understated enough. If ICP could fulfill on delivering to “this kind of userbase” it would certainly set a new precedent, reflecting on what ICP is already capable of, while at the same time raising the bar for what could be expected when using the internet.

1 Like

Likely there are some things that could be done to leverage the power of II with ZKPs.

Also, it would be nice if we could reduce logging into one or two steps process.

Ok, I’m guessing you mean on Android? Will try to reproduce this, thanks for bringing this up

@frederikrothenberger is implementing this right now! should be live next week

2 Likes

Hi @Zane

Regarding the Android & II Login problems: It seems not to be as clear cut. Firefox does work as well (at least on my Android 12 device). However, WebViews embedded in apps (which is what Distrikt uses for login) seem to behave differently than the full browser apps regarding WebAuthn. The Firefox WebView currently does indeed not work (on my phone at least). Thanks for pointing this out. I have added this bug to our backlog.

Could you post the versions & device that you are using and also which browser you normally use.

In the long term, we probably want to address this issue by switching to a redirect base protocol, which should hopefully fix most the UX and compatibility problems regarding WebViews.

3 Likes

So I ran across some issues on the Internet identity on the week end. I had previously added two apple devices using a security key, I decided I wanted to use my thumb print instead so set them up again to use that. This worked for a while but after a computer restart the thumb print option was totally missing from both devices and it was asking for my security which was not with me at the time.

To resolve this I had to totally remove the devices and set them up again. In doing so I noticed several issues with the internet identity user flow.

One biggie is there is no link to the internet identity app when you try to log into the NNS app, you have the app specific login screen. On the screen the full army of options is missing. But the screen makes it look the same as being on the full internet identity app. This would be very very confusing for new and novice users.

Also when on the full app certain important options don’t appear unless you are in a certain state, so for example I had to remove my identity anchor before it would give me some options. This again is confusing to new and novice users.

I would suggest that when you login to app using the internet identity that the should be a link to the identity app in case you run into login issues. In the identity app all potential options should always be shown to the user always knows the full range of options available. If an option would not work due to the current user star then grey it out but don’t remove it.

One other thing is we need to be able to have more than one security key back up, this allows users to have them in different locations in the event that one is lost.

Hey thanks for the great feedback!

Can you clarify this? What do you mean by “no link to the II app”?

I have never seen this put into words but you’re completely right, and this has been annoying me for quite some time now. We (@frederikrothenberger) are actually working on an improve authentication flow when you come from another app; it’ll then actually look like a different screen! I for one can’t wait for this to land.

You mean physical key fob? You can add more devices as “regular” devices, wouldn’t that work?

1 Like

Thanks for taking a look!

So to clarify when you use the identity to login when on the NNS app, it takes you to the NNS app.That is logical
When you log directly into the Identity.ico.app it takes you to anchor management.

There is no way to get to anchor management if you login to the NNS app but because the identity app pages look the same this is very confusing.

Ideally from a user perspective all options would be available to you however you access the internet identity.

If I add a new device I cant add a new fob for it, so must use the existing one, which is no help if I loose the fob. So the extra device is pointless in that case.

After setting up thumb print again on my iPhone, it is now asking me to use my security key to login. This is concerning because if I loose the only security key associated with my account I will be locked out.

1 Like

I have a Samsung S8 running Android 9, my default browser is Brave, iirc II didn’t work with it until a few months ago, but I recently tried and it’s as you say, WebView is broken, but the browser itself works.

I’ve also read about some compatibility issues on Apple devices but I guess there is nothing you can do about them and it’s good old Apple poorly implementing standards as usual.