Internet Identity is slowing IC adoption

Yes, I agree that IC adoption is hampered by it, but not because of the II technology itself; rather, it is the fact that the majority of IC apps rely on it solely. Maybe the DFINITY documentation should recommend a secondary login method at minimum for people less concerned with their security.

Even II itself could be upgraded to include software based authentication as long as the concept of admin devices is introduced along with it or it’s possible to make it opt-in only.

2 Likes

If we want widespread adoption then we must offer a user experience that’s on par with, if not better than, web 2 apps. At the moment, if IC devs were to implement multiple auth methods, they’d either have to go the “ETH” route with a MetaMask style login flow, which I think isn’t ideal for a number of reasons, or implement standard username and password, which would mean more dev time, and some stuff like password reset might not be possible right now without relying on legacy cloud.

A more secure and feature rich II would be the perfect solution.

3 Likes

Reading through this thread in the process of looking for anything that might throw light upon my own login problems, I noticed a mention of NFID.

Is NFID part of the Internet Computer’s identity system or not?

I am confused because part of my login problems has been the fact that I have so far accumulated in my notes file of Internet Computer login credentials three different anchors given to me by NFID, along with 24-word “phrases” for each, yet identity.ic0.app seems unable to make use of any of them.

I had actually reached a conclusion that NFID must be something different from the Internet Computer, possibly for example a Microsoft or Google or someone’s identity system superficially similar to the one used by the Internet Computer.

Part of how I came to be able to create anchors at all using NFID, and why NFID had seemed to be the only method that actually worked, is that I would like if possible to create an identity I can have backups of, such as the anchor+passphrase given me by NFID, first, to be sure I actually have it and it is secure, BEFORE optionally associating with one or more of the identities various keys I will never myself actually have access to, such as keys stored in special secure chips and so on.

Basically I am hoping to be able to have an identity I actually have and can back up, then if I want to associate fingerprints or image-recognition stuff to it I can optionally do so.

Which reminds me, if I do associate such things, I would prefer not to tie it down to a specific authority but rather be able, if such things are needed at all, to note with each example of such an item its authority, such as “according to MI5 this identity’s fingerprint is X”, “according to the CIA it is Y”, “according to the iPhone of serial number such and such when it scanned it on such and such a date it was Z” and so on. I also have never even tested any fingerprint scanners for details like how well they can recognise if different fingers, or the same finger of the other hand, are used with them, and stuff like that. Let alone all the tricks you see on TV shows for fooling fingerprint (and for that matter retinal scanner) systems.

So anyway, supposedly I now have at least three anchors, without possessing as far as I know any machinery that offers fingerprint scanning (though possibly I might yet discover that one of the laptops or phones lying around might turn out to have such gadgets).

My problem is, I have not discovered any way to use any of them without somehow storing them onto a “hardware wallet”, and I do not have any “hardware wallet” dongles or such.

-MarkM-

1 Like

I am now suspecting a huge part of the problem might be that recovery-phrase input at identity.ic0.app does not remove extra whitespace, in particular end-of-line indicator bytes such as (for me, being on Linux) linefeeds.

Because copy-paste from phone to desktop without using something like ssh (or maybe even remote screen mirroring etc) does not work, one is reduced to typing the words one at a time into whatever textfile or whatnot one is keeping track of passphrases in.

Because the words are often (visually even if not internally in the app) grouped into separate lines when shown to you, and because your text editor you are typing in defaults to some finite width you’d like what you type to be narrower than (for easy reading and copy-pasting on systems with narrower default, especially using text editors that mouse copy will only copy the visible part of, maybe with a $ at edge to show where edge of screen had truncated it), and for easy counting of the words for systems that ask for e.g. word 5, word 14 and word 24 or whatever, one often ends up with linefeeds in one’s text file that shows a passphrase.

It actually seems to me totally weird for input of a passphrase to NOT have excess-whitespace removal, since also one often finds trailing spaces on lines in textfiles, especially if copy-pasted to the textfile, and also often lacks a trailing space, having instead of a space a linefeed.

So if a passphrase input wants specific number and type of whitespace between words, it should see to it itself that it massages the input into that form before trying to make use of it.

TL;DR I copy/paste passphrases from textfiles in which each passphrase is typed as several lines of text; BECAUSE some text editors, if I try to copy/paste a line longer than the width of the window, don’t get the whole line; THEREFORE passphrase inputs OUGHT TO massage phrase input.

-MarkM-

2 Likes
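The normalisation the post above asks for, as an added example written for this thread and not code from Internet Identity or NFID: it takes a recovery phrase pasted from a text file (anchor number on one line, words spread over several lines with CRLF endings, tabs, non-breaking and trailing spaces) and reduces it to the single-spaced form an input field expects. The function names, the split of the anchor from the words, the case folding and the 24-word count check are assumptions of this illustration; the sample anchor and words are constructed.

```javascript
// Added example (not Internet Identity's or NFID's code): normalise a
// recovery phrase pasted from a text file before it is compared or parsed.
// Assumed format, following the thread: a numeric anchor followed by 24 words.

const EXPECTED_WORD_COUNT = 24; // assumption taken from the thread's "24-word" phrases

function normalizeRecoveryPhrase(raw) {
  // In JavaScript \s matches space, tab, CR, LF, form feed, NBSP and the
  // Unicode space separators, so a single split absorbs every line-ending
  // style and any trailing whitespace a text editor left behind.
  const tokens = String(raw).trim().split(/\s+/).filter(Boolean);

  // Treat a leading all-digit token as the anchor number; everything after it
  // is the word list. Case is folded because phrase words are compared in
  // lowercase in this example (assumption).
  let anchor = null;
  let words = tokens;
  if (tokens.length > 0 && /^\d+$/.test(tokens[0])) {
    anchor = tokens[0];
    words = tokens.slice(1);
  }
  words = words.map((w) => w.toLowerCase());

  const phrase = (anchor === null ? words : [anchor, ...words]).join(' ');
  return {
    anchor,
    words,
    phrase,                                   // canonical single-spaced form
    ok: words.length === EXPECTED_WORD_COUNT, // false on a short or over-long paste
  };
}

// Compare two pastes by their canonical form rather than byte-for-byte.
function samePhrase(a, b) {
  return normalizeRecoveryPhrase(a).phrase === normalizeRecoveryPhrase(b).phrase;
}

// Constructed sample: what the thread describes, a phrase typed over several
// lines with Windows line endings, a tab, a non-breaking space and trailing
// spaces. The anchor and the words are made up for this example.
const PASTED_FROM_TEXTFILE =
  '12345 \r\n' +
  'alpha bravo charlie delta echo foxtrot  \r\n' +
  'golf\thotel india juliet kilo lima\r\n' +
  'mike november oscar papa quebec romeo\u00a0\n' +
  'sierra tango uniform victor whiskey xray\n';

// The same phrase as a login form would want to see it.
const CANONICAL =
  '12345 alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo ' +
  'lima mike november oscar papa quebec romeo sierra tango uniform victor ' +
  'whiskey xray';

if (typeof require !== 'undefined' && require.main === module) {
  const result = normalizeRecoveryPhrase(PASTED_FROM_TEXTFILE);
  console.log(result.anchor, result.words.length, result.ok);
  console.log(samePhrase(PASTED_FROM_TEXTFILE, CANONICAL)); // prints true
}
```

The place for this is the input handler of the recovery field, before the text is parsed or compared: the user-visible behaviour then no longer depends on which editor the phrase was copied from, and a wrong word count can be reported as such instead of as a bare login failure.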

By carefully massaging my passphrase input to identity.ic0.app on my browser, I was able to get to the manage anchor page.

However neither on that page nor in trying to log in to nns.ic0.app was I able, using this Ubuntu 18.04 desktop, to go any farther.

In particular, on my A7 phone I had selected add a device, and it had told me to go to that device (in this case this desktop machine) and initiate add a device on that machine.

The purpose of this attempt is to somehow associate the desktop and the phone so that when the desktop wants some kind of second-factor authentication it will be able to ask me to use the phone instead of insisting I have to go buy a “hardware wallet” gadget.

Trying to do as instructed on this desktop just keeps wanting a hardware wallet first before it will even let me do anything about the phone, even though on the anchor management page it clearly shows the phone as the only authorised device so far.

Isn’t the point of all this that each device, such as this desktop, needs to be authorised by an existing device?

How do I get this desktop to use the phone instead of a hardware wallet for authorisation?

I then thought well maybe since it has been ages since I started on the phone the add a new device process, maybe I need to get that started again first before trying to run it on the desktop.

But now the remote device choice when adding a device on phone does not work anymore!

This is the third or fourth DAY of spending more than full time hours (by a lot) each day just trying to get an internet identity that works. How has anyone other than owners of hardware wallets (and maybe even for them it is very very hard?) ever managed to adopt the IC at all?!?!?

-MarkM-

I have now managed to initiate the add a new device on the phone, but…

…Still well within the five minutes the phone is giving me to go through the add new device routine on this desktop, the phone has NOT refreshed its page like it said it would after I entered on this desktop an alias I want to use for this particular one of my various desktop machines.

Rather, the desktop instantly went to wanting to see a hardware wallet instead of asking whether I wanted to use the already-added phone instead of a hardware-wallet AND the phone did not refresh the page on which it was presumably waiting to see a signal that another device (the desktop) had been told an alias to be known by and was thus ready for the phone to continue adding it.

Meanwhile on another phone I had tried to visit identity.ic0.app in its browser and an hour or more later the busy-circle on the site was still turning so I revisited the page; that was an hour or few ago now and still that busy-wheel is turning endlessly, Loading Resources…

Just how many resources does it need to load on a phone that has not visited its site before???

-MarkM-

Hi @knotwork

Maybe I can answer some of your questions:

Is NFID part of the Internet Computer’s identity system or not?

There is no one such system. NFID is an alternative to Internet Identity (identity.ic0.app) and uses the same back-end as Internet Identity. But it is a different service.

I am now suspecting a huge part of the problem might be that recovery-phrase input at identity.ic0.app does not remove extra whitespace, in particular end-of-line indicator bytes such as (for me, being on Linux) linefeeds.

This is a very good point, thanks for highlighting it. I’ll see what we can do about that.

The purpose of this attempt is to somehow associate the desktop and the phone so that when the desktop wants some kind of second-factor authentication it will be able to ask me to use the phone instead of insisting I have to go buy a “hardware wallet” gadget.

This is unfortunately not a feature of Internet Identity and not what the add device flow is supposed to do. The add device flow is used to associate a new authentication method (such as biometrics on a different device) with your anchor such that after the flow, both devices can be used independently to authenticate your anchor.

Thanks a lot for the valuable feedback and I’m sorry your experience with Internet Identity was not great. We will continue improving it, hopefully making it work as expected for everyone.

1 Like

Thank you! Sounds like what I actually need is a “hardware wallet emulator”, a “fingerprint scanner emulator” or a “facial-recognition auth” emulator.

Does anyone reading this happen to know whether apps/programs in general, as well as in particular the internet identity suite, happens to use a dynamic library one could replace, or even a kernel module one could install, or even a builtin kernel call one could compile-in if it is not something that could be put into a module, to attempt to discover and make use of a hardware-wallet dongle, a fingerprint-scanner, or a facial-recognition tool?

Hmm thinking about that I am actually suspecting that facial recognition might be the one requiring the most code and data thus the one most likely to not be a core kernel call nor a dedicated piece of hardware?

-MarkM-

I have both my phone and a YubiKey set up as authentication methods for my Internet Identity. When I log in on my laptop Chrome shows me a choice of Bluetooth, NFC or USB (for my YubiKey) and my phone. If I select my phone, I get a notification on my phone and I can use the fingerprint reader on the phone to log in on my laptop. It feels very much like second-factor authentication. Is this what you’re looking for?

1 Like

I don’t think so, since as far as I know none of my phones nor laptops have fingerprint readers; so basically I am looking into ideas such as running on one desktop or laptop or phone some software that will let it pretend over USB that it is a hardware wallet dongle.

My desktop machines do not have bluetooth so bluetooth would only be of use on laptop or phone, neither of which I customarily use.

I actually would very much prefer not to have a phone have any control over anything financial, if need be doing an ssh from it to a desktop in my home to do things like sending cryptocurrency, but that is looking somewhat infeasible nowadays.

Maybe in the long run something like sending encrypted emails to a mail filter on a desktop in my home on some kind of one-shot basis or something. Hmm, need to put more thought into long-run scenarios; for now I am just trying to do simple logins to websites like one does with Metamask or Hive Keychain or Rabet or suchlike.

Actually, come to think of it, I only need initially probably the “memo key” and “posting key” type functionality; if an actual identity gives way more than that, obviously one would need at least two identities, one without any ability to touch one’s funds to start with, then maybe later one that has access to some small amount of funds and so on. Hmm again. The whole thing is, “in large”, a bit complex, isn’t it? :slight_smile:

-MarkM-

1 Like

FWIW, I don’t think you need a fingerprint reader on your phone in order to use it as a login device, just some way of unlocking it (it’s possible that facial recognition or whatever mechanism you use to unlock your phone is sufficient). Essentially all you need is a way of unlocking your device’s TPM chip (Wikipedia page, Android-specific keystore implementation).

The way I have my neurons set up, my Internet Identity is only a hotkey for them, so I (or anyone else using my phone) cannot touch the neurons, ICP within or maturity. All I can do from my phone or laptop is vote with my neurons. The neurons themselves are controlled by a Ledger device, via a USB cable, in combination with a command line tool.

If you want to go really hardcore, there’s also quill, which you can use in conjunction with an air-gapped computer to manage your neurons. Of course, said machine does not need to be air-gapped, it’s just a good idea for it to be. Without that, someone hacking into your machine can steal your secret keys. Something that isn’t (or shouldn’t be) possible if your keys were e.g. stored inside dedicated hardware (TEE/SE/TPM) on your phone.

On my A7 phone I might have been “forced” by NFID to lock my whole phone, not just to use the mechanism doing so would have made use of; so now the phone itself is locked, which I would not have done if it had only been possible using fingerprint or facial-recognition. Fortunately the “lock” is just a PIN, but still having to use it for the entire phone not just for this one function or app seems like overkill, and means the entire phone can now only be left useable to other members of the household if I want them to also be able to use whatever identity I authorise on that phone.

I have one other phone here that has a working battery (aka can be powered up, since none that cannot charge seem able to simply be powered up via USB despite not being able to store a charge), I installed latest Chrome in case its gosh knows what model/brand/version default browser might not be of a kind modern apps/sites can even identify let alone use, and navigated to identity.ic0.app but it says my browser is not equipped for it.

Which maybe could just mean that I would have to first set up screen locking for the phone as a whole, or maybe just for chrome, in order for sites it visits to see the lock mechanism as even being available on that phone?

It seems to maybe be wanting to see an auth function or code-snippet that might be what browser extensions inject into pages, so maybe it is not looking for a phone lock mechanism of the phone itself so much as a browser-extension wallet installed to the browser, so I am going to try to recollect or reconstruct whether I ever in fact managed to find and install anywhere any browser-extension that works with Internet Identity.

Possibly strange, or maybe not to someone familiar with the inner workings, is that I do know I installed an app very hard to look up again on Google Play called Me (a highly populated keyword on the play store), but that following hours of difficulties using it their support eventually told me that it does in fact not support internet identity even though it does supposedly open and manage accounts on the Internet Computer. It seems to use something it calls a Principal and it is not clear to me, since it does not use my identity, whether maybe a Principal is actually an account they are the real controllers of, not their users.

Maybe though the relation between the so called “Principal”s and them might be more like how recovery accounts seem to work on Hive, where the recovery account, which often was the creating account that created your account for you, is just the only one that can execute the recovery function but still needs the actual key of the account-to-recover, and maybe even there might be a way they could have created the account for the user without themselves ever getting access to its secret key.

So right now I do not know whether somehow the fact that the Me app is on the A7 phone and not on this whatever-it-is other phone could be making them respond differently or maybe it is that the whole darn A7 phone is locked whereas this one isn’t.

So still more experiments to do to try to figure this stuff out… I see something called Plug too, I think maybe it was Plug not Me that said they do not support internet identity. Having to try more and more apps and browser-extensions is making this more and more complex the more of them I try…

-MarkM-

The second phone I am trying says its baseband version is DOOGEE-X5S.2015/12/21

It seems to be the one on which visiting identity.ic0.app gives a “loading resources” page that just forever spins a busy-indicator wheel and in the various numbers of hours I have let it try never actually finishes loading them.

I tried using the default browser because I found an app-lock icon that lets each app be locked or not individually, so I applied it to the default browser first to make sure it doesn’t lock me totally out before risking using it on the new chrome app I installed.

Since default browser seems unable even to load the resources I will now go on to try using the app lock icon/app to lock the new chrome app and see if that changes how chrome reacts when visiting identity.ic0.app…

…OK, done. window.PublicKeyCredential is not defined still, so maybe it is looking for a browser-extension not the phone’s lock mechanism.

…By the way I just learned that NFID.one has the same problem of failing to massage whitespace in pasted anchor+passphrase as identity.ic0.app has. I successfully logged into NFID.one by manually carefully massaging my input over and over again in their input-field widget until it attained the form they wanted and it worked.

I also think I might have learned that when I think I am trying to authorise a desktop machine the system thinks what I am really trying to authorise is a physical device such as for example a hardware-wallet fob/dongle, that is what it seems to think of maybe as the target not the desktop machine itself really in some way. It is starting to look like maybe for desktops I might ultimately end up not with any authorised desktop machines really but, if I actually went out and bought a dongle/fob, a dongle or fob that when plugged into a desktop machine turns it into an authorised machine temporarily while the dongle or fob happens to be attached to that machine not to some other machine.

-MarkM-

I now seem to be trending toward the idea that maybe desktop machines are not “devices” at all as far as authorising of devices go, unless some super-modernistic desktop machines have some kind of Trusted Execution Environment or Strongbox built in and the operating system they are running supports using such hardware?

That is to say, so far all paths I have attempted toward being able to use a desktop machine seem to dead-end at “use a portable hardware wallet such as a Nano Ledger”.

No routes seem to lead to being able to use some other machine, such as a phone, instead of a “hardware wallet”; attempting to use a phone to authorise a desktop machine always seems to end up wanting a “secure key”, which seems to mean a “hardware wallet device”.

If I did have a hardware wallet device, it doesn’t even seem clear terminology to refer to the desktop being added as a device, if it is only able to be or act as a device when a hardware-wallet device is attached to it or in bluetooth range of it etc.

Thus the idea of using Internet Identity on machines actually suitable for doing software-development on seems pretty much “shot down” from the get-go, short of maybe stumbling upon a workstation / desktop that has some kind of built-in hardware key-security subsystem. (?)

-MarkM-

1 Like

Depends on the machine. A modern MacBook with thumbprint reader can be used as a device, but a Linux machine cannot; I believe Windows only works with Windows Hello. II is entirely at the mercy of the browser and operating system; the magic word, if googling, is ‘WebAuthn’.

When a website asks you to log in with Internet Identity, a principal is what it gets back. Principals are the basic form of account on the IC. An identity service like II or NFID will provide a principal it controls in exchange for a different form of authentication, like a device; a wallet like Plug or ME will store the principal directly, so it is under your control.

2 Likes
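A check that makes the two observations above concrete (the “window.PublicKeyCredential is not defined” result on the second phone, and the explanation that II depends entirely on the browser and operating system’s WebAuthn support): an added example written for this thread, not Internet Identity code. `detectWebAuthn` takes the global object as a parameter so it can be exercised outside a browser; in a page you would call it with `window`. The properties it inspects (`PublicKeyCredential`, `navigator.credentials`, `isSecureContext`, `isUserVerifyingPlatformAuthenticatorAvailable`) are the standard WebAuthn and DOM names; the verdict strings and the fake browser objects are this example’s own constructions.

```javascript
// Added example (not Internet Identity code): tell "the browser exposes no
// WebAuthn API" apart from "WebAuthn is present but no built-in authenticator
// is available". WebAuthn is a browser/OS feature, not an extension, so a
// missing PublicKeyCredential is not fixed by installing a wallet add-on.

function detectWebAuthn(g = globalThis) {
  // The constructor the thread found undefined on the Doogee phone.
  const hasPublicKeyCredential = typeof g.PublicKeyCredential === 'function';
  // Credential Management entry points used to register and authenticate.
  const creds = g.navigator && g.navigator.credentials;
  const hasCredentialsApi =
    Boolean(creds) && typeof creds.create === 'function' && typeof creds.get === 'function';
  // WebAuthn is only offered in secure contexts (https:// or localhost).
  const secureContext = Boolean(g.isSecureContext);
  // Static query for a built-in (platform) authenticator such as a phone's
  // screen-lock-backed key or a laptop's fingerprint reader.
  const canQueryPlatformAuthenticator =
    hasPublicKeyCredential &&
    typeof g.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable === 'function';

  let verdict; // verdict strings are this example's own labels
  if (!secureContext) {
    verdict = 'insecure-context';                // plain http: the API is not exposed
  } else if (!hasPublicKeyCredential || !hasCredentialsApi) {
    verdict = 'no-webauthn';                     // browser/OS does not implement WebAuthn
  } else if (!canQueryPlatformAuthenticator) {
    verdict = 'webauthn-without-platform-query'; // older implementation; roaming keys only
  } else {
    verdict = 'webauthn';                        // API complete; platform query possible
  }
  return { hasPublicKeyCredential, hasCredentialsApi, secureContext, canQueryPlatformAuthenticator, verdict };
}

// Follow-up asynchronous query; only meaningful when the verdict is 'webauthn'.
// A false answer here with verdict 'webauthn' is the "needs a security key" case.
async function describeWebAuthn(g = globalThis) {
  const d = detectWebAuthn(g);
  if (d.verdict !== 'webauthn') return { ...d, platformAuthenticatorAvailable: null };
  const available = await g.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  return { ...d, platformAuthenticatorAvailable: available };
}

// Constructed stand-ins for the situations in the thread (not real browser objects).
const FAKE_PHONE_WITHOUT_WEBAUTHN = { isSecureContext: true, navigator: {} };
const FAKE_MODERN_BROWSER = {
  isSecureContext: true,
  navigator: { credentials: { create() {}, get() {} } },
  PublicKeyCredential: Object.assign(function PublicKeyCredential() {}, {
    isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
  }),
};

console.log(detectWebAuthn(FAKE_PHONE_WITHOUT_WEBAUTHN).verdict); // no-webauthn
console.log(detectWebAuthn(FAKE_MODERN_BROWSER).verdict);         // webauthn
```

Run in a page as `detectWebAuthn(window)`, a verdict of `no-webauthn` points at the browser or operating system rather than at a missing extension or an app-lock setting, which is the situation the second phone was in; `webauthn` with a platform-authenticator answer of `false` is the case where only a roaming key (a USB/NFC security key) can satisfy the request.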

Thank you! Slowly the grand design is becoming clearer. :slight_smile:

-MarkM-