Internet Identity Lack Of Security

You are correct about the current design of the II. In the current design all devices that are added to an II are equal in power. Therefore, the whole II is only as secure as the weakest of the devices that you have added. If someone steals your oldest phone and overcomes the weakest fingerprint scanner then he can take over your entire II and lock you out. Similarly, the attacker can also take over if you use a compromised browser or sufficiently compromised OS and log into https://identity.ic0.app/.

So here all devices added to an II are on the same level and control of the II is defined by an OR condition: device 1 || device 2 || device 3 || …
Here, the recovery phrase is just another device like any of the others, just not a physical one.

What you are proposing is to introduce two levels. Devices on the lower level can only manage devices on the same level whereas devices on the higher level can manage all. So if a device on the lower level gets compromised then a device on the higher level can step in and kick out the compromised one and a complete takeover is prevented. Multiple administrative levels do not currently exist in the II. Whether they are needed is up for discussion.

A couple of points to guide the discussion:

  1. Account recovery through multiple administrative levels can be offered by the dapp. It does not have to be in the II. The NNS already offers that. You can configure a “hotkey” principal for voting with your neurons (that is the lower level) and a main principal for ultimately controlling it (that is the higher level). The main principal can reset the voting principal. You can use two principals that come from different IIs, basically achieving what you want. Any dapp could offer the same. For example, a social network could allow associating two principals with each user account instead of only one.

  2. It is only for some applications that a temporary compromise is not as bad as a complete takeover. The case of locked neurons is such a case, but that case is rather special. For a social media account you can also argue that a temporary takeover is not so bad, just a couple of posts in your name, but you would prefer that over completely losing the account. For a wallet of tokens or NFTs, on the other hand, a temporary compromise is as bad as a complete takeover. The attacker can sell everything in your wallet immediately. So the multi-level administration will not protect you. Therefore the question is, isn’t it better if the dapp manages this along the lines of 1. rather than the II?

  3. The II is primarily designed to prevent people from losing access, and as a convenience feature. It is not meant to protect high-value assets. To prevent losing access you will need multiple devices on the higher level. Just one (like one seed phrase) is likely not enough.

  4. If such administration was part of the II then what exactly would it look like? Is two levels enough? How many devices on each level? What is needed and what is feature creep? Are we introducing new foot-guns that lead to people locking themselves out?

I think the discussion is going to be a long one and that is the reason that the II is as simple as it is now.

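As an added illustration of the two designs compared in the post (a constructed toy model, not Internet Identity's actual code), the following simulates a stolen low-level device under the current flat design and under the proposed two-level design; the device names, levels and the `Identity`/`simulate_compromise` helpers are all assumptions made for the example.

```python
# Toy model of the two designs discussed above (constructed example, not
# Internet Identity's code): flat = control is device1 OR device2 OR ...;
# two-level = a low device manages only low devices, a high device manages all.
from dataclasses import dataclass, field

LOW, HIGH = "low", "high"


@dataclass
class Identity:
    two_level: bool
    devices: dict = field(default_factory=dict)  # device name -> level

    def can_manage(self, actor: str, target_level: str) -> bool:
        if actor not in self.devices:
            return False  # only a registered device may administer the II
        if not self.two_level:
            return True  # flat: any device may add or remove any other
        return self.devices[actor] == HIGH or target_level == LOW

    def add(self, actor: str, name: str, level: str = LOW) -> None:
        if not self.can_manage(actor, level):
            raise PermissionError(f"{actor} may not add a {level} device")
        self.devices[name] = level

    def remove(self, actor: str, name: str) -> None:
        if name not in self.devices or not self.can_manage(actor, self.devices[name]):
            raise PermissionError(f"{actor} may not remove {name}")
        del self.devices[name]


def simulate_compromise(two_level: bool) -> dict:
    """Attacker holds 'old-phone' (constructed scenario); report the outcome."""
    ii = Identity(two_level, {"old-phone": LOW, "laptop": LOW, "recovery-phrase": HIGH})
    attacker = {"old-phone", "attacker-key"}
    try:
        ii.add("old-phone", "attacker-key", HIGH)
    except PermissionError:
        ii.add("old-phone", "attacker-key", LOW)  # two-level: only a low key
    for name in [n for n in ii.devices if n not in attacker]:
        try:
            ii.remove("old-phone", name)  # attacker tries to lock the owner out
        except PermissionError:
            pass  # a high device survives a low-level attacker
    survivors = [n for n in ii.devices if n not in attacker]
    if not survivors:  # flat design: complete takeover, owner is locked out
        return {"recovered": False, "remaining": sorted(ii.devices)}
    for name in attacker:  # owner evicts the attacker from a surviving device
        ii.remove(survivors[0], name)
    return {"recovered": True, "remaining": sorted(ii.devices)}
```

In the two-level run the owner keeps control but is left with the single high-level recovery phrase, which is exactly why point 3 calls for more than one device on the higher level.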