Internet Identity Lack Of Security

It’s all about incentives. If you can prefund your disaster recovery so that every time a disaster recovery drill occurs, you provide, say, 1 ICP to each successful participant. That might provide enough incentive?

My wish is that Dfinity create a security team who would develop a strong security system for the NNS. The NNS manages billions of $. No one who steals your seed or your Yubikey should be able to add and delete your devices so easily. We should have warnings, 2FA if not 3FA, confirmation on another device, etc.
And then, should develop a self recovery system where only the creator should be able to recover.
No voting or human should be involved.
And also plan a system for your family to have access if you have a fatal accident.
The Dfinity team are the best creators I have seen so far. It should not be very difficult for these professionals to figure out an innovative way to have the best secure system over all others.
Unfortunately, right now, I feel my Kraken account and my regular bank account are much more secure than my NNS account. This can be changed.
IC is a newborn, so is the NNS. Time will make it grow. We have no choice if we want mass adoption.

8 Likes

When I started using Yubikey last June, I was prompted for my Yubikey PIN every time I wanted to log in to my NNS, which I loved. Then, after an NNS upgrade, it stopped asking for my PIN. Was it only a coincidence or a change in the upgrade?

Thanks for the research! This got me curious and I asked around for reasons why this might have been disabled. I think this is where it was disabled, and explains why: Discourage user verification by Dfinity-Bjoern · Pull Request #311 · dfinity/internet-identity · GitHub

So yes, we can have this back, it’s just that (right now) it’s not very useful. To sum up the description: if someone steals your Yubikey, they can pretend to be the Internet Identity webapp and request an authentication without UserVerification, then forward that to the canister. Since the Internet Identity backend/canister doesn’t check for that flag, it doesn’t really help. The “only” case where it helps is if the hacker has only limited capabilities, i.e. if the hacker only tries to log in via the web frontend.

I am guessing this is still something though; alternatively we could also make the changes in the backend to actually check that the Yubikey/FIDO2 device was used with UserVerification set to preferred.

1 Like
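The flag the post above refers to lives in the authenticator data that every WebAuthn assertion carries: a 32-byte RP ID hash, one flags byte (UP = user present, bit 0; UV = user verified, bit 2) and a 4-byte signature counter. Whether the backend enforces UV is a server-side decision, and a client asking for `userVerification: "discouraged"` simply yields an assertion without that bit. The block below is an added example, not code from the Internet Identity canister or the PR: it parses the header and applies the "UV required" policy so the backend, not the frontend, decides. Signature verification over the authenticator data is assumed to happen elsewhere, the sample authenticator data is constructed (not captured from a real key), and the names are this example's own.

```rust
// Added example (not Internet Identity's own code): enforcing the WebAuthn
// "user verified" (UV) flag on the backend instead of trusting the client.
//
// authenticatorData layout (first 37 bytes, WebAuthn spec section 6.1):
//   rpIdHash: 32 bytes | flags: 1 byte | signCount: 4 bytes big-endian
// Signature verification over authData || SHA-256(clientDataJSON) is assumed
// to be done elsewhere; this only covers the flag policy.

pub const FLAG_UP: u8 = 0x01; // user present (touched the key)
pub const FLAG_UV: u8 = 0x04; // user verified (PIN or biometric on the authenticator)

#[derive(Debug, PartialEq, Eq)]
pub struct AuthDataHeader {
    pub rp_id_hash: [u8; 32],
    pub flags: u8,
    pub sign_count: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum UvCheck {
    Accepted,
    TooShort,
    UserNotPresent,
    UserNotVerified,
}

/// Parse the fixed-size header every assertion must carry.
/// Returns None if the buffer is shorter than 37 bytes.
pub fn parse_auth_data(auth_data: &[u8]) -> Option<AuthDataHeader> {
    if auth_data.len() < 37 {
        return None;
    }
    let mut rp_id_hash = [0u8; 32];
    rp_id_hash.copy_from_slice(&auth_data[..32]);
    let flags = auth_data[32];
    let sign_count = u32::from_be_bytes([auth_data[33], auth_data[34], auth_data[35], auth_data[36]]);
    Some(AuthDataHeader { rp_id_hash, flags, sign_count })
}

/// Server-side policy: UP must always be set; UV must be set whenever the
/// relying party requires it. An assertion produced with userVerification
/// "discouraged" lacks UV, and this check is what makes the backend reject it.
pub fn check_user_verification(auth_data: &[u8], require_uv: bool) -> UvCheck {
    let header = match parse_auth_data(auth_data) {
        Some(h) => h,
        None => return UvCheck::TooShort,
    };
    if (header.flags & FLAG_UP) == 0 {
        return UvCheck::UserNotPresent;
    }
    if require_uv && (header.flags & FLAG_UV) == 0 {
        return UvCheck::UserNotVerified;
    }
    UvCheck::Accepted
}

/// Constructed sample authenticatorData (not captured from a real key):
/// a dummy rpIdHash, the given flags byte, and a signature counter of 7.
pub fn sample_auth_data(flags: u8) -> Vec<u8> {
    let mut data = vec![0x11u8; 32];
    data.push(flags);
    data.extend_from_slice(&7u32.to_be_bytes());
    data
}

fn main() {
    let with_uv = sample_auth_data(FLAG_UP | FLAG_UV);
    let without_uv = sample_auth_data(FLAG_UP);
    println!("UV set, UV required:   {:?}", check_user_verification(&with_uv, true));
    println!("UV unset, UV required: {:?}", check_user_verification(&without_uv, true));
    println!("UV unset, UV optional: {:?}", check_user_verification(&without_uv, false));
}
```

With `require_uv` set, the second call is rejected with `UserNotVerified` even though the key was touched; with it cleared, the same assertion is accepted, which is the "not very useful" situation the post describes when only the frontend asks for verification. A real check would also compare `rp_id_hash` against the SHA-256 of the expected RP ID and verify the signature before the flags mean anything.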

Trying to clarify things, mostly for myself; there’s also a great summary here by @LightningLad91 and a great comment by @timo here.

If I understand correctly, this is the OP’s original problem: if any of your devices gets compromised, then the hijacker can replace all your devices (including seedphrase) locking you out completely. @Roman you also mention that, according to you, getting your account hijacked temporarily is not a “big” problem since all your ICPs are staked in neurons, and being able to recover your account using the seedphrase means recovering your neurons.

The idea proposed here is to make sure your seedphrase either cannot be removed at all, or cannot be removed without the user first entering it. This means that as long as you know your seedphrase, you can always log in.

There are some issues with this approach (some that have been mentioned above):

  • What if you forget your seedphrase? Then you are stuck with a seedphrase which you cannot change. What are the consequences of this, especially if it was ever leaked?
  • What if you don’t trust seedphrases (someone mentioned that characters appearing on a screen is not very secure)? Then don’t use seedphrases! And this issue doesn’t really affect you.
  • What if the attacker keeps adding new devices, faster than you can remove them? That’s something I would be worried about. If the attacker has the means and knowledge to hijack one of your devices, they can do many things to always have a way in.
  • Right now, the backend doesn’t differentiate between recovery devices and … regular devices, meaning the attacker could (for instance using dfx canister call ...) add another seedphrase that the legitimate account owner could never change.

Furthermore there are some points I want to clarify:

  1. IANAC – I’m no cryptographer but I think that “seed” phrase is a bit of a misnomer. As others have pointed out above, most blockchains must have immutable seed phrases, which are unique for a wallet. This is not the case for II, where “seed” phrases are just another device (although the webapp treats them somewhat differently). To convince yourself, create an anchor, add a “seed” phrase, remove the “seed” phrase, and add a “seed” phrase. The second one is different from the first one.

  2. Internet Identity is not a wallet. Its goal is to be an authentication mechanism for the IC. Because it is flexible it can be made very secure (see below) but at the end of the day (as Timo mentioned above) it is only as weak as the weakest link in the (device) chain.

  3. You probably shouldn’t use the same identity for your 30k staked tokens and for dscvr/distrkit/openchat. In one case (the staked tokens) you’ll want something that’s ironclad, probably with one or two hardware devices (like a ledger or yubikey) and absolutely 0 iPhone/iPad/Android devices. Those one or two hardware devices will be put in cold storage and you’ll use them every n years when your neurons dissolve. The other identity is one you use for social accounts, etc, that is stored on your day-to-day devices (iPhone, etc). Anchors are cheap, why not have many? You (hopefully) don’t use the same login (mechanism) for your e-banking and for Spotify, probably best to do the same on the IC.

  4. It was mentioned that using a Yubikey/FIDO2 device with II is 2FA; as far as I understand it isn’t. Two-factor authentication is when you have two factors, typically a password and a yubikey. In II’s case, the yubikey is the only authentication thingy you use, since there is no password, making this not-2FA. This is actually one-over-two factor authentication (or one-over-multiple FA…).

Maybe the problem here is better solved with best practices and documentation? Maybe we should have a page somewhere explaining the limitations of II as it is today, warn about pitfalls, and suggest workflows like splitting your IC presence between several anchors with varying security?

There’s also some confusion that keeps being brought up about the relationship between recovery devices and regular devices. They are treated kinda the same but still differently in the webapp, and kinda the same but still differently in the backend canister. This should be clarified, and we’re revisiting the UX a bit at the moment, but suggestions are welcome!

6 Likes

Dear @nmattia, thank you for your wise answer. I will answer following your points’ order:

@Roman you also mention that, according to you, getting your account hijacked temporarily is not a “big” problem since all your ICPs are staked in neurons, and being able to recover your account using the seedphrase means recovering your neurons.

I don’t say that it is not a big problem, but a problem less big than the current problem of seeing one’s identity and neuron lost forever. This is just a “moindre mal” (a lesser evil).

What if you forget your seedphrase? Then you are stuck with a seedphrase which you cannot change. What are the consequences of this, especially if it was ever leaked?

Let me ask you, what if someone forgets his Ledger hardware wallet seedphrase or any other immutable seed phrase? Answer: this someone loses everything, and that is why Ledger, etc. frequently remind you to be so cautious with this seedphrase. But despite this risk, they don’t choose a mutable seedphrase, because with mutability comes insecurity. I can assure you that no whale would buy a Ledger if it had the same seedphrase mutability as ICP to protect the forgetters. In summary, currently, the most cautious or responsible ones have to pay by taking all the risks in order to allow those who forget or lose their seed phrases a way to recover. But with this, the whole security falls for everyone.

What if you don’t trust seedphrases (someone mentioned that characters appearing on a screen is not very secure)? Then don’t use seedphrases! And this issue doesn’t really affect you.

I am ok with this point, but this is quite a minimal risk compared to the current situation, and if one doesn’t use a seedphrase, one uses:

  • either a Yubikey or Ledger FIDO (U2F), which is inadequate for fluid use of the ICP ecosystem on an iPhone or even on a desktop without having to connect a hardware device every time before going to stream, on socials like distrikt, etc.
  • or a device using biometrics, so easily compromised; then every person with an amount that they won’t want to risk – whatever the amount (it can be 100k for a whale, but also $50 for someone with low income) – won’t use ICP sooner or later, because of:
    1. the fear of losing everything after a simple hijack or a phone/computer theft/loss
    2. the lack of fluidity of having to use a Yubikey/FIDO device all the time.

What if the attacker keeps adding new devices, faster than you can remove them? That’s something I would be worried about. If the attacker has the means and knowledge to hijack one of your devices, they can do many things to always have a way in.

Not if re-entering your seedphrase is accompanied by the question: “do you want to disconnect all your currently connected devices?” Like Facebook or Apple do after a password reset: they give the opportunity to disconnect all devices at once. But, still, even if this possibility were not implemented, and assuming the situation you think about, this situation is very rare, even exceptional, whereas the current system implies an important probability of losing everything without any opportunity to take control back, and my approach gives the opportunity to take control back in the majority of cases. It is a matter of probability: but your way of arguing is like saying “the car seatbelt is not a solution, because in some rare cases it can decapitate you during an accident, so don’t install any seatbelt in any car”. But thinking about the fact that your mother could have been killed by the seatbelt in the accident in which she just died is not enough to forget that she was not using the seatbelt when she had the accident and that she would have had better chances if she had used it. In our case: once having been hijacked forever and our neurons lost forever, the thought that the attacker would maybe have added devices faster than me would not help to accept the current system in the case where I would be hijacked forever, because that situation is too rare. It is not about finding the perfect solution, but about quickly limiting the current high probabilities of failure.

So I agree with you, the main risk is to have one’s seedphrase stolen, but the risk already exists and currently, if one’s seedphrase is stolen, one’s neuron too, and forever, whereas not with my approach.

Right now, the backend doesn’t differentiate between recovery devices and … regular devices, meaning the attacker could (for instance using dfx canister call ... ) add another seedphrase that the legitimate account owner could never change.

  • This is in your hands :wink:

  1. Agree
  2. Agree
  3. Dfinity MUST NOT argue that people just have to create several identities to solve the problem. One of the main “marketing” and attractive points of the Internet Computer is: having now the possibility of not manipulating several accounts. Still: let us assume someone creates one identity only for staking, like me, it will never be totally quiet: the scare of being hacked will already be here with the current system, because of the previous points. Plus, let us assume I create an identity just to chill on the web, here is the problem: almost every NFT ICP project is developing an “Engage-To-Earn” authentically allowed for the first time by the on-chain technology, so people will use their “casual” identity to engage, and generate NFTs, rewards, etc. and eventually will be scared of losing this “casual identity” too because of all their accumulated rewards, and if in order to protect their rewards, they send a lot of rewards to their first identity, the “wallet” identity, they will be even more scared about losing this identity dedicated to staking, but they will also lose a lot of percentages of rewards, because the more you have, the more rewards you earn. Simply think of someone having 1000 ICP: this someone creates 2 identities in order to have 2 neurons with 500 each; his yield will be so much lower. So, let us keep the “one identity” marketing, because without this, ICP is far less interesting. And the day a blockchain appears with the one-chain technology and better security, ICP is done. I can even tell you that I know of projects being developed with the aim of avoiding this potential lack of ICP identity unity (if the unity of Internet Identity is eventually forsaken). Let us not forget that concurrency is everywhere, and that identity will be a battlefield for blockchains.

@LightningLad91 @mparikh @lastmjs I’ll let you complete or reformulate!

1 Like

I think there is a major misunderstanding here. The II was not meant to be used for holding stake in the amounts that are thrown around here. It is not about having one II or two different ones. You simply don’t use II at all for these kind of amounts.

II is a convenience feature for everyday use. It is not a security feature for long-term storage.

II is and remains a “software wallet” no matter how you use it, even if you use it with a Yubikey and even if your FIDO device is PIN protected. When you connect a FIDO device it is only used once to sign the browser’s session keys. After that all interaction is initiated and signed by the browser alone. Hence II is only as secure as your browser, regardless of how secure your phrase, biometric sensor or Yubikey is. You cannot entrust significant value to this environment.

The only safe ways to hold significant value are with an air-gapped computer and the proper tools such as quill, or with a Ledger Nano connected to the NNS dapp as a hardware wallet. In the latter case every single transaction gets confirmed on the hardware wallet’s display and signed inside the hardware wallet. The browser is then untrusted. There is no II at play with the hardware wallet.

Using a hardware wallet is different from using a FIDO device to log into your II. The former is a true hardware solution, the latter is still essentially a software wallet. The two are not to be confused.

I think because of this misunderstanding the discussion is getting derailed. Whales don’t ask if they can have one or two IIs. Whales don’t use II for storing value.

I am not saying that II can’t be improved or that the discussion here doesn’t have value. I am just saying we are getting derailed if we’re discussing using II for long-term/cold/high value staking or storage.

2 Likes

I really appreciate your clarification @timo. Maybe this is the key to the problem. So, what can one do now if one already staked one’s ICP using one’s Internet Identity? I look forward to using a hardware Ledger, but things seem stuck for its integration. Is it possible to use quill retroactively, and desynchronize my neurons and my Internet Identity?

Still, it would mean that a non-developer doesn’t have a way to stake his ICP securely. In this case, every non-developer staker would have to give up staking or risk everything, and this would mean that ICP is not for mass adoption, or at least not for investor adoption. It would be reserved only for investors who are also developers. If this is the case, it’s quite a bad situation for ICP’s future, so…

1 Like

For improving the II we could discuss:

  1. creating two levels of authentication methods, higher level and lower level, and you need to be logged in with a higher level method in order to remove (i.e. delete) a lower level method. But
    a) using the higher level must be optional,
    b) the user must be able to choose which method to put on the higher level (for some it is the phrase, for others a Yubikey, etc.)
    c) it must be possible to put more than one method to the higher level if the user wants that.
    This is just like an admin vs user account in an OS. You can create multiple accounts of either type.

  2. Introducing a threshold. So that for example you need to call “delete” with two out of three authentication methods in order to be able to delete an authentication method.

6 Likes
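The two proposals above (a privileged level of authentication methods, and a k-of-n threshold on “delete”) can be expressed as a small policy check on the anchor’s device list. The block below is an added example, not code from the Internet Identity canister or from the poster: it models an anchor as a list of devices with a level and applies assumed rules that make the proposal concrete. The rules, the type and function names, and the constructed sample anchor are all this example’s own: an approver is a device the current session was authenticated with; at least `threshold` distinct approvers are needed; if the anchor has any higher-level device, a removal needs at least one higher-level approver (if it has none, the higher level is simply unused, per point 1a); and the last device can never be removed.

```rust
// Added example (not Internet Identity's own code): a model of privileged vs.
// regular authentication methods plus a k-of-n threshold for removing one.
// The rules below are an assumption about how the proposal could be made
// concrete, not a description of the real canister.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Level {
    Lower,  // everyday device: phone, laptop browser
    Higher, // method the user designated as privileged: phrase, Yubikey, ...
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Device {
    pub id: u32,
    pub label: &'static str,
    pub level: Level,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    NoSuchDevice,
    UnknownApprover,
    DuplicateApprover,
    ThresholdNotMet,
    InsufficientLevel,
    LastDevice,
}

pub struct Anchor {
    pub devices: Vec<Device>,
    /// How many distinct authenticated methods must approve a removal (point 2).
    pub threshold: usize,
}

impl Anchor {
    fn has_higher_level(&self) -> bool {
        self.devices.iter().any(|d| d.level == Level::Higher)
    }

    /// Remove `target`, given the ids of the devices the approving sessions
    /// were authenticated with. Every approver must be a registered device
    /// listed once; `threshold` distinct approvers are required; if any
    /// Higher device exists, one approver must be Higher (point 1); the last
    /// remaining device is never removable.
    pub fn remove_device(&mut self, approvers: &[u32], target: u32) -> Result<(), RemoveError> {
        let target_idx = self
            .devices
            .iter()
            .position(|d| d.id == target)
            .ok_or(RemoveError::NoSuchDevice)?;
        if self.devices.len() == 1 {
            return Err(RemoveError::LastDevice);
        }
        let mut seen: Vec<u32> = Vec::new();
        let mut higher_approver = false;
        for &id in approvers {
            let dev = self.devices.iter().find(|d| d.id == id).ok_or(RemoveError::UnknownApprover)?;
            if seen.contains(&id) {
                return Err(RemoveError::DuplicateApprover);
            }
            seen.push(id);
            if dev.level == Level::Higher {
                higher_approver = true;
            }
        }
        if seen.len() < self.threshold {
            return Err(RemoveError::ThresholdNotMet);
        }
        if self.has_higher_level() && !higher_approver {
            return Err(RemoveError::InsufficientLevel);
        }
        self.devices.remove(target_idx);
        Ok(())
    }
}

/// Constructed sample anchor: one privileged recovery phrase, two everyday devices.
pub fn sample_anchor(threshold: usize) -> Anchor {
    Anchor {
        devices: vec![
            Device { id: 1, label: "recovery phrase", level: Level::Higher },
            Device { id: 2, label: "phone", level: Level::Lower },
            Device { id: 3, label: "laptop", level: Level::Lower },
        ],
        threshold,
    }
}

fn main() {
    // The thread's scenario: a compromised phone (id 2) tries to delete the laptop (id 3).
    let mut a = sample_anchor(1);
    println!("phone removes laptop:    {:?}", a.remove_device(&[2], 3));
    println!("phrase removes laptop:   {:?}", a.remove_device(&[1], 3));
    let mut b = sample_anchor(2);
    println!("phrase alone, 2-of-3:    {:?}", b.remove_device(&[1], 2));
    println!("phrase + laptop, 2-of-3: {:?}", b.remove_device(&[1, 3], 2));
}
```

Under these rules a hijacked everyday device can no longer delete the recovery phrase or the other devices on its own, which is the lock-out scenario the thread opened with; with `threshold` set to 2, even the phrase holder needs a second authenticated method to remove anything. Adding devices is deliberately left unchanged here, so the “attacker keeps adding devices” case discussed earlier would need its own rule.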

No, if you have staked with II then you can’t change that. Maybe a future upgrade to the NNS will allow changing the controller of neurons. If that happened then you could change it. But I don’t know when or if that will ever happen. The reason that the neuron controller cannot be changed is so that neurons can’t be sold. That’s something the community has to decide if it wants to continue to prevent the sale of neurons and how. If someone comes up with mechanisms that allow to change the controller of a neuron while at the same time preventing a sale then changing the controller can be allowed.

Anyway, to your question what to do now in the short term. If you already have staked a significant amount with II then I would suggest the following:

Take a dedicated laptop for managing your neurons. Here, “managing” means changing dissolve delays, dissolving, disbursing, spawning. Those actions should happen infrequently. “Managing” does not mean voting. For voting you can configure a hotkey and you can vote from your everyday phone/laptop. The dedicated laptop can be old. If it is so old that it does not have a biometric sensor then you can use a Yubikey with it or you can type in the recovery phrase every time you need to manage your neurons. What is important is that you don’t use the dedicated laptop for anything else than opening a browser and going to nns.ic0.app. That way you can get almost as secure as with quill or a hardware wallet. The more you restrict the laptop the better. The security is gradual. You could for example, configure a dedicated Wifi network in your router and let that dedicated laptop be the only device connected to it, so that your dedicated laptop and your everyday devices don’t share the same Wifi, etc.

This unfortunately also means creating a second II for everyday use. Don’t log in with the II that controls the neurons on any devices other than your dedicated laptop.

You can configure your second II for everyday use as the hotkey of the neurons. That way you can vote and monitor from your everyday devices.

In the medium term, you should request the feature to allow hotkeys for the “merge maturity” action. I understand that is the main reason why people want to manage their neurons frequently. Some people are merging daily. The easiest answer to that would be to allow hotkeys to trigger the merging. Or, alternatively, an auto-merge feature that you only have to enable once would also work. I think auto-merge is already being worked on.

In the medium term you can also push for improvements to the II that you started with. But please understand that over the dedicated laptop it will be a relatively small security gain.

4 Likes

That’s an understatement :slight_smile:

There’s nothing inherently wrong with the way II works right now. It uses some new tech (webauthn), it supports fido keys and it’s pretty good with protecting a user’s privacy (maybe a bit too good at that). There’s no “lack of security” here.

What people seem to misunderstand is that no amount of code and hand-holding features will fix bad OPSEC. All the hypotheticals that people used in this thread can be addressed by sane OPSEC: Don’t use the same account for both staking a gazillion ICP and for playing hold’em. Don’t add random insecure devices to your II that maintains said gazillion ICPs. Use live distros. Use airgapped systems, etc.

4 Likes

So, to avoid risk (still not totally), people have not only to create another II, but also to buy a dedicated computer, etc. In summary, even casually holding or staking and interacting with the NNS becomes “Mission: Impossible”. Conclusion: it is clearly not designed for mass adoption. I wish I knew this before investing…

If any newcomer wanting to enthusiastically invest in ICP had to read the methodology you gave, as rigorous and wise as it is, it would make him immediately reluctant to invest in ICP and flee to invest in a safer and simpler blockchain that allows staking.

I think this only way for a non-developer investor to act safely, which you rationally described, would disgust any enthusiastic investor.

Thanks a lot for this long and patient methodology description !

I think about this a little differently.

  1. If I have 100x of value, I would use a safer mechanism to store. (Just like I wouldn’t store ALL of my net worth in a physical wallet).

  2. I am ok with carrying around 1x of 100x with the potential of knowing and accepting the risk that I may lose 1x against not able to spend any value at all.

On the existing investment front, I believe that there’s a mechanism to transfer the management of a neuron to follow another neuron; even one created with the NNS dapp in II. If the followee is created through an airgapped computer, then I THINK that’s a path to secure existing investment. @timo might this work?

The project has lots of problems, but the II is not one of them.

The more I read your posts, the more I’m convinced you are a troll. You seem to ignore what’s being explained to you by security professionals, you seem to constantly move the goalposts, you find the most convenient edge cases and the most absurd what-ifs. You are not looking for a discussion, you seem to have a pre-made point and you want to drive it home.

The title, your responses, they all read “TROLL” … As an old forum adage went, “please don’t feed the trolls”…

1 Like

Are you serious? :smiley: Mate, are you new here? If you have never seen my name since the genesis, there is an issue. I’ll let the socials tell you if I am a troll. But if you say so… Do you have Twitter at least, do you read the forum or Telegram channels? Best joke of the year. Do you know ICPMaximalist at least?

I don’t think @Roman is being a troll at all. I think he is expressing dissatisfaction with II.

I completely understand your points on OPSEC and I don’t disagree. To be honest I should have done more due diligence with how II works before I staked so much at Genesis.

But, I do agree with @Roman that telling people now, 6 months later to not stake large amounts of ICP with an NNS account that relies on II authentication is an oversight (unless I missed something in the original documentation warning against this). Especially since there was no other choice.

Edit: To be fair I guess the CLI has always existed. But that is not something I would have expected an every day user to figure out.

4 Likes

Again, you have a better formulation than me to express my opinion.

Friend, I say this with absolute candor and no ill intentions: I don’t care who you are, what your twitter is, or how much social clout you have. In this thread, this topic alone, your posts, the words you choose and the replies you type make you sound like a troll. If your intentions are indeed good, you should take a breather and rethink your approach.

I stand by my words:

The title is misleading at best. There is no inherent lack of security in the II.
The replies are constantly moving the goalposts.
Your edge cases are contrived.
Every “bad security” example you gave somehow implies that PHYSICAL security is compromised. There are few security solutions that would ever work in such a situation, and most of them hint towards what’s already been offered: live distros, airgapped systems.

I don’t intend to further this line with you. I am but a dev that wants to see this project succeed, and I have no intention of fighting with you. Just wanted to let you know that your approach is counterproductive, misleading and at the end of the day it makes you sound like a troll. shrug

2 Likes

I don’t believe that @Roman is a troll, either. If I look at his concerns, it’s about how to safeguard his investments.

What is large or not depends on context…

Put this in a different context: 10 ICP may not mean much to some. But for others, that’s a LOT of money (perhaps ONE month’s worth of work). If II is NOT workable for those with “little” investment, how will we EVER get the masses to stake their coins on the NNS?

I believe that this post has been a HUGE learning experience for me, personally.

4 Likes

You are right my good friend, I am a troll, I am meaningless and nobody. I won’t talk anymore on the forum. Like this, you won’t have to suffer anymore of my trolling.

1 Like