Internet Identity Lack Of Security

I have been using Ledger Nano since last June.
There is no automatic merging, so I need to go into my account every day to merge.
I am starting the dedicated computer as of today.
Will wait for the automatic merging and then will proceed exactly as you recommend.
Thanks for all the clarity and explanations.
And happy to hear security improvements, especially for adding and removing devices, are in the plan.

2 Likes

I love this idea for a recovery device (not necessarily seed phrase), that cannot be removed.
Make it optional.
The initial NNS creator would always be able to recover.
Nano Ledger would be great for recovery device.

3 Likes

Yes, that is true. You would lose your profile in those other dapps. That’s unfortunately unavoidable. Unless, of course, the dapp in question offers a way to change the principal associated with your username. That functionality does not seem far-fetched and might become common. We are asking the same thing of the NNS dapp when we ask that the neuron controller can be changed (the neuron id is the username here).

1 Like

Understood. Agree that it is a nice feature.

2 Likes

I really appreciate your candidness. It is unfortunate though.

I still have concerns about using II even for non-NNS applications. Given what we’ve learned today, why would I use II to log in to InfinitySwap, Sonic, OpenChat, or any other app that could store value? Do I need to have a dedicated laptop for each of those applications?

I really don’t mean to beat a dead horse; and I apologize if I come off like I’m just complaining for the sake of it. I just had a really high opinion of II until today. If your recommendation is that I set up a different anchor for each application that I value (whether it be financial or personal) it just seems like it defeats the point of what II was supposed to fix? Perhaps that is on me and my misunderstanding.

I appreciate you taking all of this time to explain. It’s been very enlightening and has given me a lot to consider.

3 Likes

Let’s make some analogies before you ditch II entirely :grinning:. How much money would you store in or access through MetaMask, MEW, etc. (without connecting a hardware wallet to them)? About the same you can store in II. Both depend on browser security. If the browser/OS is compromised then you can lose funds.

The point I made is that II is a software wallet. Software wallets have the advantage that they can store key material and you don’t have to confirm every single interaction on an external device and display. But if the browser/OS is compromised then the key material is at risk. Hardware wallets protect against that at the cost of having to approve every single interaction on an external device and display. Fundamentally there are only these two options, software wallet or hardware wallet and it is up to the user’s judgement to make the trade off.

Here, to illustrate, “browser compromised” means for example that your browser can swap out a URL under the hood and display a green padlock when there shouldn’t be one.

Now, in some further detail, II actually tries to improve over wallets like MetaMask. Where those wallets store key material permanently on disk (at least encrypted), II doesn’t. II only creates session keys that are valid for 30 min. The permanent keys are inside the biometric sensor or Yubikey. That is an improvement because it shortens the attack window for certain attacks.

7 Likes
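To make the session-key point from the post above concrete, here is an added toy model; it is not Internet Identity's own code, and the HMAC "signature", the key names and the sample timestamps are assumptions for illustration. Only the 30-minute validity window comes from the thread. The model shows why a short-lived delegated key limits exposure: a session key leaked from a compromised browser is only usable until its delegation expires, and a delegation not signed by an enrolled device (or one whose expiry has been tampered with) is rejected.

```python
import hashlib
import hmac

# The thread states that II session keys are valid for 30 minutes.
SESSION_TTL_SECONDS = 30 * 60


def _toy_sign(device_secret: bytes, message: bytes) -> bytes:
    """Stand-in for the authenticator's signature.

    A real device (biometric sensor, Yubikey) would produce an asymmetric
    signature; HMAC-SHA256 is used here only so the example runs with the
    standard library. This is an assumption, not II's actual scheme.
    """
    return hmac.new(device_secret, message, hashlib.sha256).digest()


def _delegation_message(session_pubkey: bytes, expires: int) -> bytes:
    # Bind the session key to its expiry so neither can be swapped independently.
    return session_pubkey + expires.to_bytes(8, "big")


def issue_delegation(device_secret: bytes, session_pubkey: bytes, now: int,
                     ttl: int = SESSION_TTL_SECONDS) -> dict:
    """The permanent device key signs a short-lived delegation to a fresh session key."""
    expires = now + ttl
    return {
        "session_pubkey": session_pubkey,
        "expires": expires,
        "signature": _toy_sign(device_secret, _delegation_message(session_pubkey, expires)),
    }


def verify_delegation(enrolled_device_secrets: list, delegation: dict, now: int) -> tuple:
    """Accept only unexpired delegations signed by a device enrolled on the anchor."""
    if now >= delegation["expires"]:
        return (False, "expired")
    message = _delegation_message(delegation["session_pubkey"], delegation["expires"])
    for secret in enrolled_device_secrets:
        expected = _toy_sign(secret, message)
        if hmac.compare_digest(expected, delegation["signature"]):
            return (True, "ok")
    return (False, "not signed by an enrolled device")


def seconds_of_exposure(delegation: dict, leaked_at: int) -> int:
    """How long a session key leaked at `leaked_at` stays usable: at most the remaining TTL."""
    return max(0, delegation["expires"] - leaked_at)


if __name__ == "__main__":
    device = b"constructed-device-secret"  # constructed sample value, not a real key
    d = issue_delegation(device, b"session-pubkey-1", now=1_000)
    print(verify_delegation([device], d, now=1_500))  # (True, 'ok')
    print(verify_delegation([device], d, now=2_800))  # (False, 'expired')
    print(seconds_of_exposure(d, leaked_at=1_600))    # 1200
```

The contrast with a permanently stored wallet key is the `seconds_of_exposure` figure: for a key on disk it is unbounded, for a delegated session key it is capped by whatever remains of the 30 minutes, and renewing it requires the physical authenticator again.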

Well, I have my cold wallet Ledger Nano installed in MetaMask and if MetaMask is compromised, they cannot remove any of my assets without my Ledger device. Since the seed phrase for MetaMask is fixed, I would always have access or can simply delete it and install my cold wallet in another wallet.
Also, my Ledger Nano seed phrase has never come up on my screen.
Technically I understand your point but it is quite different to me.
And NOOOO, I will not ditch my NNS :grin:

1 Like

Completely agree. I love II for all those reasons.

But the thought of being put into a non-recoverable state because I made a human error (I think we can all empathize) with one of my devices is just very scary. Especially when that II could gate access to my family photos, personal records, financial records, or any other valuable data.

1 Like

Wow, there is so much information in this thread. I previously thought I understood, but now I suspect I have a knowledge gap regarding security of my accounts. I will need to reread this thread again several times and consider changing my strategy. I would very much prefer for it to be relatively simple to address these issues.

I have felt pretty secure with my single Internet Identity, multiple devices (iPhone, iPad, Windows Hello, 2x Yubikey), and backup seed phrase. I do know that anyone with access to any one of my devices can add their device, delete my devices, and delete my recovery method. Knowing this, I also had the attitude of “not your keys, not your crypto” in regards to maintaining access to these devices. In other words, I absolutely must keep the devices protected, locked, and only accessible by me (except leaving explicit instructions for my family in case something happens to me).

While I still think the “not your keys, not your crypto” mantra applies to a large extent, this is probably an oversimplification. I have much to learn. There are so many concepts in this thread that are not familiar to me at this time.

Again, I would prefer a much simpler method of making sure others cannot take over my internet identity and accounts. I support identification and implementation of better recovery methods.

@Roman please note that I edited this post so hopefully it better explains what I was trying to say.

3 Likes

You can use Yubikeys with smartphones.

With all due respect, can you explain to me why you have a “Not your keys, not your cryptos” attitude? What is the logic behind this? What if you forget your home key at the restaurant? Someone finds it, kicks your family out of your home and moves in. He then tells you: “Not your keys, not your home”. Isn’t crypto a real asset like your home? Why would it be different? This thinking has always been so strange to me. Maybe this is why the crypto world is laid back on security. I will work hard to make this attitude change. Crypto is too important. Mass adoption will never happen until security and proof of ownership are taken seriously by the crypto community. This is something where decentralization and crypto are way behind the traditional system.
Security and lack of proof of ownership is the biggest problem in getting more “normal” people to get in and stake, not the reward distribution IMO. How many friends and family members do you recommend to buy ICP and stake in the NNS? How would you feel if you recommended someone and that person loses his key, loses control of his NNS, and thus loses his crypto? Would you tell that friend or family member “Not your key, not your crypto”?
With some added security and proof of ownership, I would recommend it. But now, I would never recommend it to anyone.

1 Like

I fully agree with you. The only reason I have adopted that attitude is because I know that someone can delete my devices and recovery if they gain access to any one device. It’s the only defense I knew about previously (before learning about some more complicated mechanisms in this thread). It’s not a great solution and I agree that easier mechanisms for recovery are needed to achieve mass adoption.

1 Like

The vast majority of my crypto investment is through ETFs (BTC & ETH). I have to pay a small annual fee and lose all the DeFi and staking income. But this is the price I have to pay for security. The first crypto that will guarantee ownership (maybe with NFTs), that will make sure that people cannot lose their account or can recover it, will succeed big time. Promoting full security in crypto would be the biggest thing IMO. I know Dfinity have a lot on their plate but I hope Dfinity will get it and will be the first one to get there as soon as possible. They have the skill, the money and the creativity to be the first one.
If security and recovery of accounts were a priority for IC, I would have less ETH and much more ICP because I believe much more in the future of ICP than ETH.

5 Likes

The problem I’m facing is that II isn’t just about Tokens. I can accept the added precaution of using a separate identity anchor/device for protecting my crypto.

But II is used to gain access to other applications like social media accounts, file storage, etc. These are the types of accounts that do have to be accessed on a daily basis. Meaning the devices I use to access these accounts can’t just be put in cold storage all the time. These are also the types of accounts I would like to recover in the event that one of my devices is compromised.

Edit: I don’t think it’s appropriate to ask each application to provide an account recovery method. I only say that because how would it work in a decentralized world? Let’s take Distrikt for example; when Distrikt becomes an open internet service who is going to have the authority to move my account to a new Principal ID? Is a user expected to submit a proposal and petition the entire community to approve their request? That seems like it would be very unpopular. Especially since a loss of my II would require me to make that same proposal across each service I’ve registered with.

5 Likes

Given that no one is seriously contesting the above statement (most are in agreement), my situation is that ALL of my neurons have been created using the NNS DAPP and thereby, by extension, with Internet Identity. Further, the consensus is that an air-gapped system is best for this management.

I am therefore hyper-focused on how to move the day-to-day management of my neurons (currently mostly merging maturity at 100% and perhaps in the future spawning) to an air-gapped system (quill et al) from using the NNS DAPP. I am happy to report that some progress has been made on a system that “authorizes” an air-gapped neuron to manage the nns-dapp neuron. I am now focused on the UX because I will be using this system for the foreseeable future without, hopefully, EVER logging into the NNS DAPP for the management of staked neurons. I am grateful for the work and guidance on the idea provided by @skilesare. Will post on a separate topic on approach and progress.

I also understand that using live distros, as suggested by others in this topic, may work well for most people. However that solution, to me, seemed incomplete because in it we still use the Internet Identity to manage a significant store of value.

I also realize that there are many more issues with Internet Identity that need to be sorted out, which have been pointed out in this topic. However, it was important for me to decide what was the most urgent and immediately actionable.

7 Likes

You can consider using a security key that has a PIN built in to increase security. A Yubikey is not so secure in my opinion, because if somebody can access the physical key, they can use it directly. This is not the case for a security key with a PIN built into the hardware: you have to enter the PIN first, before you can use the key to authorize / sign.

Security keys with a built-in PIN I use daily: Ledger Nano S & OnlyKey (crp.to)
Recovery keys: seed phrase & Yubikey (for compatibility) just stay inside my secret security box for backup, which only I can access.

No one should be able to remove devices that easily, especially recovery. One of the main features I like is locking neurons as it adds to the security of the system. However if someone can get your Yubikey, seed or whatever and lock you out, that is a big problem. There should be a timeout phase for removed recovery devices. The owner should be able to choose a time such as a week, month or year. If the user sees that a recovery key is about to be unlocked and removed, they can then take action to remedy the situation. The owner can initiate a process to recover the account. Maybe then there is an SNS social component that decides who is the real owner based on the neurons the person follows for the recovery process.

4 Likes
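The delayed-removal idea in the post above can be modelled in a few lines. The following is an added illustration, not code from Internet Identity or Dfinity; the class, method names, device labels and the one-week default delay are assumptions. It models an anchor where adding a device stays immediate but removing one only takes effect after an owner-chosen grace period, during which any still-enrolled device can see the pending removal and cancel it. The scenario function walks through the case the thread worries about: one device is in the wrong hands and is used to schedule removal of the recovery methods, and the real owner, signing in with the Yubikey a few days later, cancels those removals and instead schedules removal of the lost device.

```python
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600
DAY = 24 * 3600


@dataclass
class IdentityAnchor:
    """Minimal model of an anchor whose device removals are delayed rather than immediate."""
    devices: set
    removal_delay: int = WEEK                      # owner-chosen grace period (week/month/year)
    pending: dict = field(default_factory=dict)    # device -> time the removal becomes effective

    def add_device(self, device: str) -> None:
        # Adding stays immediate; only removal is subject to the grace period.
        self.devices.add(device)

    def request_removal(self, device: str, now: int) -> int:
        """Schedule a removal; returns the time at which it would take effect."""
        if device not in self.devices:
            raise KeyError(f"unknown device: {device}")
        effective = now + self.removal_delay
        self.pending[device] = effective
        return effective

    def cancel_removal(self, device: str) -> bool:
        """Any enrolled device can cancel a pending removal; True if one was pending."""
        return self.pending.pop(device, None) is not None

    def settle(self, now: int) -> list:
        """Apply removals whose grace period has elapsed; return the devices removed."""
        due = [dev for dev, when in self.pending.items() if now >= when]
        for dev in due:
            self.devices.discard(dev)
            del self.pending[dev]
        return due

    def can_authenticate(self, device: str, now: int) -> bool:
        self.settle(now)
        return device in self.devices

    def pending_removals(self, now: int) -> dict:
        """What an owner sees on sign-in: devices about to be removed and the seconds left."""
        return {dev: when - now for dev, when in self.pending.items() if when > now}


def lost_phone_scenario() -> dict:
    """Constructed walkthrough: one device misused on day 0, owner reacts on day 3."""
    anchor = IdentityAnchor(devices={"phone", "yubikey", "seed-phrase"})

    # Day 0: whoever holds the phone schedules removal of both recovery methods.
    anchor.request_removal("seed-phrase", now=0)
    anchor.request_removal("yubikey", now=0)

    # Day 3: the owner signs in with the Yubikey, which is still enrolled because
    # the week-long grace period has not elapsed, and sees the pending removals.
    day3 = 3 * DAY
    owner_in = anchor.can_authenticate("yubikey", day3)
    warning = anchor.pending_removals(day3)
    anchor.cancel_removal("seed-phrase")
    anchor.cancel_removal("yubikey")
    anchor.request_removal("phone", now=day3)      # evict the lost device instead

    # Day 11: the phone's removal has taken effect; the recovery methods remain.
    anchor.settle(11 * DAY)
    return {
        "owner_could_sign_in_on_day_3": owner_in,
        "warning_seen_on_day_3": warning,
        "devices": sorted(anchor.devices),
    }


if __name__ == "__main__":
    print(lost_phone_scenario())
```

With an immediate-removal policy the same sequence ends with the owner locked out on day 0; with the grace period the outcome depends on whether the owner signs in at least once before the delay runs out, which is exactly the trade-off the post describes when it suggests letting the owner pick a week, a month or a year.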

Having easy to use Trezor support wouldn’t hurt as well.

Wow. Just gave this thread a read from top to bottom, and I’m troubled with what appears to be the development community’s obtuse reaction to this valid concern (I don’t know all the players so I’m really just guessing here). “Don’t trust the II” - is that really the message we want to send? Honestly I would never have gotten involved or excited about this project if it was presented that way to me in the first place.

There is a simple solution that will increase trust in the system - Fix the II recovery mechanism (there have already been some good ideas discussed in this thread) such that it can actually recover an account that has at least one compromised key. Yes, that’s not necessary if we don’t trust the II, or if we exercise perfect security protocols - but, that’s not the point. The point is we’re trying to build a trustworthy system and that requires some level of fault tolerance. No system will be perfect, but ‘better’ is right in front of us.

6 Likes

At this point, it is NOT the messaging that matters. It is what it is, currently. To pretend otherwise is not wise, IMO. I am not trusting II CURRENTLY with my store of value because the experts are telling me NOT TO.

Also it’s NOT ALL doom and gloom. I am convinced that II is leaps and bounds beyond the standard userid/password thingy. This tool is very very powerful if wielded properly. Also alternatives (such as live distros) are perfectly reasonable for most. As some have pointed out, that alternative would likely require a physical compromise to be risky.

The above said, my personal risk tolerance with financial losses is very low (I don’t mind ups and downs in the marketplace. I do mind preventable and foreseeable losses; it hurts my ego).

That said, we are ALL looking greatly forward to making II better. As you see, there are different nuances that different folks bring into the picture and I can see their point of view. We are NOT apathetic. However as many have said, this is a long conversation.

4 Likes