Internet Identity Lack Of Security

When I started using a Yubikey last June, I was prompted for my Yubikey PIN every time I wanted to log in to my NNS, which I loved. Then, after an NNS upgrade, it stopped asking for my PIN. Was it only a coincidence or a change in the upgrade?

According to Yubico, the PIN request is controlled by the service provider (here, the NNS).
If this is the case, can we have this back?

  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers will default to setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey’s FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.

My friends @mparikh, @LightningLad91, before any complex social recovery, I think that simply making it necessary to enter the seed phrase before being able to remove it would be enough to quickly and strongly secure things. After that, we could think about more sophisticated ways of recovery, but only once secured with the most immediate and simplest solution. I fear that by proposing a more complex system, we will not adopt any security system for a long, long time. If it is not possible to make it necessary to enter the seed phrase before being able to remove it, let's make the seed phrase non-removable. But let's change something quickly!


Yes, locking the seed phrase is the very basis of securing other more complex recovery mechanisms.


So agreed, my good friend, and so happy to have finally been understood by you and @LightningLad91.


I totally disagree with a non-suppressible seed phrase. I do not use a seed phrase. Everything that appears on the screen can be recorded easily. Imagine if someone has access to your seed phrase and it is not suppressible. Then the hacker would have access to your account forever.
The seed is one-way authentication only. This is not good.
We should always have a 2FA system. Now, the only 2FA device is the Ledger Nano, which I use. So you need the Nano in your hand and need to know the PIN.
I am hoping the Yubikey can be configured to ask for the PIN as well.

1 Like

So this (prompting for the Yubikey PIN) happened for me as well. It is now no longer happening for me either.

I am trying to see what changed and how. This led me to try to do a reproducible build for internet identity as described here (Verifying the code of the Internet Identity service (a walk-through)).

I have yet to get to a current reproducible build. The build currently in production diverges. That said, this is a recent build (October time frame).

I disagree too. I would prefer suppressibility by first asking for the seed phrase. But if I have to choose between the current easy removability and non-removability, non-removability is safer!

It would imply creating another identity and transferring what you can, but it is better than seeing your neuron gone forever. But again, I am for removability with the seed phrase being asked for before any removal.

The current focus of attention is the prevention of account loss beforehand, so how does one get back in after a loss? I believe that most of the ICP in the NNS is more or less pledged inside, which has great benefits compared with other cryptocurrencies, so that victims have a chance to recover their losses; shouldn't there be a judging committee to determine the ownership of the account?

1 Like

I agree. Seems like an easy win


I believe that generally, in other projects, seed phrases are immutable. Once generated, they can always be used to recover a private key. I believe this is the case with MetaMask, and I imagine is the case for Bitcoin and Ethereum private key pairs. At the private key pair level, I don’t think it’s possible to “delete” a recovery phrase, since that phrase is mathematically designed to produce a private key.

The interesting thing about Internet Identity is that we are able to generate multiple public/private key pairs, if I understand correctly, thus we can change seed phrases. Is that how it works?

If we want to be more like other projects, having immutable seed phrases makes sense. But I imagine other projects do this because they have to, not because they choose to.

Why should the seed phrase be privileged over other authentication methods? For example, why shouldn’t you have to present the Yubikey to remove the Yubikey? Why is the seed phrase the one authentication “device” that must be presented before being removed? Can you see my logic here?

I am concerned about losing the seed phrase itself. Part of the reason (maybe the whole reason) for the II allowing multiple devices is to ensure that you don’t ever lose access to your account. So if you lose any number of devices, as long as you have one you can log back in. This of course makes it more susceptible to theft, since an attacker can remove all other devices. But what if you lose a Yubikey or your seed phrase? You’d want the power to remove those devices, wouldn’t you?

Hopefully that all makes sense, we should just consider the implications of this. The seed phrase would become even more important if we implement this change. Users would need to understand that the seed phrase can never be regenerated or recovered. And if the attacker gets the seed phrase, then they would have irrevocable power to the account.

I think adding social recovery to the seed phrase could be an elegant solution. It should be extremely difficult for an attacker to obtain a threshold of shares, and even if one were compromised the threshold could hopefully remove any individual shares.


To understand how HD (Hierarchical Deterministic) wallets work: BIP39 - Mnemonic Code

Internet Identity Specs: internet-identity/internet-identity-spec.adoc at main · dfinity/internet-identity · GitHub

Internet Identity allows you to connect using any keypair listed in your “devices” (incl. recovery mechanisms which are derived from the seed phrase).

By doing this, it generates a unique DelegationKey based on your Internet Identity Anchor and the front-end hostname ( internet-identity/internet-identity-spec.adoc at main · dfinity/internet-identity · GitHub )

I think social recovery would mean “Recovery identities” that the user assigns (before losing access), such that M-of-N would be required to add a new device (public key) to the identity, which should map to the original user;

The seed phrase for the NNS cannot be used like any other seed phrase of other systems because of the locked neurons. As an example, in other crypto wallets like MetaMask, if you have concerns or doubt that your seed phrase may have been stolen or lost, you may create a new wallet and move your crypto. But this cannot be done with ICP locked in neurons. So a permanent seed phrase could be very bad for the NNS.

I totally agree, and that is the case for example with Ledger's hardware: they tell us “save your seed phrase carefully, because if you lose it, you will lose everything” and it is up to us to be very, very careful.

But currently with ICP, just to protect against seed phrase loss, everybody is put in danger, and overall, a lot of people don't use ICP because they resign themselves to using exclusively a Yubikey or a Ledger with FIDO (U2F), but they can't use this on a phone. So this is precisely why the seed phrase is the better choice over Yubikey and FIDO, to answer your question about which device to make non-removable rather than another:
“Why should the seed phrase be privileged over other authentication methods? For example, why shouldn’t you have to present the Yubikey to remove the Yubikey?”

Answer: Yubikey and FIDO U2F are not usable with iPhone and Android, so in order to avoid any risk of having one's Identity and then neurons stolen, one never adds the phone as a device and then doesn't use ICP except once a day at 16:00 UTC to go to the NNS, and at this moment only, go for one minute to distrikt…

That is why the best solution is: removability of the seed phrase only after having entered the seed phrase in the first place. But if that is not possible, as @lastmjs seems to say, the best is to choose an immutable phrase. Because, anyway, currently, if your seed phrase is compromised, you lose your identity and your neuron forever. That is why I don't understand your opinion, because you seem to say that we could be compromised, but take control of our identity back. Currently, if you are compromised, the attacker creates another seed phrase, removes your devices, and that is it forever for you.

So, in this case (impossibility of making it necessary to enter the seed phrase in the first place before being able to remove it), an immutable seed phrase, as @lastmjs says, remains better than losing control forever as the current system implies.

Maybe set up two devices with high authority for backup?

1 Like

Almost… currently this is my thought process on social recovery…
Social recovery would mean “Recovery identities” that the user assigns (before losing access), such that M-of-N would be required to update the mnemonic with a new seed phrase replacing the old, and to communicate it to the original user.


This is the current system.

I have been using a Yubikey on my Android phone for over a year now. I’m not sure about iOS, do they have NFC or USB-C?