Internet Identity Lack Of Security

Well, and the Ledger Nano. Currently you are right, only in the Ledger’s “dev store” and waiting to be moved by Ledger to Ledger’s normal app store.


That’s my general take-away as well. At least until the Ledger app is officially released.

I’d also point out this kind of leaves existing users high and dry unless we can pass a proposal to allow a transfer of neuron control.


Improvements to the II are more than welcome. But I expect a somewhat lengthy discussion is required about how exactly. Everybody has a clear idea how it should work based on his/her own opsec. But we have to find improvements that are generic enough to help everyone. I also wouldn’t like to see features in the II that push people into a certain direction with their opsec. For example, saying your one and only phrase has to be the unchangeable root authority would do exactly that.

Let me propose a solution that requires minimal changes and let me know if that satisfies your needs. I am assuming that you already have staked in the NNS with II.

  • accept that two IIs are needed and one of them (the staking II) is only ever used in a secure environment
  • your secure environment can be a live distro
  • get a FIDO device with PIN protection (the Ledger Nano can be used as such a device with the FIDO app on it)
  • configure the staking II with two authentication methods: the FIDO device and a recovery phrase
  • configure a hotkey in the neurons pointing to your other II (the everyday II)

Now assume that maturity would either be merged automatically or could be merged with through the hotkey with the everyday II. Then:

  • monitor, vote, merge maturity with you everyday II

Would that satisfy most people’s immediate needs?

It would require quite a dedicated attacker to overcome. Most likely physical access.

I think merging the maturity in this way is obtainable faster than changes to the II.


Doesn’t this assume that people have only used their existing II for the NNS Dapp? What about people who have profiles with other apps associated with that identity anchor?

This is the problem I’m having. Sure a dedicated laptop/live distro will work. But how many of the existing users want to go through that hassle and also lose their online presence?

Edit: I think all we are looking for is a way to recover our II even if one of our authentication devices are compromised. Forget staking. Let’s say I just want to be able to recover so I don’t lose access to my accounts. Would it not be acceptable to just pick one device as a recovery device so I can do something like stick it in a safety deposit box?


I use Ledger Nano since last June.
There is no automatic merging, so I need to go in my account everyday to merge.
I am starting the dedicated computer as of today
Will wait the automatic merging and then, will proceed exactly as you recommend.
Thanks for all the clarity and explanations.
And happy to ear security improvement, especially for adding and removing devices, are in the plan.


I love this idea for a recovery device (not necessarily seed phrase), that cannot be removed.
Make it optional.
The initial NNS creator would always be able to recover.
Nano Ledger would be great for recovery device.


Yes, that is true. You would lose your profile in those other dapps. That’s unfortunately unavoidable. Unless, of course, the dapp in question offers a way to change the principal associated with your username. That functionality does not seem far fetched and might become common. We are asking the same thing of the NNS dapp when we ask that the neuron controller can be changed (the neuron id is the username here).

1 Like

Understood. Agree that it is a nice feature.


I really appreciate your candidness. It is unfortunate though.

I still have concerns about using II even for non-NNS applications. Given what we’ve learned today why would I use II to login to InfinitySwap, Sonic, OpenChat, or any other app that could store value? Do i need to have a dedicated laptop for each of those applications?

I really don’t mean to beat a dead horse; and I apologize if I come off like I’m just complaining for the sake of it. I just had a really high opinion of II until today. If your recommendation is that I set up a different anchor for each application that I value (whether it be financial or personal) it just seems like it defeats the point of what II was supposed to fix? Perhaps that is on me and my misunderstanding.

I appreciate you taking all of this time to explain. It’s been very enlightening and has given me a lot to consider.


Let’s make some analogies before you ditch II entirely :grinning:. How much money would you store in or access through MetaMask, MEW, etc. (without connecting a hardware wallet to them)? About the same you can store in II. Both depend on browser security. If the browser/OS is compromised then you can lose funds.

The point I made is that II is a software wallet. Software wallets have the advantage that they can store key material and you don’t have to confirm every single interaction on an external device and display. But if the browser/OS is compromised then the key material is at risk. Hardware wallets protect against that at the cost of having to approve every single interaction on an external device and display. Fundamentally there are only these two options, software wallet or hardware wallet and it is up to the user’s judgement to make the trade off.

Here, to illustrate, “browser compromised” means for example that your browser can swap out an URL under the hood and display a green padlock when there shouldn’t be one.

Now, in some further detail, II actually tries to improve over wallets like MetaMask. Where those wallets store key material permanently on disk (at least encrypted), II doesn’t. II only creates session keys that are valid for 30 min. The permanent keys are inside the biometric sensor or Yubikey. That is an improvement because it shortens the attack window for certain attacks.


Well, I have my cold wallet Ledger Nano installed in Metamask and if Metamask is compromised, they cannot remove any of my asset without my Ledger device. Since the seed phrase for metamask is fixed, I would always have access or can simply delete it and install my cold wallet in another wallet.
Also, my Ledger Nano seed phrase have never come up on my screen.
Technically I understand your point but quiet different to me.
And NOOOO, I will not ditch my NNS :grin:

1 Like

Completely agree. I love II for all those reasons.

But the thought of being put into a non-recoverable state because I made a human error (I think we can all empathize) with one my devices is just very scary. Especially when that II could gate access to my family photos, personal records, financial records, or any other valuable data.

1 Like

Wow, there is so much information in this thread. I previously thought I understood, but now I suspect I have a knowledge gap regarding security of my accounts. I will need to reread this thread again several times and consider changing my strategy. I would very much prefer for it to be relatively simple to address these issues.

I have felt pretty secure with my single Internet Identity, multiple devices (iPhone, iPad, windows hello, 2x yubikey), and backup seed phrase. I do know that anyone with access to any one of my devices can add their device, delete my devices, and delete my recovery method. Knowing this, I also had the attitude of “not your keys, not your crypto” in regards to maintaining access to these devices. In other words, I absolutely must keep the devices protected, locked, and only accessible by me (except leaving explicit instructions for my family in case something happens to me).

While I still think the “not your keys, not your crypto” mantra applies to a large extent, this is probably an oversimplification. I have much to learn. There are so many concepts in this thread that are not familiar to me at this time.

Again, I would prefer a much simpler method of making sure others cannot take over my internet identity and accounts. I support identification and implementation of better recovery methods.

@Roman please note that I edited this post so hopefully it better explains what I was trying to say.


You can use Yubikeys with smartphones

With all the respect, can you explain me why you have a “Not your keys, not your cryptos” attitude? What is the logic behind this? What about if your forget your home key at the restaurant. Someone find it, kick your family out of your home and move in. He then tell you: “Not your keys, not your home”. Does crypto a real asset like your home? Why would it be different? This thinking have always been so strange to me. May be this is why the crypto world is laid back on security. I will work hard to make this attitude to change. Crypto is too important. Mass adoption will never happen until security and proof of ownership is taken seriously by the crypto community. This is something decentralization and crypto is way behind the traditional system.
Security and lack of proof of ownership is the biggest problem to have more “normal” people to get in and stake, not the reward distribution TMO. How many friends and family member do you recommend to buy ICP and stake in the NNS? How would you feel if you recommend someone and that person loose his key, loose the control of his NNS, thus loose his crypto? Would you tell that friend or family member “Not your key, not your crypto”?
With some added security and proof of ownership, I would recommend. But now, I would never recommend to anyone.

1 Like

I fully agree with you. The only reason I have adopted that attitude is because I know that someone can delete my devices and recovery if they gain access to any one device. It’s the only defense I knew about previously (before learning about some more complicated mechanisms in this thread). It’s not a great solution and I agree that easier mechanisms for recovery are needed to achieve mass adoption.

1 Like

The vast majority of my crypto investment is through ETF (BTC & ETH). I have to pay a small annual fee and loose all the Defi and Staking income. But this is the price I have to pay for security. The first crypto that will guarantee ownership (may be with NFTs), who will make sure that people cannot loose their account or can recover will succeed big times. Promoting full security in crypto would be the biggest thing TMO. I know Dfinity have a lot on their plate but I hope Dfinity will get it and will be the first one to get there as soon as possible. They have the skill, the money and the creativity to be the first one.
If security and recovery of accounts was a priority for IC, I would have less ETH and much more ICP because I believe much more in the future of ICP then ETH.


The problem I’m facing is that II isn’t just about Tokens. I can accept the added precaution of using a separate identity anchor/device for protecting my crypto.

But II is used to gain access to other applications like social media accounts, file storage, etc. These are the types of accounts that do have to be accessed on a daily basis. Meaning the devices I use to access these accounts can’t just be put in cold storage all the time. These are also the types of accounts I would like to recover in the event that one of my devices are compromised.

Edit: I don’t think it’s appropriate to ask each application to provide an account recovery method. I only say that because how would it work in a decentralized world? Let’s take Distrikt for example; when Distrikt becomes an open internet service who is going to have the authority to move my account to a new Principal ID? Is a user expected to submit a proposal and petition the entire community to approve their request? That seems like it would be very unpopular. Especially since a loss of my II would require me to make that same proposal across each service I’ve registered with.


Given that no one is seriously contesting the above statement (most are in agreement), my situation is that ALL of my neurons have been created using NNS DAPP and thereby by extension with Internet Identity. Further the consensus is that air-gapped system is best for this management.

I am therefore hyper-focused on how to move the day-to-day management of my neurons (currently mostly merging maturity at 100% and perhaps in the future to spawning) to an air-gapped system (quill et al) from using the NNS DAPP. I am happy to report that some progress has been made on a system that “authorizes” an airgapped neuron to manage the nns-dapp neuron. I am now focused on the UX because I will be using this system for the foreseeable future without,hopefully, EVER logging into NNS DAPP for the management of staked neurons. I am grateful for the work and guidance on the idea provided by @skilesare . Will post on a seperate topic on approach and progress.

I also understand that using live distros. as suggested by others in this topic, may work well for most people. However that solution, to me, seemed incomplete because in it we still use the Internet Identity to manage significant store of value.

I also realize that there are many more issues with Internet Identity that need to be sorted out that have been pointed out in this topic. However, for me, It was important for me to decide what was the most urgent and immediately actionable.


You can consider using security key that has PIN built-in to increase security. Yubikey not so secure in my opinion, because if somebody can access the physical key, they can use it directly. This is not the case for security key with PIN built-in in the hardware, you have to enter PIN first, before you can use the key to authorize / sign.

Security key with Built-In PIN I use daily: Ledger Nano S & OnlyKey (
Recovery key : Seed Phrase & Yubikey (for compatibility) just stay inside my secret security box for backup, that only me can access it.