Internet Identity Lack Of Security

Swoop · December 16, 2021, 10:46pm

I am really curious if given the amount of dispute around mnemonics whether dfinity can access directly or indirectly the mnemonic seeds? I just see this as a bit of a potential security lapse if that is the case.

plsak · December 19, 2021, 9:13pm

Hi, I wanted to start a topic Enhance security on identity.ic0.app but found this one and as it would be duplicated will just comment here.

Motivation: Users are supposed to properly secure their auth devices but at the same time are supposed to use them several times per day to access dApps, which are mutually exclusive requirements.

I agree with

LightningLad91:

What you are requesting is that II should only allow an existing seed phrase to be removed if the previous seed phrase is entered correctly first. By doing this you are giving the original owner the ability to recover the account even if one of their other authentication devices was compromised?

This will allow owner of the Anchor to secure the passphrase and eventually use it as last resort recovery

I shared idea for had/dp type of device (hidden authorisation device/decreasing priority), but similar functionality seems covered by below proposal

https://twitter.com/plsak/status/1470840499779031044?s=20
Planned propsal:

Long Term R&D: Internet Identity (proposal)

Currently, all devices and recovery methods associated with a user’s identity anchor have the same level of privileges. In particular, each device or recovery method can be used to delete or add any other device or recovery methods.

Long Term R&D: Internet Identity (proposal)

In the future, Internet Identity shall support different privilege levels for different devices, allowing a user to designate certain devices or recovery methods as more trusted and, e.g., make them non-deletable by lower-level devices and methods.
Note: this might seem to provide similar protection as hardening of seed-phrase change, but it’s actually more secure:
- passphrase can be copied or memorised during the securing process and then misused
- had/dp device(s) could be secured on different places (different banks safes) making it’s unauthorised access nearly impossible

Another convenient functionality would be to implement in Internet Identity option for 2FA setup

with password (simpler) or some authenticator app
https://twitter.com/CliffJumbo2/status/1471626182324269056?s=20
https://twitter.com/plsak/status/1471775537249112064?s=20
https://twitter.com/plsak/status/1471779932955201538?s=20
In simplest scenario Anchor which has this activated will be able to choose (when doing auth with Internet Identity) if will use a single method/device - unprivileged access or 2FA - to get all privileges
- II would provide response (with privileged status) to originating dApp which could then simply restrict it’s specific functions (NNS to move funds or start dissolving, II to remove devices etc.)
with such setup could be even simple password login used for the unprivileged access
- that could result in increased dApps usage - as for many the basic access would be easier

kyliux · December 20, 2021, 10:02am

I just would like to mention that dApps in this blockchain might be targeted by bots. Thoses bots would flood the website/App and lead to useless loss of cycles from Dev.

So we might want to be sure bots cant log in that easily, and for this scenario a mix with people´s party could be required.

plsak · December 20, 2021, 11:34am

Thank you, that is a great point.
And sure, enabling of the 2FA could be for example allowed only for Anchors which passed People Party…?

marrymosss · December 29, 2021, 12:34pm

I think that the security of communication on the Internet is an unsolvable issue. In fact, many sites in the world depend on servers that host their information. Cloud storage is not safe either.

mparikh · December 29, 2021, 9:54pm

The security of communication over the internet is
raison d’etre for the Internet Computer. I.e. IC IS SOLVING for this exactly. Please see Inside the Internet Computer | Certified Variables - YouTube for the how.

renem · December 30, 2021, 2:51pm

Idea,

At ppl party you have to go to a location, and return to it during the ppl party. it is pixelated and no one can see who you are, during the ppl party.

Once you have completed the ppl party, Why dont we create the option to save the location as a sort of seedphrase replica or add it as “option 2 secret phrase” so to say.

to have a device return to the location in order establish it as High priority device, in case someone else is currently trying to get hold of your account, returning to the location with a device could lock it as mother of devices for a short time so you can regain control of and kick out devices from your internet identity that dont belong to you.

At the same time, it should be made much harder to remove accounts from your Internet identity, at least you should need a seed phrase or a 2fa verification before being able to remove devices.

I have no IT background and no idea if this is a good idea

a problem, if you moved far away from the location, it could be a hassle in case you need to act quickly, but if it is a neuron staked account, it should be a decent option. to regain control of your neuron at least.

chepreghy · December 31, 2021, 10:53am

What if you lose your seed phrase and can’t recover it? Then there should be some kind of “Forgot my password” way of generating a new seed phrase. I understand that one should save their seed phrase to a secure place and never lose it. But accidents happen and the higher the adoption the more non-technical people will come to the IC. Many of these people will eventually lose their seed phrase. Should they lose therefor their access to staked neurons?

On the other hand it’s a security risk to be able to change one’s seedphrase without entering it. Tough to balance

Roman · December 31, 2021, 11:22am

How have people done since the beginning with the seedphrase of their Ledger Hardwallet in which they have Bitcoins, Ethers, etc. ?

chepreghy · December 31, 2021, 11:24am

I think the IC aims for a much larger audience than the number of BTC and ETH users. Most of whom use something like Coinbase or Binance to begin with, where you don’t have to deal with seed phrases.

Roman · December 31, 2021, 12:20pm

I sincerely agree with you ! But we are not talking about the same thing : I was not giving this solution as a definitive solution, but just as a temporary solution that it would be simple and quick to set until we find a more satisfying solution, this again until we find THE solution.

chepreghy · January 2, 2022, 12:31pm

Alright, that makes sense. We probably agree more than it seemed like from the first few interactions. I’m really curious how “THE” solution will look like. Dfinity have some of the greatest minds working there, I’m sure they’ll figure something out.

plsak · January 19, 2022, 7:47pm

Also note for the

=> purpose of hidden is improved protection - even if account is compromised (one of devices stolen) or there is a physical attack (happens for BTC), the attacker won’t be able to request all devices as he/she won’t ever see them - never will be sure that got all, which might discourage a major number of possible thiefs.

Roman · January 19, 2022, 10:04pm

Very good idea ! Is it already set ?

emmaperetti · May 2, 2022, 3:20pm

hi, there is a monthly working group meeting on Internet Identity and Authentication: Working Group: Identity & Authentication Come and join us. FYI @frederikrothenberger

Topic		Replies	Views
Suggestions for Internet Identity Team DFINITY	2	516	April 23, 2023
Immediate Action to Protect Internet Identity w/ Seed Phrases Governance	87	6953	October 28, 2022
Internet Identity is slowing IC adoption internet-identity Discussing	35	3760	January 20, 2023
First experiences with Internet Identity and Staking General	11	1011	March 29, 2024
Connecting Yubikey on Phone NNS General	4	1346	July 20, 2021

Internet Identity Lack Of Security

Related topics