The DFINITY foundation is planning to propose an update for the Internet Identity canister that would disable account creation on the Internet Identity front-end for all origins other than https://identity.ic0.app. Specifically, if accepted, the following origins will no longer accept new registrations:

• https://identity.raw.ic0.app
• https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app

This update proposal is planned for December 23 2021.

FAQ:

Why is DFINITY doing this?

1. Preventing fragmentation of the user base: Internet Identity authenticates using WebAuthn. WebAuthn credentials are bound to the origin they are registered on. This means that WebAuthn keys registered using e.g. https://identity.raw.ic0.app are not available on https://identity.ic0.app (this is what makes WebAuthn phishing proof). By extension, credentials registered on https://identity.raw.ic0.app are therefore also not usable for any dApp integrating with https://identity.ic0.app. This change will make it impossible to create new accounts on unexpected origins thus preventing this scenario from happening (in the future).
2. Security concerns: The assets loaded via https://identity.raw.ic0.app are not certified. A malicious node could therefore serve bad assets and compromise the account upon creation / usage. With this change, we want to discourage usage of https://identity.raw.ic0.app.

Relevant Questions if the Proposal Is Accepted

I’m a dApp developer. Do I need to take action?

Most probably not. You are only affected if you manually changed the identity provider in agent-js (https://identity.ic0.app is the default) or built a custom integration with Internet Identity using a different origin (such as the raw URL or the explicit canister ID).

I’m a developer and my dApp integrates with https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app. What do I have to do?

1. Switch to https://identity.ic0.app as an identity provider.

If you want to migrate existing users:

1. Switch to https://identity.ic0.app as a primary identity provider so that new users will use this one.
2. Keep the old integration as a legacy login option.
3. Prompt the users after the legacy login to authenticate again with https://identity.ic0.app
4. Associate their existing account with the identity provided by https://identity.ic0.app

I’m a user and accidentally registered on https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app but I want to keep my Identity Anchor. What should I do?

1. Recover on https://identity.ic0.app using your seed phrase.
   Note: it is generally a very, very bad idea to enter a seed phrase in another website than the one you obtained it from! In this case, it is only acceptable as https://identity.ic0.app is more secure than https://identity.raw.ic0.app and both point to the same canister.
   If you do not have a seed phrase, authenticate on the origin you created the Identity Anchor on and create a new one.
2. Register your existing WebAuthn keys in https://identity.ic0.app.
3. Delete all credentials that were registered on https://identity.raw.ic0.app.

Update: In order to better be able to support people who might run into issues with this change, we will postpone the proposal to early January 2022.

Happy Holidays!