Internet Identity: Proposal to deprecate account creation on all origins other than

The DFINITY foundation is planning to propose an update for the Internet Identity canister that would disable account creation on the Internet Identity front-end for all origins other than Specifically, if accepted, the following origins will no longer accept new registrations:

This update proposal is planned for December 23 2021.


Why is DFINITY doing this?

  1. Preventing fragmentation of the user base: Internet Identity authenticates using WebAuthn. WebAuthn credentials are bound to the origin they are registered on. This means that WebAuthn keys registered using e.g. are not available on (this is what makes WebAuthn phishing proof). By extension, credentials registered on are therefore also not usable for any dApp integrating with This change will make it impossible to create new accounts on unexpected origins thus preventing this scenario from happening (in the future).
  2. Security concerns: The assets loaded via are not certified. A malicious node could therefore serve bad assets and compromise the account upon creation / usage. With this change, we want to discourage usage of

Relevant Questions if the Proposal Is Accepted

I’m a dApp developer. Do I need to take action?

Most probably not. You are only affected if you manually changed the identity provider in agent-js ( is the default) or built a custom integration with Internet Identity using a different origin (such as the raw URL or the explicit canister ID).

I’m a developer and my dApp integrates with or What do I have to do?

  1. Switch to as an identity provider.

If you want to migrate existing users:

  1. Switch to as a primary identity provider so that new users will use this one.
  2. Keep the old integration as a legacy login option.
  3. Prompt the users after the legacy login to authenticate again with
  4. Associate their existing account with the identity provided by

I’m a user and accidentally registered on or but I want to keep my Identity Anchor. What should I do?

  1. Recover on using your seed phrase.
    Note: it is generally a very, very bad idea to enter a seed phrase in another website than the one you obtained it from! In this case, it is only acceptable as is more secure than and both point to the same canister.
    If you do not have a seed phrase, authenticate on the origin you created the Identity Anchor on and create a new one.
  2. Register your existing WebAuthn keys in
  3. Delete all credentials that were registered on

Update: In order to better be able to support people who might run into issues with this change, we will postpone the proposal to early January 2022.

Happy Holidays!

1 Like