The DFINITY foundation is planning to propose an update for the Internet Identity canister that would disable account creation on the Internet Identity front-end for all origins other than https://identity.ic0.app. Specifically, if accepted, the following origins will no longer accept new registrations:
This update proposal is planned for December 23 2021.
- Preventing fragmentation of the user base: Internet Identity authenticates using WebAuthn. WebAuthn credentials are bound to the origin they are registered on. This means that WebAuthn keys registered using e.g. https://identity.raw.ic0.app are not available on https://identity.ic0.app (this is what makes WebAuthn phishing proof). By extension, credentials registered on https://identity.raw.ic0.app are therefore also not usable for any dApp integrating with https://identity.ic0.app. This change will make it impossible to create new accounts on unexpected origins thus preventing this scenario from happening (in the future).
- Security concerns: The assets loaded via https://identity.raw.ic0.app are not certified. A malicious node could therefore serve bad assets and compromise the account upon creation / usage. With this change, we want to discourage usage of https://identity.raw.ic0.app.
Most probably not. You are only affected if you manually changed the identity provider in agent-js (https://identity.ic0.app is the default) or built a custom integration with Internet Identity using a different origin (such as the raw URL or the explicit canister ID).
I’m a developer and my dApp integrates with https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app. What do I have to do?
- Switch to https://identity.ic0.app as an identity provider.
- Switch to https://identity.ic0.app as a primary identity provider so that new users will use this one.
- Keep the old integration as a legacy login option.
- Prompt the users after the legacy login to authenticate again with https://identity.ic0.app
- Associate their existing account with the identity provided by https://identity.ic0.app
I’m a user and accidentally registered on https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app but I want to keep my Identity Anchor. What should I do?
- Recover on https://identity.ic0.app using your seed phrase.
Note: it is generally a very, very bad idea to enter a seed phrase in another website than the one you obtained it from! In this case, it is only acceptable as https://identity.ic0.app is more secure than https://identity.raw.ic0.app and both point to the same canister.
If you do not have a seed phrase, authenticate on the origin you created the Identity Anchor on and create a new one.
- Register your existing WebAuthn keys in https://identity.ic0.app.
- Delete all credentials that were registered on https://identity.raw.ic0.app.