Internet Identity: Proposal to deprecate account creation on all origins other than https://identity.ic0.app

The DFINITY foundation is planning to propose an update for the Internet Identity canister that would disable account creation on the Internet Identity front-end for all origins other than https://identity.ic0.app. Specifically, if accepted, the following origins will no longer accept new registrations:

This update proposal is planned for December 23 2021.

FAQ:

Why is DFINITY doing this?

  1. Preventing fragmentation of the user base: Internet Identity authenticates using WebAuthn. WebAuthn credentials are bound to the origin they are registered on. This means that WebAuthn keys registered using e.g. https://identity.raw.ic0.app are not available on https://identity.ic0.app (this is what makes WebAuthn phishing proof). By extension, credentials registered on https://identity.raw.ic0.app are therefore also not usable for any dApp integrating with https://identity.ic0.app. This change will make it impossible to create new accounts on unexpected origins thus preventing this scenario from happening (in the future).
  2. Security concerns: The assets loaded via https://identity.raw.ic0.app are not certified. A malicious node could therefore serve bad assets and compromise the account upon creation / usage. With this change, we want to discourage usage of https://identity.raw.ic0.app.

Relevant Questions if the Proposal Is Accepted

I’m a dApp developer. Do I need to take action?

Most probably not. You are only affected if you manually changed the identity provider in agent-js (https://identity.ic0.app is the default) or built a custom integration with Internet Identity using a different origin (such as the raw URL or the explicit canister ID).

I’m a developer and my dApp integrates with https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app. What do I have to do?

  1. Switch to https://identity.ic0.app as an identity provider.

If you want to migrate existing users:

  1. Switch to https://identity.ic0.app as a primary identity provider so that new users will use this one.
  2. Keep the old integration as a legacy login option.
  3. Prompt the users after the legacy login to authenticate again with https://identity.ic0.app
  4. Associate their existing account with the identity provided by https://identity.ic0.app

I’m a user and accidentally registered on https://identity.raw.ic0.app or https://rdmx6-jaaaa-aaaaa-aaadq-cai.ic0.app but I want to keep my Identity Anchor. What should I do?

  1. Recover on https://identity.ic0.app using your seed phrase.
    Note: it is generally a very, very bad idea to enter a seed phrase in another website than the one you obtained it from! In this case, it is only acceptable as https://identity.ic0.app is more secure than https://identity.raw.ic0.app and both point to the same canister.
    If you do not have a seed phrase, authenticate on the origin you created the Identity Anchor on and create a new one.
  2. Register your existing WebAuthn keys in https://identity.ic0.app.
  3. Delete all credentials that were registered on https://identity.raw.ic0.app.
3 Likes

Update: In order to better be able to support people who might run into issues with this change, we will postpone the proposal to early January 2022.

Happy Holidays!

1 Like