Internet Identity V2

Hello everyone,

We hear your concerns about Internet Identity 2.0.

Firstly, we want to clarify that the identity number in V1 was never a security feature; it was simply an identifier. The real security always came from your actual device authentication (biometrics, PIN, or hardware key). Relying on obscurity can give a false sense of security, so users should avoid doing so.

Internet Identity 2.0 requests user verification when requesting a passkey through the WebAuthn API. Users will always have to use their Face ID, PIN, or another method they have set up on their device to enable fetching the credentials.

With this measure, YubiKey users will always need to enter their PIN to enable it. This is different from Internet Identity 1.0, where user verification was “preferred” and the PIN was not always requested.

Discoverable passkeys maintain the same high level of security. Your private keys remain locked in your device’s secure hardware, and you still need the same biometric or PIN authentication to access them. If someone finds your YubiKey, they’d still need your PIN to access anything.

For those who want an extra layer of security, we plan to introduce configurable two-factor authentication (2FA) solutions for Internet Identity. We don’t have all the details ironed out yet, but we’ll share more as soon as we start building it. Rest assured, security remains a top priority.

Thanks to all for the feedback.

8 Likes
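The difference between “preferred” and “required” user verification described in the post above can be checked on the relying-party side by reading the UV flag in the returned authenticator data. The sketch below is an added example, not Internet Identity's code; the function names and the sample bytes are hypothetical, and it covers only the flag check, not signature, challenge or rpIdHash validation.

```javascript
// Added example (not Internet Identity's code). Flag bits follow the WebAuthn spec.
const FLAG_UP = 0x01; // user present (e.g. key touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Options a relying party would pass to navigator.credentials.get({ publicKey }).
// An empty allowCredentials list asks the authenticator for a discoverable passkey.
function buildRequestOptions(challenge, rpId, userVerification) {
  return { challenge, rpId, allowCredentials: [], userVerification };
}

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0),
  };
}

// With "preferred" an authenticator may answer without verifying the user;
// with "required" the server must reject any response whose UV flag is clear.
function checkAssertionPolicy(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user not present" };
  if (userVerification === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "verified" : "presence only" };
}

// Constructed sample data: zeroed rpIdHash, chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 7;
  return data;
}

const touchOnly = sampleAuthData(FLAG_UP);             // security key touched, no PIN
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV); // security key touched after PIN entry
console.log(checkAssertionPolicy(touchOnly, "preferred"));
console.log(checkAssertionPolicy(touchOnly, "required"));
console.log(checkAssertionPolicy(touchAndPin, "required"));
```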