Internet Identity V2

Hello everyone,

We hear your concerns about Internet Identity 2.0.

Firstly, we want to clarify that the identity number in V1 was never a security feature; it was simply an identifier. The real security always came from your actual device authentication (biometrics, PIN, or hardware key). Relying on obscurity can give a false sense of security, so users should avoid doing so.

Internet Identity 2.0 requests user verification when requesting a passkey through the WebAuthn API. Users will always have to use their Face ID, PIN, or another method they have set up on their device to enable fetching the credentials.

With this measure, YubiKey users will always need to enter their PIN to enable it. This is different from Internet Identity 1.0 where the user verification was “preferred”, not requesting the PIN always.

Discoverable passkeys maintain the same high level of security. Your private keys remain locked in your device’s secure hardware, and you still need the same biometric or PIN authentication to access them. If someone finds your YubiKey, they’d still need your PIN to access anything.

For those who want an extra layer of security, we plan to introduce configurable two-factor authentication (2FA) solutions for Internet Identity. We don’t have all the details ironed out yet, but we’ll share more as soon as we start building it. Rest assured, security remains a top priority.

Thanks to all for the feedback.

8 Likes
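The difference between "preferred" and required user verification described in the post above, as an added example that is not part of the original thread and is not Internet Identity's code. The function names and sample bytes are constructed for illustration; the flag positions follow the WebAuthn authenticator data layout.

```javascript
// Added illustration; not Internet Identity's source code.
// Function names and sample bytes are constructed for this example.

// WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
const FLAG_UP = 0x01; // user present (e.g. key touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// V1-style request: non-discoverable passkey, so the relying party supplies the
// credential IDs (assumed here to be looked up from the identity number);
// user verification is only "preferred".
function buildV1StyleRequest(challenge, credentialIds) {
  return {
    challenge,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "preferred",
  };
}

// V2-style request: discoverable passkey (empty allowCredentials),
// user verification "required".
function buildV2StyleRequest(challenge) {
  return { challenge, allowCredentials: [], userVerification: "required" };
}

// Relying-party check: the option above is only a request made through the
// client, so the verifier still reads the UV flag from the signed data.
function checkAuthenticatorFlags(authData, requireUv) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    return { ok: false, reason: "authenticator data too short" };
  }
  const flags = authData[32];
  if ((flags & FLAG_UP) === 0) return { ok: false, reason: "user not present" };
  if (requireUv && (flags & FLAG_UV) === 0) {
    return { ok: false, reason: "user not verified" };
  }
  return { ok: true, reason: "flags accepted" };
}

// Constructed sample: zeroed rpIdHash, chosen flags byte, zero counter.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

const touchOnly = sampleAuthData(FLAG_UP);             // touched, no PIN
const touchAndPin = sampleAuthData(FLAG_UP | FLAG_UV); // touched, PIN entered
console.log(checkAuthenticatorFlags(touchOnly, false)); // "preferred" policy
console.log(checkAuthenticatorFlags(touchOnly, true));  // "required" policy
console.log(checkAuthenticatorFlags(touchAndPin, true));
```
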

Users with only a II 1.0 (non-discoverable) passkey will still be able to sign in within the II 2.0 migration flow. After signing in, they’ll be prompted to register a new discoverable passkey for future use.

1 Like

Have you considered allowing users to retrieve their private keys? Like in a PEM file or something? In case the II subnet breaks or is on maintenance.

This way we can create wallets that are compatible with your II and are able to interact with the NNS/SNS on custom frontends.

Recovery phrase will be available as a recovery method? Will it require an Anchor ID to use it, or is that number simply part of the phrase and it doesn’t change anything? Or is it enough to provide the seed phrase without an identity number to restore it?

2 Likes

Is it mandatory to register a new passkey or anything else? Why not let users decide to use the II number?

1 Like

I like it with numbers more. I hope II 1.0 will stay.

3 Likes

Can we hold a vote to decide which way users prefer? There are currently already 2.7 million users. If Dfinity requires all users to abandon the original II anchor number login method and faces strong opposition from many community members, it seems that there will be a relatively significant impact on the news.

2 Likes

Why should any opposing voices be blocked?

Due to both II moving to a new domain and the discoverable requirements, users will need to register a new passkey for their existing identities.

As mentioned earlier, we plan to introduce secure solutions that directly address the concerns mentioned earlier in this thread. Removing security assumptions and simplifying user flows is the groundwork to enable building these and other solutions.

Seed phrases are still pending design and implementation, thus not available in II 2.0 yet at this moment. The current idea is to no longer rely on identity numbers in II 2.0 with newly created seed phrases either.

3 Likes

Is there some form of metrics on:

  1. Quantity of people who don’t understand I.I anchor must be saved
  2. Quantity of people who don’t understand I.I seed phrases must be saved
  3. Quantity of people who lost access to I.I due to not understanding the importance of either

So that we can understand the necessity of such a drastic change (eliminating a system we’ve been using for 4+ years)?

Where does the desire to eliminate the existing system stem from?

Why can’t Google Login co-exist with the current system?

Apologies if these have already been answered/provided & I missed it!

4 Likes

Hello, I just tried to set up a new II v2.
Since every name of the ID needs to be unique, will those names from the beta be reset so that I can use it for the final version?
Or just unique in your own II, or worldwide?

Names are not unique. They are used to help put the user in context when we present information.

We call it a beta version because it is missing some functionality, but not because we intend to reset any data.

To be honest, I was one of the people that complained about this, but because I thought this could introduce a security risk due to the anchor ID being removed, and that if someone stole my YubiKey they could have access just by holding it.

But now with II v2.0, when you log in it will ask for a PIN (something the YubiKey has always allowed but II V1.0 didn’t allow), so this PIN will be needed in order to access your Internet Identity (II). This is way safer and more useful in my opinion. It will remove some friction for end users having to remember or store the anchor ID when they created an II. Now they simply have to go to the service, use their passkey (YubiKey, iPhone, laptop, or security key), enter the PIN (if they configured it and their device allows it) and they are in. It’s so much more user friendly.

3 Likes

If my II has a seed phrase locked…
And I don’t use yubikey or pass keys.

I use the phone PIN to log in and have my seed written down.

What happens to my neuron and identity?

Am I about to be locked out?

Just asking for metrics, as you’d think this would have been studied given it’s a partial reasoning for this change :handshake:

If you have a seed phrase, you will always be able to add a passkey to use it to access your neuron.

2 Likes

Over the past few years we’ve done interviews with both developers and end users and anchor numbers are usually one of the main complaints for adoption.

5 Likes

Actual seed phrases will not change, right? So if I have my seeds stored in different locations (countries), I don’t have to go and update them to a new seed phrase, right?

1 Like

Correct, current seed phrases will always work.

We haven’t developed that in the new version, but we will support the current ones for sure.

1 Like

If the current method of combining numbers with mnemonic phrases continues to work, then I’m a bit confused as to why the numbers (the anchor number login method) will be removed in the future. :joy:

1 Like