I’m one of those guys that likes to have only hardware keys for II in the case of a Remote Administration Tool (RAT) taking over my PC.
I realized that II identity does not require re-authentication when adding new passkeys or a seed phrase. So after I sign in to II, a malicious actor could use a RAT to generate a seed phrase and take the account without issue. The same is true of sending large amounts of ICP from the NNS.
I’m sure I’m not the only one that would love the extra security of having the option of verifying II before generating a new key/seed-phrase. I haven’t found this conversation mentioned since >2 years, where it was mentioned as important feature to add at some point: Ledger security device - #8 by kpeacock
Just reigniting the conversation, or maybe I’m just the only one this paranoid.
I realized that II identity does not require re-authentication when adding new passkeys or a seed phrase. So after I sign in to II, a malicious actor could use a RAT to generate a seed phrase and take the account without issue.
I’m not entirely sure I understand your concern. However, if you have generated a seed phrase for your II before and enforced a lock on it, a malicious actor cannot take over the account unless that actor already knows your prior seed phrase.
You are right, and we do want to add this to II. However, a lot of other features are also competing for development resources and so far it has not yet made it to the top of the list unfortunately.
Just a note on sending large amounts of ICP: The NNS dapp does support hardware wallets, which does protect the assets stored there against such an attack.
Also, in the identity and wallet standards working group we are standardizing interaction protocols for transaction approval, which will address the concerns here as well (depending on the implementation).
Rest assured, this is an important topic to us and we are quietly working in the background to eventually address this. Thanks for bringing it up.
To be clear, I’d prefer to permanently disable the seed phrase option. Having a seed phrase means there exists data alone to steal an II, not having one (right now) means a hacker can generate one whenever I sign in with my hardware.
And understood @frederikrothenberger . Thanks for clearing that up.
For anyone who stumbles on this, I’ve been using a pretty solid solution. These features are available thanks to this 2021 discussion that I missed: Internet Identity Lack Of Security
You can create a seed phrase and then disable the changing of it without the existing seed phrase. (I didn’t understand this. I guess my seed phrase is now just between me and the NSA).
Then add neurons and high value tokens inside the Ledger wallet (and for canisters the the CLI tool).
In this way, an attacker that somehow got access to your account could replace the keys, but not access what was inside the ledger, or your canisters for that matter. Then you could recover it with your seed phrase/security key regardless of what the attacker does.
The only limitation I see with this is that you can’t move existing Neurons, or non-ICP assets (ckBTC) into the hardware only account. But it’s a minor thing, e.g., an 8-yr neuron could be totally lost by an attacker who replaces your II, but with this method they can’t move the neuron and will be booted once you recover anyway.