Long Term R&D: Internet Identity (proposal)

Roman · January 7, 2022, 7:54am

Because to use the Internet Identity (II) jeopardizes your II and then your funds if you used II to hold your funds.

You can read this thread about it : Internet Identity Lack of Security.

One of the most important messages in this thread, from Timo, Principal Researcher at Dfinity :

Let’s make some analogies before you ditch II entirely . How much money would you store in or access through MetaMask, MEW, etc. (without connecting a hardware wallet to them)? About the same you can store in II. Both depend on browser security. If the browser/OS is compromised then you can lose funds.

The point I made is that II is a software wallet. Software wallets have the advantage that they can store key material and you don’t have to confirm every single interaction on an external device and display. But if the browser/OS is compromised then the key material is at risk. Hardware wallets protect against that at the cost of having to approve every single interaction on an external device and display. Fundamentally there are only these two options, software wallet or hardware wallet and it is up to the user’s judgement to make the trade off.

Here, to illustrate, “browser compromised” means for example that your browser can swap out an URL under the hood and display a green padlock when there shouldn’t be one.

Now, in some further detail, II actually tries to improve over wallets like MetaMask. Where those wallets store key material permanently on disk (at least encrypted), II doesn’t. II only creates session keys that are valid for 30 min. The permanent keys are inside the biometric sensor or Yubikey. That is an improvement because it shortens the attack window for certain attacks.

And this :

Internet Identity Lack Of Security

I think there is a major misunderstanding here. The II was not meant to be used for holding stake in the amounts that are thrown around here. It is not about having one II or two different ones. You simply don’t use II at all for these kind of amounts.

II is a convenience feature for everyday use. It is not a security feature for long-term storage.

II is and remains a “software wallet” no matter how you use it, even if you use it with a Yubikey and even if your FIDO device is PIN protected. When you connect a FIDO device it is only used once to sign the browser’s session keys. After that all interaction is initiated and signed by the browser alone. Hence II is only as secure as your browser, regardless of how secure your phrase, biometric sensor or Yubikey is. You cannot entrust significant value to this environment.

The only safe ways to hold significant value is with an air-gapped computer and the proper tools such as quill or with a Ledger Nano connected to the NNS dapp as a hardware wallet. In the latter case every single transaction gets confirmed on the hardware wallet’s display and signed inside the hardware wallet. The browser is then untrusted. There is no II at play with the hardware wallet.

Using a hardware wallet is different from using a FIDO device to log into your II. The former is a true hardware solution, the latter is still essentially a software wallet. The two are not to be confused.

I think because of this misunderstanding the discussion is getting derailed. Whales don’t ask if they can have one or two IIs. Whales don’t use II for storing value.

I am not saying that II can’t be improved or that the discussion here doesn’t have value. I am just saying we are getting derailed if we’re discussing using II for long-term/cold/high value staking or storage.

Topic		Replies	Views
Long Term R&D: Decentralized CA and DNS (proposal) Roadmap	8	2421	June 3, 2024
Motion Proposals on Long Term R&D Plans Roadmap	17	8096	June 10, 2022
Long Term R&D: Secure OS (proposal) Roadmap	4	1904	December 20, 2021
Long Term R&D: Storage Subnets (proposal) Roadmap	44	5330	January 3, 2024
Long Term R&D: Integration with the Ethereum Network Roadmap	147	29888	May 5, 2024

Long Term R&D: Internet Identity (proposal)

Related Topics