NNS Sign in and Passkeys

I’m trying to setup my wallets for use. So far I created a test NNS account, great.
The browser, Chrome, seems unable to export passkeys!

I tried to create one on another machine on the Chromium and Firefox browsers it wants a security key. I don’t have a security key. How can I connect a wallet to it - I tried the Plug wallet and it didn’t work.

I searched online for hardware wallet solutions. It seems Ledger has an ICP app and I can connect a hardware account to an internet identity - but I’m unable to create one in a satisfying way. I think if I connected a ledger to my test dev account, I’m still unable to export it and therefore unable to use it on another device.

This is frankly infuriating, I feel I don’t have control of my keys interacting with the ICP network and must trust Google Chrome on 1 specific computer. Please help.

If you log in to Internet Identity you should be able to add additional authentication mechanisms. Personally I have several hardware devices and a passphrase set up. A passphrase in particular is very resilient to all sorts of things that could go wrong but is also something you want to keep safe and use rarely. But you can use the passphrase to connect all sorts of other authentication mechanisms.

How can I export my passphrase - or is that not possible & I have to use passphrase + make a copy of the private key?

Passkeys are non-exportable by design. This is not specific to Internet Identity, that’s just how the passkey technology works.

There are (since recently) two answers to this:

  1. In some cases, passkeys are automatically synchronized across your devices. For instance, on Apple devices linked with the same iCloud account, you can opt in to iCloud Keychain, which will make the passkeys available across all devices where this option is set. That’s very user friendly for day-to-day use, but may be considered insufficiently secure for handling large token amounts.
  2. You can always go to the Internet Identity management interface and link (or unlink) further devices to your II. That means you can add further devices, and you can also set up a recovery phrase for II if you wish to do so. (Some redundancy is recommended, but whether you solve that through multiple devices or by a passphrase depends on your own preferences.)

If the device you’re trying to add does not support web authentication by itself, which may be the case for old devices that do not have a proper security chip installed, then you will need an external security device such as a Yubikey (or comparable) or – my favorite especially for recovery – a Ledger Nano with the FIDO U2F app installed.

Don’t get too hung up by the word “connect” here. The Ledger Nano works with ICP in a very similar way to how it works for other blockchains: You can maintain your ICP tokens and neurons with your Ledger Nano. You can then use the NNS front-end dapp to interact with the Ledger Nano, but that’s by no means necessary, you can also use Ledger Live or command-line tooling. Even if you use your Ledger Nano with the NNS front-end dapp, this does not entangle the two in any persistent way; all your tokens will be completely controlled by the Ledger Nano and not by the NNS front-end dapp in that case.

  1. You can add a recovery phrase to your II via the Internet Identity management interface, as described above. When you add a recovery phase, it will be shown on your screen and you can copy it wherever you want.
  2. If you use a Ledger Nano, your recovery phrase is the one you used to set up the device. You can use the same recovery phrase in quill, and I believe that even the one used by Plug is compatible (but haven’t tried in production).