Hi Rich, thanks for your interest in the project!
Canisters don’t require any sort of authentication by default. The JS agent sets users up with an AnonymousIdentity, which is typically going to have permission to request data from canisters. Think of DSCVR’s logged-out view. However, as apps get more sophisticated, it becomes useful to have a persistent identity so that a user can log in as the same person repeatedly. That, along with high security by default, is what the Internet Identity is solving for.
Privacy with Internet Identity
The authentication code for the Internet Identity is pretty simple. It’s all inspectable at https://github.com/dfinity/internet-identity, and the identity is stored simply as a user number, a credential from the WebAuthentication creation ceremony, and an anonymous public key. The Internet Identity doesn’t know who you are, and doesn’t share any information between apps, not even your user number. It is simply a way of reliably logging in anonymously as the same user with multiple devices, while only requiring you to configure those devices once.
Internet Identity as mandatory
Hope this helps!