Consider adding social recovery to the Internet Identity. It would be excellent for users to create their own personal trust networks, allowing other IIs to have the power to regenerate lost IIs or have other powers, controlled by the creator of the II.
The fact that II cryptographic information is only stored on locally-owned devices is quite scary…one natural disaster, one bad encounter on the street, etc could result in a lost II. It needs to be decentralized.
I’m currently running a disaster test, assuming I lose my device will I be able to login to my account using another device without having to worry about security key stored in some kind of local device?
Guess what, I couldn’t. I can’t generate a security phrase except I have a security key store in an external device (like Yubikey or something like that).
This is something we need to look into.
For those using Mobile device, if you lose your phone your accounts are gone and if you have funds in it that becomes worst.
We need to have a decentralised recovery mechanism so that you can login with any device anywhere provided it’s your fingerprint or login with your phrase key you have written somewhere not on security device.
When you login with a new device the server will sense your fingerprint and request for a seed Phrase for confirmation.
The Internet Identity allows you to add arbitrary cryptographic keys to your account, and it’s API is open. So I think this could be done as a community-created add-on. For example, it could be a a static webpage that, fully on your computer:
Creates a threshold ECDSA key with your desired n-out-of-m property.
Shows you the m secret key shares to distribute among your friends.
Gives you the link (clickable or as QR code) that would add the public key as a new “device” to the Internet computer.
If you need to recover, with your new device;
You go to the Internet Identity page, and go through the add-device flow.
You take the generated add-device-link and paste it in the recovery page.
You also paste enough of the secret key shares.
The recovery page adds your new device to II and you are back in action.
(I hope I am not missing something, but this might work very well).
So all it takes is a bit of crypto programming in JavaScript and a single static page that you can host on the Internet Compute or elsewhere (no backend needed). At least a working prototype should not be too hard.
Of course, there is a question of whether this should be offered natively by the Internet Identity. But one doesn’t have to wait for it, and one does not have to work for DFINITY to build it.
Yes, for an MVP a separate service might be fine, but I’m wondering if this shouldn’t just be integrated into the II directly. Since the code is all open (I believe the canisters as well, if that’s needed), technically someone in the community could actually work on adding this to the II system directly.
The barriers to creating this functionality outside of DFINITY seem relatively low (when compared with something like extending chain key with ECDSA for example).
This is definitely an issue I’ve been thinking about. I’m also not sure yet how the general public will manage II. I see the potential for a lot of frustration. Maybe this can be solved with good UX?
Another permutation on social recovery is having a system to somehow enroll public authorities in a process where physical documents could facilitate recovery. Maybe not useful if someone loses access to social media but very useful in the event of financial loss after a catastrophic event or total loss of device anchors.
I agree, centralized entities could be useful as guardians as well. You could imagine registering a private key share with a custodian who records your name, address, phone number, ID, social security card, etc to provide an excellent level of assurance as to your identity. Only in the case that they absolutely know you are you and are requesting access to regenerate your key, would they intervene and help as part of the threshold regeneration.
So you could have 3 friends and 2 centralized custodians be your web of trust, or 4 friends and 1 centralized custodian, etc.
Can you describe the hostile takeover scenario? The threshold requirement should take care of that, because you would need say 3/5 IIs to all decide basically at the same time that a new key should be regenerated
It’s unlikely it would happen but if 3/5 turned on you there is a potential for them to assume ownership of lost II. A biometric would increase trust though not perfect that the actual owner approved and is present for the re-generation. Could be an optional feature. Maybe it would be needed if the one (or two) central authorities were a bank or other institution that has their own identity verification protocols.
Well WebAuthN already supports biometrics so I think we’re good Creating a requirement for a biometric would be another question, but doesn’t necessarily seem too difficult, hopefully
good point. biometrics not stored on nns. They live on mobile device. If it was stored (or maybe it’s hash) than it could be used as a final auth method that reconnects the anchor to person. Not sure but fun to think about.
Essentially from my recovery phrase, I generate a bunch of QR codes that represent threshold key shares of the original recovery phrase; meaning that one needs a quorum of QR codes to recover the recovery phrase. Then I ship these QR codes (laminated, of course) via USPS to different folks that I know and trust across the globe. I no longer have my recovery phrases and I hope NEVER to use the recovery phrases. However if I do, I am secure without knowing the actual recovery phrase.
With internet identity, recovery phrase rotation is doable. Recovery phrase rotation is nice for folks who intend to keep their wallets for decades; because people change, friends change, folks pass away, I have yet to figure out how I would do this with stoic.