What to do when 'Windows Security' asks for a USB key

I have tried multiple browsers (Firefox, Chrome), updated to the newest versions, running on fully updated Windows 10. I have set up a login PIN in Windows Security.

No matter what I do, when I try to use ‘New user? Register with Internet Identity’ at https://identity.ic0.app/ I am eventually prompted by Windows Security to enter a USB hardware key. I do not have such a key.

How can I register without such a USB key?

3 Likes

No. You need a key. The only solution other than a YubiKey is to use a ledger running Fido U2F.

2 Likes

Question 1: How will the masses use this Internet Computer?
How will the masses ever adopt the ‘Internet Computer’ if the entry threshold is that high?
Imagine an aging grandmother, a homeless person on a shared computer in a library or a young man in Africa with spotty internet access and a ‘family phone’.

Question 2: How do I get a ledger running Fido U2F?
Can you please elaborate how I would use a ‘ledger running Fido U2F’?

8 Likes

By the way over a million accounts on Ledger were compromised in 2020. Do you see that as a matter of concern? You basically force people to buy a hardware key (and block one of their USB ports!) or force them to use a system that was recently compromised. Both not very desirable options I think.

3 Likes

1: Yes, I and others have pointed it out on here and other places. It’s a solution which might make sense to those living and working in Silicon Valley but for the real world it’s a terrible idea.

2: Install FIDO U2F as detailed in the link I provided. Then when you’re prompted to enter a security key on the identity login you will be able to use that to do it.

4 Likes

Thank you for those answers. So mass adoption is hampered by the hardware key requirement (or knowledge and skills to get a ledger). Is the, presumably global, ‘Internet Computer’ then a toy for savvy, well connected and affluent members of the world’s computer elite? A playground for the rich and well educated?

Are there any plans to get to a place where onboarding of average internet users becomes possible? An Internet Computer that offers products and services to a handful of members of the elite seems pointless. Unless the masses of people act as consumers there is no economic future for this project. Do I see that wrong?

4 Likes

Most smartphones have biometrics now. So for mobile users it’s fine, easier than having to remember a password for the aging grandmother in your example. The bigger issue there is if you lose your registered devices you lose your whole account across the IC. So if you’ve only got your phone registered and you lose your phone, your account and data have gone with it. I’m sure a solution to both issues will come forward in time but I’m very surprised nobody anticipated these complaints and got in front of it.

2 Likes

Those are some really good questions. I’m hoping the DFINITY team makes coming up with a software solution their top priority; otherwise I agree that the outlook is looking rather grim.

1 Like

I understand having to go to market NOW in order to make use of the crypto bull market (and to forestall any leaks of the open source software to competitors). But it does not instill confidence in me that, after 5 years of development, the only ways to create an account on the Internet Computer are

a) A hardware key that 99.99999% of the people will never have or
b) A Ledger account (a million of which were compromised last year)

How such a lack of usability planning could happen is a bit beyond me.

2 Likes

A viable (temporary) alternative would be to establish identity the same way crypto exchanges are doing it right now: by asking for personal details (name, address, phone, …) and the upload of a legal document. This should be good enough for now to get mass onboarding going.

Again, why this has not been thought about as a problem ahead of time is beyond me. Seems a bit like ivory tower silo thinking of Silicon Valley users who can’t imagine what life is out there in the real world.

1 Like

Well there’s also the biometric solution but that’s limited to mobiles which is maybe fine for static websites but many types of applications are not suited for smartphones.

I hate to say that. But I will stay away from biometrics solutions for as long as I can! Because you can always change passwords and recover accounts with recovery-emails. But if your biometrics data is in any way stolen/forged/spoofed/… there is NO way for you to undo that.

Biometrics is not an option for me. I do not like big brother solutions like that.

I agree with you here, biometric solutions are not that safe as long as the firmware is closed-source. I don’t trust it much either.

Sorry, I’ve been focused in other threads, and didn’t mean to leave this one unanswered.

For launch, we targeted the most secure path possible for our users, who would be entrusting our NNS app and cycles wallet with holding value, while also not requiring any Personally Identifiable Information. We will continue developing for the most approachable onboarding we can manage while maintaining our security goals.

We have some more testing to do in order to make sure Windows biometrics start working without a security key, but otherwise a security key is the best solution for the security-conscious.

As for privacy concerns with biometrics, it is highly secure with the Web Authentication standard. Your device signs with a private key, and the Internet Identity only stores the public key result from the authentication ceremony. We don’t have any ability to trace or identify your device apart from whether it is able to successfully sign subsequent credential requests.

3 Likes
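
The ceremony described in the reply above, as an added example (not part of the thread and not Internet Identity's code): a simulated authenticator and relying party in Node.js, showing that the service's record holds only a public key and a counter. `RP_ID`, `ORIGIN` and all function names are constructed for illustration; attestation and CBOR key encoding are left out.

```javascript
// Added example: simulated WebAuthn ceremony. RP_ID, ORIGIN and every function
// name are constructed for illustration; this is not Internet Identity code.
const crypto = require("crypto");
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();
const RP_ID = "identity.example", ORIGIN = "https://identity.example";

// Authenticator side: the private key is created here and never leaves.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const credentialId = crypto.randomBytes(16).toString("hex");
  let counter = 0;
  return {
    // Registration hands over only a credential ID and the public key.
    register: () => ({ credentialId, publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) }),
    // On a real device a local PIN or biometric check gates this call.
    getAssertion(challenge, origin = ORIGIN) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      const authData = Buffer.alloc(37);
      sha256(RP_ID).copy(authData, 0);        // bytes 0-31: rpIdHash
      authData[32] = 0x05;                    // flags: user present | user verified
      authData.writeUInt32BE(++counter, 33);  // bytes 33-36: signature counter
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { credentialId, clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Relying-party side: `store` is everything the service keeps per credential.
function makeRelyingParty() {
  const store = new Map(), pending = new Set();
  return {
    store,
    enroll: ({ credentialId, publicKeyPem }) => store.set(credentialId, { publicKeyPem, counter: 0 }),
    newChallenge: () => { const c = crypto.randomBytes(32).toString("base64url"); pending.add(c); return c; },
    verify({ credentialId, clientDataJSON, authData, signature }) {
      const rec = store.get(credentialId), client = JSON.parse(clientDataJSON.toString());
      if (!rec || client.type !== "webauthn.get" || client.origin !== ORIGIN) return false;
      if (!pending.delete(client.challenge)) return false;               // unknown or replayed challenge
      if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return false; // signed for another relying party
      if ((authData[32] & 0x05) !== 0x05) return false;                  // user not present/verified
      const counter = authData.readUInt32BE(33);
      if (counter <= rec.counter) return false;                          // possible cloned authenticator
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      if (!crypto.verify("sha256", signed, rec.publicKeyPem, signature)) return false;
      rec.counter = counter;
      return true;
    },
  };
}
```

The PIN or biometric check happens inside the authenticator before it signs, so the relying party sees only the "user verified" flag and the signature.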

I don’t personally use Windows, but this might be worth a shot: authentication - How to use webauthn without key fob - Stack Overflow

1 Like

The concern with biometrics is not with the IC but with the scanner’s firmware, where you can’t know whether it stores the biometric data securely or not. Considering the Patriot Act in the US, we really can’t be sure there’s no backdoor with closed-source programs.

1 Like

I don’t think being ‘security-conscious’ is the issue here.

As far as I can see, any dapp that has a user sign in using their identity cannot be done, full stop, on a laptop without the correct hardware. It’s a huge issue for adoption, in my opinion.

Thanks for those answers! Any chance we might get a ‘normal’ login process (passwords plus 2FA or Google Authenticator or some such) at some point?

Please let’s stop this “poor person in Africa” meme.
Smartphones are available in Africa (where I live) for USD40, an amount virtually everybody interested in technology can afford. Heck, people in the villages have smartphones. Every student in high school and above has a Huawei/Infinix/Nokia/Tecno smartphone. As you can imagine, all those are Android devices and they all have a minimum of screen lock which is sufficient for the NNS.

Moreover, most people won’t be staking ICPs, they would buy for speculation purposes and keep on centralised exchanges. People like us who are tech-aware enough to stake can afford multiple devices for wallet backup or a Yubikey.

That said, the team should keep exploring more intuitive (but SECURE) ways of wallet/key management.

[Post unhidden, again. I wonder what anyone finds off-topic in this post. It’s a direct response to a wrong assumption. Or does anyone hate the truth?]

2 Likes

If ICP was any other project I might agree with you. But it is not. If I understand the vision right then ultimately the Internet Computer should become THE platform to which today’s centralized and corporatized internet migrates. And for that we need mass-adoption and EASY access to canisters and the services they offer. And, as I understand it, right now the only way to get access to any canister-based service is by logging on with a hardware key.

And my point is that this is a massive obstacle to adoption. (Heck, I am a software developer, about as computer savvy as they come, have developed in a dozen languages and I still, after several days, have not logged on to the Internet Computer. Because inertia, having to buy a hardware key and getting it to work has, so far, been a hurdle I did not have enough motivation to cross). And that’s my point. Yes, with enough motivation any hurdle can be crossed. But for mass adoption those technical hurdles must be as minute as possible. It must become EASY. And right now it isn’t.

5 Likes