Why does Internet Identity return a different Principal?

Hi, recently I found that II actually returns a different principal when I auth on different websites, but the Plug and Stoic principals are static. Could anyone explain to me why?

Meanwhile, could I enable users to make payments with the NNS default wallet? When users auth on our website with II, they get a different principal, so it basically makes a new account. It's tedious to prompt users to transfer ICP from the NNS to a new II account.

II returns a different principal per service to make it hard to track you across services, everyone’s least favorite thing in web2. This is sensible for II as a general authentication mechanism; the thing you’re observing is NNS using II’s principal for your account. Plug stores your key offline and Stoic has its own auth mechanism that accepts II to log in, but provides its own principals.

The general pattern for accepting payments in one of these services is to, rather than have one address that you look at the sender for each payment for (since users may be sending money from anywhere, not just the NNS), instead have an address per user, with the subaccount consisting of the bytes of the II principal you know. This is, for example, how you create a canister by burning ICP: you make an ICP transfer to the cycles minting canister, under the subaccount of the bytes of the principal who will become its new controller, and then you notify the CMC of the block index that the transaction took place in. (Specifically, the first byte of the subaccount stores the principal length, followed by the principal’s bytes, followed by as many zeroes as necessary.) You can calculate the correct account-ID based on the principal they are authenticating with, and display it in the frontend.

3 Likes
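The per-user deposit address described in the answer above, as an added example that is not part of the original posts. It assumes the ICP ledger's account-identifier format (SHA-224 over the domain separator `"\x0Aaccount-id"`, the owner principal and the 32-byte subaccount, prefixed with a CRC-32 of that hash); the function names are hypothetical, and the service is taken to be the account owner with the user's II principal in the subaccount.

```javascript
const crypto = require("node:crypto");

// CRC-32 (IEEE), used in textual principals and as the account-ID checksum.
function crc32(bytes) {
  let crc = 0xffffffff;
  for (const b of bytes) {
    crc ^= b;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Textual principal -> raw bytes: strip dashes, base32-decode, verify and drop the CRC prefix.
function principalBytes(text) {
  const alphabet = "abcdefghijklmnopqrstuvwxyz234567";
  let bits = 0, acc = 0;
  const out = [];
  for (const ch of text.toLowerCase().replace(/-/g, "")) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v; bits += 5;
    if (bits >= 8) { bits -= 8; out.push((acc >>> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  const raw = Buffer.from(out);
  if (raw.length < 4 || raw.length > 33) throw new Error("bad principal length");
  if (raw.readUInt32BE(0) !== crc32(raw.subarray(4))) throw new Error("principal checksum mismatch");
  return raw.subarray(4);
}

// Subaccount layout from the answer: [length byte][principal bytes][zero padding] = 32 bytes.
function principalToSubaccount(principal) {
  if (principal.length > 29) throw new Error("principal longer than 29 bytes");
  const sub = Buffer.alloc(32); // zero-filled
  sub[0] = principal.length;
  Buffer.from(principal).copy(sub, 1);
  return sub;
}

// Account identifier: CRC32(h) || h, with h = SHA-224("\x0Aaccount-id" || owner || subaccount).
function accountIdentifier(owner, subaccount) {
  const h = crypto.createHash("sha224")
    .update("\x0Aaccount-id").update(owner).update(subaccount).digest();
  const check = Buffer.alloc(4); check.writeUInt32BE(crc32(h));
  return Buffer.concat([check, h]).toString("hex");
}

// Deposit address for one user: the service owns the account, the user's II principal selects the subaccount.
function depositAccountId(serviceText, userText) {
  return accountIdentifier(principalBytes(serviceText), principalToSubaccount(principalBytes(userText)));
}
```

Because the principal II hands to your site is stable for that site, the derived address is stable too, so the backend can recompute it from the caller's principal instead of trusting an address sent by the frontend.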