Internet Identity: The End of Usernames and Passwords

The Internet Identity blockchain authentication system enables you to sign in securely and anonymously to dapps on the Internet Computer.

The Internet Computer is the world’s first truly internet-scale public blockchain. Unlike other blockchains, it can process and store any amount of data. It also hosts smart contracts (blockchain software logic) that run at web speed with vastly higher efficiency than before. These are able to serve interactive web content directly to end users, enabling a broad range of systems and services to be built entirely on the blockchain in the form of dapps, without dependence on legacy tech, such as cloud services. Now finally, it is possible to build and run even hyperscale tokenized social media entirely on a public blockchain.

The purpose of the Internet Computer is to extend the internet by making it possible for nearly all systems and services to be rebuilt and reimagined as secure dapps using smart contracts hosted in cyberspace — which will process and store all of their data without augmentation by legacy tech and its services. This will drive a “blockchain singularity” where nearly every system and service eventually runs entirely from public blockchain.

To avoid the security issues that plague password authentication on the traditional web, the Internet Computer blockchain introduces a new cryptographic authentication system. This new system, called Internet Identity, is extraordinarily easy to use, in sharp contrast to existing systems used to authenticate to blockchains over the web.

Essentially, it allows end users to authenticate to dapps on the blockchain using their devices, in a way made possible by the “Chain Key” cryptography used by the Internet Computer. End-user devices can be traditional HSM devices, such as a YubiKey, or mobile devices that contain a TPM chip, such as a laptop or phone. For example, many thousands of people are already authenticating themselves to dapps running entirely on the Internet Computer using the fingerprint sensor on their laptop, or FaceID on their phone. In each case, fantastic usability is provided, and even though public key cryptography is being securely applied within the secure chips inside of the devices involved, the users never have to touch key material themselves and benefit from a seamless, low friction experience.

Internet Identity is being constantly refined to make it compatible with more and more devices that support a web standard called WebAuthn. If you have an older device, and your browser does not support the standard in a way that works with Internet Identity (so that you can use, for example, a fingerprint sensor to authenticate), then you can augment it with an HSM device such as a YubiKey. This can be made convenient too. For example, you can purchase a YubiKey that supports NFC, that allows you to sign in via, say, a phone, just by tapping it with the key. Luckily, consumer devices are increasingly including such authenticators by default.

The way that Internet Identity enables users to securely authenticate to dapps on the blockchain via their devices is revolutionary.

You can try the Internet Identity authentication configurator directly at https://identity.ic0.app/ (the page comes directly from the Internet Computer blockchain).

This allows you to create identities known as IIs (pronounced eye-eyes). Each identity has an “Identity Anchor” that you can memorize to reconnect with it (Identity Anchors are deliberately short). These anchors are not secrets that unlock IIs in any way, but you shouldn’t share them.

You can create any number of IIs. For example, you might create an II for blockchain social media dapps, another II for DeFi and staking, and so on. To each II you can add any number of devices. For example, if you create an II for usage with social media, you might add the fingerprint sensor of your laptop, Face ID on your phone, and a YubiKey or two for backup (so if you lose your laptop and your phone, you can reconnect with the II, delete your old devices and add new ones).

When you authenticate to a dapp or service on the blockchain, it sees a dedicated pseudonym rather than a global identifier such as a phone number, which prevents you from being tracked across dapps and services and preserves your anonymity.

Imagine a world in which you can:

  1. Securely authenticate yourself online without ever needing an email, username, or password — using only your device to log in.
  2. Log in to internet services without ever being tracked and without your information being mined by tech companies.
  3. Authenticate yourself with a greater degree of convenience than with practically any kind of authentication system that you use today.

How Internet Identity works

Internet Identity builds on the WebAuthn protocol and uses secure cryptographic authentication, giving users three options to authenticate themselves:

  1. The built-in biometric authentication methods in your smartphone or your laptop (e.g., Face ID, Touch ID, or fingerprint scanner).
  2. The password or PIN that you normally use to unlock your computer or mobile phone.
  3. A security key plugged into the USB port of your computer (e.g., YubiKey).

When you first create an Internet Identity via the interactive web content at the blockchain web address https://identity.ic0.app, the security chip on your device will generate a unique cryptographic key for which the public key will be stored on the Internet Computer together with the Identity Anchor that is generated for you. The Identity Anchor is the umbrella identity under which you can reconnect to the II on the various devices you wish to use. You can use the Identity Anchor associated with an II to register new devices, so you can use applications seamlessly across all of your devices.

Take careful note of the Identity Anchors associated with each II that you use. If you lose the Identity Anchor, you will not be able to use Internet Identity to manage your devices or access your applications. Furthermore, it’s critical to add more than one authentication device under the same Identity Anchor for redundancy.

One major advantage of the Identity Anchor is that it is not security-sensitive. It is not tied to any PII (personally identifiable information), so it doesn’t matter if somebody learns an Identity Anchor (subject to the aforementioned concern).

For detailed steps on how to use Internet Identity, refer to:

How do users interact with dapps using Internet Identity?

When a user first loads the front end of a given canister smart contract (e.g., when using a dapp or “open internet service”, an autonomous dapp controlled by a tokenized governance system), that front end displays a button for users to authenticate themselves, similar to the Single Sign-On (“SSO”) services many are already familiar with.

When the user clicks the button, the browser opens a pop-up to Internet Identity, which lets the user manage their keys and identities.

Using Internet Identity, the user authenticates using the device and method of their choice, then authorizes access to the app. The browser is then redirected to the canister smart contract front end, which can access the canister under the user’s selected II. (This mechanism uses session keys and delegations: the canister front end generates a session key pair and transfers the public key to Internet Identity. If the user confirms, Internet Identity generates a delegation to that session key and returns it to the canister front end.)

Once you have verified your identity in the browser using one of the three methods already outlined, you are prompted to confirm your registration. To register your device, you will create an Identity Anchor. This Identity Anchor is unique, but it is not a secret, so you should save it in multiple places. Your browser will remember the Identity Anchor of the II that you used, but you will need it if you log in on a different computer, or if you clear your browser state. Again, if you lose your Identity Anchor and are logged out on all devices, you will not be able to use the II involved.

In contrast to signing in via Single Sign-On, the complete authentication flow in the identity provider happens on the user side, so there is much less exposure of private user actions and less risk of tracking by large tech corporations.

Notably, Internet Identity will also give the user a different pseudonymous identity for every canister front end that they log into, to prevent them being tracked, enhancing anonymity and privacy.

As a thought experiment, if Internet Identity DID NOT give the user a different identity for every canister front end they logged into, the Internet Identity would allow every front end to log in under the user’s single principal. If that user interacts with unrelated services — for example, a social media network and an e-commerce site — these unrelated companies could correlate the user’s behavior on these sites. And in the worst-case scenario, the front end of the social media network could now maliciously call the canisters of the e-commerce site and make orders posing as the user.

This is why Internet Identity provides a different pseudonymous identity to every dapp and service that a user interacts with using some particular II.

Improved authentication

Internet Identity enables you to authenticate securely and anonymously when you access decentralized applications (dapps) that use the authentication system.

Unlike most authentication services, your Internet Identity does not require you to set and manage passwords, generate a cryptographically secure seed phrase, or provide any personal identifying information to applications or to the service. Essentially, behind the scenes, Chain Key cryptography is used to certify each device that you associate with an II. Now you can use the authentication methods you choose such as facial recognition from a smartphone, your computer unlock password, or a security key.

Give it a try at https://identity.ic0.app. For a step-by-step guide to registering your devices, see our documentation.
_____

Stay tuned for more releases detailing the technologies behind the Internet Computer.

Start building at sdk.dfinity.org and join the developer community at forum.dfinity.org.


A DFINITY Foundation Resource
