Internet Identity: Easy Web3 Authentication
An introduction to secure blockchain authentication supported by the Internet Computer.
Internet Identity allows users to create sessions with Web3 services and dapps, and sign traditional blockchain transactions. They can do this with supreme security, ease and convenience, and in a completely decentralized way.
Creating a session using Internet Identity
The gif below shows someone creating a session on a Web3 service (or “dapp”) that’s running 100% from the Internet Computer (IC) blockchain.
They are “signing-on” using blockchain technology.
What just happened?
The person is using the the fingerprint sensor on their laptop to authenticate themselves and log on to a messaging dapp called OpenChat, which anyone can access using a web browser.
Had they been using their phone, they might have used Face ID…
Internet Identity allows them to sign-on to accounts on Web3 services and dapps from any of their devices. It also allows the use of special authentication devices such as a Ledger wallet or YubiKey.
Once you have an Internet Identity “anchor,” you can assign multiple devices without limit, and easily remove old devices. Possession and control of the physical devices is what gives you quick access.
With Internet Identity, here are some things you don’t have to do:
- Remember a password.
- Keep your password safe from hackers.
- Keep a private key handy (e.g. a seed phrase)
- Keep your private key safe from hackers.
So what is happening in the above video when the user touches their fingerprint sensor to sign-on to their OpenChat account?
Out of sight, inside their laptop, there is a special secure chip called a “TPM” (most modern personal computing devices, including phones, now have one) which is used to maintain a copy of “private keys” for the owner. When the user presses their fingerprint sensor, it lets the TPM know that it can cryptographically sign a new Web3 session using the private key assigned to the service, which signs the user in.
What’s amazing about this system is that the private keys never leave the TPM. In fact, it’s impossible for anyone, including the user, to obtain copies of the private keys inside, because the TPM won’t share them, and the hardware is tamperproof. This means nobody can steal them, ever!
Internet Identity also keeps users anonymous, by preventing them from being tracked across services they use.
Every user of Internet Identity (II), an advanced blockchain authentication system tailored for Web3, gets all these benefits.
When compared with old-school blockchain authentication methods, in many respects Internet Identity provides a quantum leap forward in security, usability and decentralization — enabled behind the scenes by modern cryptography.
Some people say Internet Identity should now replace username/passwords and old-school blockchain authentication.
Why do we need this?
It would be difficult to find a single internet user who has not faced either user experience or security issues when authenticating to web services.
With traditional web2 applications, often a username and password is required to authenticate. The username/password model has a number of shortcomings, most notably:
- Username/password pairs are generally stored in centralized databases which are increasingly prone to be breached. There’s even a convenient website to check if your email or passwords have appeared in publicly released data leaks.
- User-chosen passwords are easily crackable by machines. To quote xkcd on password strength:
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
Yet, there is a recent success story from the world of web2 authentication; web authentication was standardized by the W3C and recommends using a second factor to authenticate to web services. Studies show that now 83% of people are somewhat or very familiar with 2 factor authentication 🥳
Web authentication also popularized delegation. By logging in to one service (e.g. Google or Facebook), a user can delegate authentication to that service — this is what you know as ‘sign in with BigTech’ — which massively simplified the password problem for users.
Before we get too excited, what’s the state of web3 authentication?
Because of the design of many blockchains, it’s necessary to hold tokens to pay for interaction (e.g. via transaction or gas fees) which are often stored in a (browser or hardware) wallet. When a user creates a wallet, they generate a public/private key pair which roughly correspond to the username and password pair of web2.
However, rather than sending the public/private keys to be checked against records in a database, the private key (which never leaves the user’s device) is used to sign an interaction thereby generating a digital signature, which can be later verified by the public key (which is accessible to everyone.)
So, in web3, the password/private key never leaves the device — this seems like progress, right? Perhaps, but it’s also a case of ‘one step forward, two steps back..’ We’re reverted to a single factor of authentication, so anyone with access to the user’s device can sign interactions, and it leaves the user open to the phishing attacks seen so often in web2.
It’s also slow. Because it’s required to sign every blockchain interaction, it means the user has to sit there clicking sign for much too long.
Why is Internet Identity different?
It takes the best of both worlds. When a user creates an Internet Identity, a public and private key pair are generated (à la web3 wallets), then delegation (à la web2) is used to create a session allowing the user to interact with the blockchain via a web3 dapp without needing to authenticate every time.
If we revisit the gif above, we saw the OpenChat app (which has integrated II) generate a short-term session key. This session key was then signed by the user (via the fingerprint sensor) creating a scoped delegation allowing OpenChat to authenticate the user and provide access to all its functions.
Session Creation A new session is created for each dapp that a user authenticates to using their II. This is made possible by leveraging chain key cryptography.
Delegation Instead of requiring a user to confirm each request to and from the IC, we wrap requests in a session and delegate scoped confirmation to the app for a period of time.
It should start to become clear now that Internet Identity is very much inspired by, and builds upon, web authentication.
Why not call it ‘Internet Authentication?’
This is a great question which has a subtle but meaningful answer. While it’s true that we talk a lot about the ‘end of passwords’ and web/internet service authentication, there’s an elephant in the room that often goes unmentioned; the username.
- Usernames in web2 services generally correspond (one way or another) to an email address. This means that there’s a unique identifier for a given user that can be used to track logins across different apps and services (notably by Google or Facebook via ‘sign in with BigTech’ services).
- In web3 users are identified by the public key of their browser wallet and given the public nature of popular blockchain protocols, anyone can search a user’s key in a block explorer and find every interaction the user has made with the blockchain.
Your email address or your public key is your digital name, coupled with a password or private key, forms your digital identity. It has become more common to have multiple email addresses (e.g. personal, social, work) or wallets which helps to spread any threat to your digital identity, but, as we’ve seen earlier, adding complexity to password or key management leaves the user more vulnerable. Moreover, it’s often the case that our different accounts and our different sessions are all created and managed by the same single centralized service, resulting in what some might call, privacy theatre. 🎭
There are two key elements that shift II from being an authentication protocol to being an identity service:
- Unlinkability is provided across apps. As there is no central authority issuing and managing Identities, this means that two different dapps creating sessions with a single II, will not be able to distinguish where it’s the same underlying user or not.
- Short & memorable anchors allow users to easily create and manage multiple identites for use across different devices and for different purposes.
- The Reverse gas model of canister smart contracts running on the IC mandates that dapp developers pay the computation on the blockchain. This means that users can interact with dapps without needing to own or store tokens — this allows to decouple financial activity with a general digital presence.
And so we have Internet Identity
The best of both worlds, and more. Throughout this journey we’ve seen that by using Internet Identity, you can:
- Securely authenticate yourself online without ever needing an email, username, or password — using only your device to log in.
- Log in to internet services without ever being tracked and without your information being mined by tech companies.
- Authenticate yourself with a greater degree of convenience than with practically any kind of authentication system that you use today.
You can generate an Internet Identity directly at https://identity.ic0.app/ (the frontend is also served directly from the IC).
To have a full walkthrough of getting your own Internet Identity, how to set up multiple devices, and how to add recovery methods, see the wiki article:
For a more detailed dive down the Identity rabbit hole, see Director of Research Björn Tackmann’s post:
If you’re a developer and would like to leverage Internet Identity as authentication method for your dapp, see the documentation:
The way that Internet Identity enables users to securely authenticate to dapps on the blockchain via their devices is revolutionary.
See a demo from when Internet Identity launched!
Give it a try at https://identity.ic0.app. For a step-by-step guide to registering your devices, see our documentation.
_____
Stay tuned for more releases detailing the technologies behind the Internet Computer.
