Difference between revisions of "How to create an Internet Identity"

From Internet Computer Wiki
m (II recovery images)
 
(11 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
It has long been known that usernames and passwords have been a weak point of an individual's security on the web. In order to combat this and provide increased security to users on the Internet Computer (IC), the Internet Identity (II) blockchain authentication system was developed.
 +
Internet Identity enables you to use your devices to [https://support.dfinity.org/hc/en-us/articles/8858469084820 authenticate] and sign in pseudonymously to dapps on the Internet Computer. Anyone with a traditional HSM device, such as a YubiKey, or mobile devices that contain a TPM chip, such as a laptop or phone can generate Internet Identities and start using dapps on the IC.
  
The Internet Identity blockchain authentication system enables you to sign in securely and anonymously to dapps on the Internet Computer.  
+
==Getting Started==
 +
[[File:Welcome.png|right|200px|Internet Identity welcome page]]Suppose you want to interact with dapps running on the Internet Computer. It's often the case that you will need to authenticate or login to access and use the features of the dapp. Currently, the easiest way to authenticate is by using an identity anchor obtained from Internet Identity.
  
==Getting Started==
+
Internet Identity associates each identity anchor with a unique user number. Dapps the user logs in to do not learn this user number. Instead, Internet Identity creates a pseudonymous identifier on a per user, per dapp basis. The dapp can see it is the same user that logged in before, but does not know user it is or whether the user also uses other dapps.
[[File:Welcome.png|right|200px|Internet Identity welcome page]]Suppose you want to interact with dapps running on the Internet Computer. It's often the case that you will need to authenticate or login to access and use the features of the dapp. Currently, the easiest way to authenticate is by using an identity anchor obtained from Internet Identity (II).
 
  
An identity anchor can be thought of as a universal user-number that you will need to login to any dapp that supports Internet Identity.
+
[https://www.youtube.com/watch?v=oxEr8UzGeBo Click here] to see a demo video of Internet Identity, while below the steps to get started with your own internet identity are described.
  
 
The quickest way to get started and generate an identity anchor, is to navigate directly to the Internet Identity dapp: https://identity.ic0.app/
 
The quickest way to get started and generate an identity anchor, is to navigate directly to the Internet Identity dapp: https://identity.ic0.app/
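Review bot: In the added paragraph beginning "Internet Identity associates each identity anchor with a unique user number", the last sentence reads "but does not know user it is"; a word is missing, and "does not know which user it is" is presumably what was meant. The added intro sentence "such as a laptop or phone can generate Internet Identities" also needs a comma after "phone" to close the parenthetical.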
Line 11: Line 13:
  
 
Alternatively, if you are trying to access a dapp, for example the NNS frontend dapp, you will see that you are prompted to login. When clicking the login button, you will be redirected to the Internet Identity screen (as seen on the right) where you can either login if you have an identity anchor, or create a new one if you don't.  
 
Alternatively, if you are trying to access a dapp, for example the NNS frontend dapp, you will see that you are prompted to login. When clicking the login button, you will be redirected to the Internet Identity screen (as seen on the right) where you can either login if you have an identity anchor, or create a new one if you don't.  
 +
 +
You will have to do this on a device that offers a method of authentication that Internet Identities can work with such as a fingerprint reader or face lock/unlock features. If your computer or phone do not offer these, then a security key such as a Yubikey can be purchased.
  
 
==Creating an Anchor==
 
==Creating an Anchor==
[[File:ii_anchor_created.png|right|200px|Internet Identity welcome page]]After selecting that you would like to create an Internet identity anchor on the II homepage, you will be directed to a screen where you are prompted to provide the name of the device on which you are generating the Anchor, e.g. iPhone, Laptop, Yubikey.  
+
[[File:ii_anchor_created.png|right|200px|Internet Identity welcome page]]When you select that you would like to create an Internet identity anchor on the II homepage, you will be directed to a screen where you are prompted to provide the name of the device on which you are generating the anchor. Detailed directions for different types of devices are available for [https://support.dfinity.org/hc/en-us/articles/8286962694420-How-do-I-add-a-phone-to-my-Internet-Identity- iPhone or Android phone] with fingerprint recognition, [https://support.dfinity.org/hc/en-us/articles/4403351925140-How-do-I-add-another-computer-to-my-Internet-Identity- laptops], and [https://support.dfinity.org/hc/en-us/articles/8286962818964-How-do-I-add-a-physical-security-key-to-my-Internet-Identity- a security device] such as a Yubikey.  
 +
 
 
Upon entering the device name, your device will prompt you to allow "identity.ic0.app" to use either a dedicated security key, or with an authentication method of the device you are using, if that option is available.
 
Upon entering the device name, your device will prompt you to allow "identity.ic0.app" to use either a dedicated security key, or with an authentication method of the device you are using, if that option is available.
 
For example, if your device has biometrics enabled to unlock it, you might see the option to use those as your authentication method. You can also use the password that unlocks your computer or a pin that unlocks your phone, depending on the device you’re using.
 
For example, if your device has biometrics enabled to unlock it, you might see the option to use those as your authentication method. You can also use the password that unlocks your computer or a pin that unlocks your phone, depending on the device you’re using.
Line 20: Line 25:
 
After that, you will be redirected to a screen which displays your newly created identity anchor! Note that on this screen there is a suggestion to record your identity anchor number. This is the number that you will need to enter to authenticate to dapps running on the IC.  
 
After that, you will be redirected to a screen which displays your newly created identity anchor! Note that on this screen there is a suggestion to record your identity anchor number. This is the number that you will need to enter to authenticate to dapps running on the IC.  
  
==Account recovery==
+
==Establishing recovery methods==
 
After creating your identity anchor, you will be directed to a page that allows to add a recovery mechanism, or to skip this step. There is a warning here, which notes that if your browser history is cleared, your authentication keys will be deleted from this device. For this reason, it's highly recommended to assign multiple devices or to use a security key or a seed phrase as a recovery mechanism. When you select to add a recovery mechanism, you are given two choices; either generate a seed phrase which you should store securely, or to use an extra security key. [[File:ii_setup_recovery.png|right|200px|Internet Identity recovery setup]]
 
After creating your identity anchor, you will be directed to a page that allows to add a recovery mechanism, or to skip this step. There is a warning here, which notes that if your browser history is cleared, your authentication keys will be deleted from this device. For this reason, it's highly recommended to assign multiple devices or to use a security key or a seed phrase as a recovery mechanism. When you select to add a recovery mechanism, you are given two choices; either generate a seed phrase which you should store securely, or to use an extra security key. [[File:ii_setup_recovery.png|right|200px|Internet Identity recovery setup]]
 
===Seed phrase===
 
===Seed phrase===
Line 27: Line 32:
 
If you choose not to use a seed phrase as a recovery method, you can use a dedicated security key to recover an identity anchor in the event that you lose access to your authorized devices. This key must be different from the ones you actively use to authenticate to Internet Identity using the given identity anchor. Keep this key somewhere safe and ensure it is available only to you. As above, anyone in possession of this security key will be able to take full control of your identity anchor. You will need to know the identity anchor to begin recovery.  
 
If you choose not to use a seed phrase as a recovery method, you can use a dedicated security key to recover an identity anchor in the event that you lose access to your authorized devices. This key must be different from the ones you actively use to authenticate to Internet Identity using the given identity anchor. Keep this key somewhere safe and ensure it is available only to you. As above, anyone in possession of this security key will be able to take full control of your identity anchor. You will need to know the identity anchor to begin recovery.  
 
===Skip this step===
 
===Skip this step===
It is not advisable to skip this step, unless you are sure that you will not need to remember this Anchor.  
+
It is not advisable to skip this step, unless you are sure that you will not need to remember this anchor.  
  
 
==Adding a Second Device==
 
==Adding a Second Device==
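Review bot: Under "Skip this step", the wording "unless you are sure that you will not need to remember this anchor" reads oddly, because the surrounding section is about recovery mechanisms rather than remembering the number; consider "will not need to recover this anchor". The revision only lowercases "Anchor" on this line, so the wording could be fixed in the same edit.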
Line 48: Line 53:
 
If you have lost your anchor number and no longer have access to your authorized devices, you can recover your lost identity using either the seed phrase or the security key used during the initial setup process.  
 
If you have lost your anchor number and no longer have access to your authorized devices, you can recover your lost identity using either the seed phrase or the security key used during the initial setup process.  
 
[[File:ii_seedphrase.png|right|200px|Recover a lost identity with seed phrase]]
 
[[File:ii_seedphrase.png|right|200px|Recover a lost identity with seed phrase]]
To recover your lost identity, first navigate to https://identity.ic0.app/ and select the '''Lost access and want to recover?''' link at the bottom of the page. After this, you will be directed to a page asking to enter the anchor number for the lost identity. Note that the first string of the seed phrase is the anchor number, so you can always find it there. Once you enter the anchor number for the identity you are trying to recover, you will be directed to a page that requires you to enter your seed phrase. Once you copy your seed phrase and click continue, your identity will be recovered.  
+
To recover your lost identity, first navigate to https://identity.ic0.app/ and select the '''Lost access and want to recover?''' link at the bottom of the page.  
 +
After this, you will be directed to a page asking to enter the anchor number for the lost identity. Note that the first string of the seed phrase is the anchor number, so you can always find it there. Once you enter the anchor number for the identity you are trying to recover, you will be directed to a page that requires you to enter your seed phrase. Once you copy your seed phrase and click continue, your identity will be recovered.  
  
  
Line 62: Line 68:
 
===Availability===
 
===Availability===
 
Since an anchor's key material is generated and stored on the user's device, it is not the case that a particular service or application can hinder the availability of an individual's anchor as a method of authentication.
 
Since an anchor's key material is generated and stored on the user's device, it is not the case that a particular service or application can hinder the availability of an individual's anchor as a method of authentication.
 +
 +
==Quick Links==
 +
* For a more technical overview check the [[Internet_Identity_technical_overview|II technical overview]] page.
 +
* [https://medium.com/dfinity/internet-identity-the-end-of-usernames-and-passwords-ff45e4861bf7 Internet Identity Medium post] which gives an overview of Internet Identity and how to get started.
 +
* [https://medium.com/dfinity/web-authentication-and-identity-on-the-internet-computer-a9bd5754c547 Web authentication medium post] where Björn Tackmann gives an overview of the core ideas of web authentication and describes how Internet Identity came to be the way it is.
 +
* [https://www.youtube.com/watch?v=oxEr8UzGeBo Video Demo] showcasing Internet Identity and showing how to generate an anchor.
 +
* [https://smartcontracts.org/docs/ic-identity-guide/what-is-ic-identity.html Developer Centre] introduction to Internet Identity.
  
 
==FAQ==
 
==FAQ==
  
 
===Do I need to use Internet Identity to use all dapps on the IC?===
 
===Do I need to use Internet Identity to use all dapps on the IC?===
No, II is an authentication ''option'' that can be used by the developers of the dapps. Developers may choose they do not need authentication, or if they do want authentication, they can use anything else. II is very popular because building authentication systems is very hard to do securely so it is a boon for many developers, but they can choose to use something else if they find their users do not need it.
+
No, II is an authentication ''option'' that can be used by the developers of the dapps. Developers may choose they do not need authentication, or if they do want authentication, they may opt for another solution. II is very popular because building authentication systems is very hard to do securely so it is helpful for developers but they have freedom of choice.
  
 
Examples:
 
Examples:
* [https://m7sm4-2iaaa-aaaab-qabra-cai.raw.ic0.app/ Motoko Playground] is a dapp on the IC that does not require II.
+
* [https://m7sm4-2iaaa-aaaab-qabra-cai.raw.ic0.app/ Motoko Playground] is an example of a dapp on the IC that does not require II and instead allows direct anonymous usage.
  
 
===How do I get an identity anchor from Internet Identity?===
 
===How do I get an identity anchor from Internet Identity?===
Line 82: Line 95:
 
If you lose your device and want to recover, you can click on the 'Lost access and want to recover' link at https://identity.ic0.app/.
 
If you lose your device and want to recover, you can click on the 'Lost access and want to recover' link at https://identity.ic0.app/.
  
If you have an identity anchor tied to only one device and you lose that one device, you will be locked out. As a best practice, we recommend adding multiple devices and recovery mechanisms to every identity anchor.
+
If you have an identity anchor tied to only one device and you lose that one device, you will be locked out. As a best practice, it is recommended to add multiple devices and recovery mechanisms to every identity anchor.
  
 
===How can I add more devices?===
 
===How can I add more devices?===
Line 90: Line 103:
  
 
===Does Internet Identity share my personal information with dapps when I authenticate?===
 
===Does Internet Identity share my personal information with dapps when I authenticate?===
No. Internet Identity uses a different Principal (a "pseudonym") for each dapp that you authenticate to using Internet Identity. Since the pseudonyms Internet Identity generates for you are different for each dapp, dapps cannot use them to track you outside of their realm.
+
No. Internet Identity uses a different principal (a "pseudonym") for each dapp that you authenticate to using Internet Identity. Since the pseudonyms Internet Identity generates for you are different for each dapp, dapps cannot use them to track you outside of their realm.
  
 
===Does Internet Identity support Windows Hello?===
 
===Does Internet Identity support Windows Hello?===
Line 104: Line 117:
 
=== Is there a way to revoke a dapp's access to my identity anchor?===
 
=== Is there a way to revoke a dapp's access to my identity anchor?===
 
There is no explicit revocation method, but privilege delegation to Internet Identity is limited in time, so will expire. Alternatively, simply once the browser tab is closed, the delegation is gone.
 
There is no explicit revocation method, but privilege delegation to Internet Identity is limited in time, so will expire. Alternatively, simply once the browser tab is closed, the delegation is gone.
 +
 +
==See Also==
 +
* '''The Internet Computer project website (hosted on the IC): [https://internetcomputer.org/ internetcomputer.org]'''

Latest revision as of 14:43, 27 February 2023

It has long been known that usernames and passwords are a weak point of an individual's security on the web. To combat this and provide increased security to users on the Internet Computer (IC), the Internet Identity (II) blockchain authentication system was developed. Internet Identity enables you to use your devices to authenticate and sign in pseudonymously to dapps on the Internet Computer. Anyone with a traditional HSM device, such as a YubiKey, or a mobile device that contains a TPM chip, such as a laptop or phone, can generate Internet Identities and start using dapps on the IC.

Getting Started

Internet Identity welcome page

Suppose you want to interact with dapps running on the Internet Computer. You will often need to authenticate or log in to access and use the features of the dapp. Currently, the easiest way to authenticate is by using an identity anchor obtained from Internet Identity.

Internet Identity associates each identity anchor with a unique user number. Dapps the user logs in to do not learn this user number. Instead, Internet Identity creates a pseudonymous identifier on a per-user, per-dapp basis. The dapp can see it is the same user that logged in before, but does not know which user it is or whether the user also uses other dapps.

A demo video of Internet Identity is available at https://www.youtube.com/watch?v=oxEr8UzGeBo. The steps to get started with your own Internet Identity are described below.

The quickest way to get started and generate an identity anchor is to navigate directly to the Internet Identity dapp: https://identity.ic0.app/. Here, you will be welcomed with a screen prompting you to enter your identity anchor. If you are just getting started, then you need to create an identity anchor by selecting Create an Internet Identity Anchor.

Alternatively, if you are trying to access a dapp, for example the NNS frontend dapp, you will see that you are prompted to log in. When you click the login button, you will be redirected to the Internet Identity screen (as seen on the right) where you can either log in if you have an identity anchor, or create a new one if you don't.

You will have to do this on a device that offers a method of authentication that Internet Identity can work with, such as a fingerprint reader or face lock/unlock features. If your computer or phone does not offer these, then a security key such as a Yubikey can be purchased.

Creating an Anchor

Internet Identity welcome page

When you choose to create an Internet Identity anchor on the II homepage, you will be directed to a screen where you are prompted to provide the name of the device on which you are generating the anchor. Detailed directions for different types of devices are available for iPhone or Android phone with fingerprint recognition, laptops, and a security device such as a Yubikey.

Upon entering the device name, your device will prompt you to allow "identity.ic0.app" to use either a dedicated security key or an authentication method of the device you are using, if that option is available. For example, if your device has biometrics enabled to unlock it, you might see the option to use those as your authentication method. You can also use the password that unlocks your computer or a PIN that unlocks your phone, depending on the device you’re using.

Once you grant access, you will be redirected to solve a captcha. After solving this, you will be prompted to choose an account to sign in to "identity.ic0.app". If you are registering for the first time, you can select to sign in with the Passkey (which was generated and is stored on your device); otherwise you can choose to sign in with an external security key. After that, you will be redirected to a screen which displays your newly created identity anchor! Note that on this screen there is a suggestion to record your identity anchor number. This is the number that you will need to enter to authenticate to dapps running on the IC.

Establishing recovery methods

After creating your identity anchor, you will be directed to a page that allows you to add a recovery mechanism, or to skip this step. There is a warning here, which notes that if your browser history is cleared, your authentication keys will be deleted from this device. For this reason, it's highly recommended to assign multiple devices or to use a security key or a seed phrase as a recovery mechanism. When you select to add a recovery mechanism, you are given two choices: either generate a seed phrase, which you should store securely, or use an extra security key.

Internet Identity recovery setup

Seed phrase

If you have used digital wallets before, perhaps you are used to securely maintaining seed phrases; if not, it is never too late to learn. Selecting this option generates a cryptographically secure seed phrase that you can use to recover an identity anchor. Make sure you store this phrase somewhere safe and that it is known only to you, as anyone who knows the seed phrase will be able to take full control of this identity anchor. Note that the first string in your seed phrase is the identity anchor. You will need this number to begin the recovery process.

Security key

If you choose not to use a seed phrase as a recovery method, you can use a dedicated security key to recover an identity anchor in the event that you lose access to your authorized devices. This key must be different from the ones you actively use to authenticate to Internet Identity using the given identity anchor. Keep this key somewhere safe and ensure it is available only to you. As above, anyone in possession of this security key will be able to take full control of your identity anchor. You will need to know the identity anchor to begin recovery.

Skip this step

It is not advisable to skip this step, unless you are sure that you will not need to remember this anchor.

Adding a Second Device

Internet Identity adding a new device

It is good practice to add a second device for a number of reasons.

  • It is often the case that you will want to log in to dapps from more than one device, e.g. from a mobile phone, and later from a laptop.
  • Adding a second device allows you to more easily recover your anchor or account should it get lost from one device.

The most straightforward way to add a second device is to navigate to https://identity.ic0.app/ on the device that you would like to add. Once there, you can select the option "Already have an Anchor but using a new device". After clicking this, you will be directed to a page where you can enter your existing identity anchor. Upon entering your anchor number and clicking continue, you will be prompted to allow access to either a security key, or your current device. Choose your preference (e.g. Yubikey or fingerprint scan), and then you will be directed to a screen displaying a URL (and its equivalent QR code).

Internet Identity adding a new device link

To add the new device, you need to enter the URL or scan the QR code on the original device with which you first authenticated. For example, if you originally generated your identity anchor on a mobile phone, and now are attempting to add your laptop as a second device, you should scan the QR code generated on the laptop with your phone.

Upon scanning the QR code with the original device, you will be directed to the app where you can confirm that you are attempting to add a new device. Once you confirm, you will be asked to name the new device (in the example above, an appropriate name would be 'Laptop'). After this, both devices should appear in the Anchor Management page of identity.ic0.app.

Authenticating

When you have created an identity anchor and added devices, logging into dapps is a simple process. When you navigate to a dapp that supports authenticating with Internet Identity, simply click on the login button to be directed to the II frontend where you can enter your anchor number and authenticate.

After this, you will be directed to a page requiring you to authorize the authentication. After selecting Proceed you will finalize the authentication process and be redirected and logged in to the dapp.

Recover a lost identity

Recovering a lost identity

If you have lost your anchor number and no longer have access to your authorized devices, you can recover your lost identity using either the seed phrase or the security key used during the initial setup process.

Recover a lost identity with seed phrase

To recover your lost identity, first navigate to https://identity.ic0.app/ and select the "Lost access and want to recover?" link at the bottom of the page. After this, you will be directed to a page asking you to enter the anchor number for the lost identity. Note that the first string of the seed phrase is the anchor number, so you can always find it there. Once you enter the anchor number for the identity you are trying to recover, you will be directed to a page that requires you to enter your seed phrase. Once you copy your seed phrase and click continue, your identity will be recovered.

Note that the recovery page on the II dapp is the only page in which you should ever enter your seed phrase.

Key Features

Ease of Use

Internet Identity provides a secure way for users to generate identity anchors and authenticate to applications running on the Internet Computer without the need to remember and manage passwords.

Privacy

No personally identifying information is needed to generate an anchor. Because Internet Identity generates different pseudonyms for different applications, users' interactions across dapps cannot be tracked.

Availability

Since an anchor's key material is generated and stored on the user's device, no particular service or application can hinder the availability of an individual's anchor as a method of authentication.

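Quick Links

  • For a more technical overview check the II technical overview page.
  • Internet Identity Medium post (https://medium.com/dfinity/internet-identity-the-end-of-usernames-and-passwords-ff45e4861bf7), which gives an overview of Internet Identity and how to get started.
  • Web authentication Medium post (https://medium.com/dfinity/web-authentication-and-identity-on-the-internet-computer-a9bd5754c547), where Björn Tackmann gives an overview of the core ideas of web authentication and describes how Internet Identity came to be the way it is.
  • Video demo (https://www.youtube.com/watch?v=oxEr8UzGeBo) showcasing Internet Identity and showing how to generate an anchor.
  • Developer Centre introduction to Internet Identity (https://smartcontracts.org/docs/ic-identity-guide/what-is-ic-identity.html).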

FAQ

Do I need to use Internet Identity to use all dapps on the IC?

No, II is an authentication option that can be used by the developers of the dapps. Developers may decide they do not need authentication, or if they do want authentication, they may opt for another solution. II is very popular because building authentication systems is very hard to do securely, so it is helpful for developers, but they have freedom of choice.

Examples:

  • Motoko Playground is an example of a dapp on the IC that does not require II and instead allows direct anonymous usage.

How do I get an identity anchor from Internet Identity?

The one and only place to generate an identity anchor is https://identity.ic0.app/.

Detailed instructions can be found by visiting https://smartcontracts.org/docs/ic-identity-guide/auth-how-to.html

Do I really need to link another device or save the seed-phrase?

Although it is not necessary, it is really useful to link another device or to save the seed-phrase in case you lose access to your identity anchor on a particular device. Further, as your identity anchor may be used to generate accounts for wallets or dapps, access to these may also be lost if you lose access to your identity anchor.

What happens if I lose my device?

If you lose your device and want to recover, you can click on the 'Lost access and want to recover' link at https://identity.ic0.app/.

If you have an identity anchor tied to only one device and you lose that one device, you will be locked out. As a best practice, it is recommended to add multiple devices and recovery mechanisms to every identity anchor.

How can I add more devices?

If you want to add another device, you can click on the 'Already have an anchor but using a new device?' link at https://identity.ic0.app/

Detailed instructions can be found here: https://smartcontracts.org/docs/ic-identity-guide/auth-how-to.html#_add_a_device

Does Internet Identity share my personal information with dapps when I authenticate?

No. Internet Identity uses a different principal (a "pseudonym") for each dapp that you authenticate to using Internet Identity. Since the pseudonyms Internet Identity generates for you are different for each dapp, dapps cannot use them to track you outside of their realm.
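
The per-user, per-dapp pseudonyms described in this answer and under Getting Started can be illustrated with a small derivation, compared against handing every dapp the raw anchor number. This is an added example, not Internet Identity's own code or its actual derivation: it assumes a keyed hash (HMAC-SHA-256) over the anchor number and the dapp origin, and the salt, origins and anchor numbers are constructed values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not real II parameters).
SERVICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
DAPP_A = "https://dapp-a.example"
DAPP_B = "https://dapp-b.example"


def length_prefixed(*fields: bytes) -> bytes:
    """Encode fields unambiguously, so (b"1", b"2x") and (b"12", b"x")
    never produce the same byte string."""
    out = bytearray()
    for field in fields:
        if len(field) > 255:
            raise ValueError("field too long for a 1-byte length prefix")
        out.append(len(field))
        out += field
    return bytes(out)


def pseudonym(salt: bytes, anchor_number: int, dapp_origin: str) -> str:
    """Derive a stable identifier for one (user, dapp) pair.

    Illustrative construction only: the dapp receives this value and
    never the anchor number or the salt.
    """
    if anchor_number < 0:
        raise ValueError("anchor number must be non-negative")
    msg = length_prefixed(str(anchor_number).encode(), dapp_origin.encode())
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def linkable_users(ids_seen_by_a, ids_seen_by_b) -> set:
    """What two dapps comparing their user tables can link:
    identifiers that appear in both."""
    return set(ids_seen_by_a) & set(ids_seen_by_b)


def demo() -> dict:
    anchors = [10001, 10002, 10003]  # constructed anchor numbers

    # Weak design: each dapp is handed the raw anchor number.
    raw_a = [str(a) for a in anchors]
    raw_b = [str(a) for a in anchors[:2]]

    # Pairwise design: each dapp sees a pseudonym bound to its own origin.
    pw_a = [pseudonym(SERVICE_SALT, a, DAPP_A) for a in anchors]
    pw_b = [pseudonym(SERVICE_SALT, a, DAPP_B) for a in anchors[:2]]

    return {
        # Users the two dapps can match when raw numbers are shared.
        "raw_linked": len(linkable_users(raw_a, raw_b)),
        # Users they can match when each dapp gets its own pseudonym.
        "pairwise_linked": len(linkable_users(pw_a, pw_b)),
        # A returning user is still recognised by the same dapp.
        "stable_for_same_dapp":
            pseudonym(SERVICE_SALT, anchors[0], DAPP_A) == pw_a[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
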

Does Internet Identity support Windows Hello?

Yes! Internet Identity supports authenticating via Windows Hello. If Windows Hello is set up on your PC, then Internet Identity will offer you the option to authenticate through Windows Hello.

Detailed instructions can be found here: https://smartcontracts.org/docs/ic-identity-guide/hello-guide.html

Why can't I log in with a new device?

If you can't log in with an existing identity anchor, it may be the case that the anchor hasn't been added to the new device. If this is the case, simply visit https://identity.ic0.app/, click on the 'Already have an anchor but using a new device?' link, add the device and try again.

It may also be the case that the face ID or the fingerprint system is not enabled on the device. Ensure that these are enabled, and try to log in again.

Is there a way to revoke a dapp's access to my identity anchor?

There is no explicit revocation method, but privilege delegation to Internet Identity is limited in time, so it will expire. Alternatively, once the browser tab is closed, the delegation is gone.

See Also

  • The Internet Computer project website (hosted on the IC): https://internetcomputer.org/