How to create an Internet Identity
It has long been known that usernames and passwords have been a weak point of an individual's security on the web. In order to combat this and provide increased security to users on the Internet Computer (IC), the Internet Identity (II) blockchain authentication system was developed. Internet Identity enables you to use your devices to authenticate and sign in pseudonymously to dapps on the Internet Computer. Anyone with a traditional HSM device, such as a YubiKey, or mobile devices that contain a TPM chip, such as a laptop or phone can generate Internet Identities and start using dapps on the IC.
Suppose you want to interact with dapps running on the Internet Computer. It's often the case that you will need to authenticate or login to access and use the features of the dapp. Currently, the easiest way to authenticate is by using an identity anchor obtained from Internet Identity.
Internet Identity associates each identity anchor with a unique user number. Dapps the user logs in to do not learn this user number. Instead, Internet Identity creates a pseudonymous identifier on a per user, per dapp basis. The dapp can see it is the same user that logged in before, but does not know user it is or whether the user also uses other dapps.
Click here to see a demo video of Internet Identity, while below the steps to get started with your own internet identity are described.
The quickest way to get started and generate an identity anchor, is to navigate directly to the Internet Identity dapp: https://identity.ic0.app/ Here, you will be welcomed with a screen prompting you to enter your identity anchor. If you are just getting started, then you need to create an identity anchor by selecting Create an Internet Identity Anchor.
Alternatively, if you are trying to access a dapp, for example the NNS frontend dapp, you will see that you are prompted to login. When clicking the login button, you will be redirected to the Internet Identity screen (as seen on the right) where you can either login if you have an identity anchor, or create a new one if you don't.
Creating an Anchor
When you select that you would like to create an Internet identity anchor on the II homepage, you will be directed to a screen where you are prompted to provide the name of the device on which you are generating the anchor, e.g. iPhone, Laptop, Yubikey.
Upon entering the device name, your device will prompt you to allow "identity.ic0.app" to use either a dedicated security key, or with an authentication method of the device you are using, if that option is available. For example, if your device has biometrics enabled to unlock it, you might see the option to use those as your authentication method. You can also use the password that unlocks your computer or a pin that unlocks your phone, depending on the device you’re using.
Once you grant access, you will be redirected to solve a captcha. After solving this, you will be prompted to choose an account to sign in to "identity.ic0.app". If you are registering for the first time you can select to sign in with the Passkey (which was generated and is stored on your device) otherwise you can choose to sign in with an external security key. After that, you will be redirected to a screen which displays your newly created identity anchor! Note that on this screen there is a suggestion to record your identity anchor number. This is the number that you will need to enter to authenticate to dapps running on the IC.
Establishing recovery methods
After creating your identity anchor, you will be directed to a page that allows to add a recovery mechanism, or to skip this step. There is a warning here, which notes that if your browser history is cleared, your authentication keys will be deleted from this device. For this reason, it's highly recommended to assign multiple devices or to use a security key or a seed phrase as a recovery mechanism. When you select to add a recovery mechanism, you are given two choices; either generate a seed phrase which you should store securely, or to use an extra security key.
If you have used digital wallets before, perhaps you are used to securely maintaining seed phrases, if not, it is never too late to learn. Selecting this option generates a cryptographically-secure seed phrase that you can use to recover an identity anchor. Make sure you store this phrase somewhere safe and it is known only to you, as anyone who knows the seed phrase will be able to take full control of this identity anchor. Note that the first string in your seed phrase is the identity anchor. You will need this number to begin the recovery process.
If you choose not to use a seed phrase as a recovery method, you can use a dedicated security key to recover an identity anchor in the event that you lose access to your authorized devices. This key must be different from the ones you actively use to authenticate to Internet Identity using the given identity anchor. Keep this key somewhere safe and ensure it is available only to you. As above, anyone in possession of this security key will be able to take full control of your identity anchor. You will need to know the identity anchor to begin recovery.
Skip this step
It is not advisable to skip this step, unless you are sure that you will not need to remember this anchor.
Adding a Second Device
It is good practice to add a second device for a number of reasons.
- It is often the case that you will want to login to dapps from more than one device, eg. from a mobile phone, and later from a laptop.
- Adding a second device allows to more easily recover your anchor or account should it get lost from one device.
The most straight forward way to add a second device is to navigate to https://identity.ic0.app/ on the device that you would like to add. Once there, you can select the option "Already have an Anchor but using a new device". After clicking this, you will be directed to a page where you can enter your existing identity anchor. Upon entering your anchor number and clicking continue, you will be prompted to allow access to either a security key, or your current device. Choose your preference (e.g. Yubikey or fingerprint scan), and then you will be directed to a screen displaying a url (and its equivalent QR code).
To add the new device, you need to enter the url or scan the QR code on the original device with which you first authenticated. For example, if you originally generated your identity anchor on a mobile phone, and now are attempting to add your laptop as a second device, you should scan the QR code generated on the laptop with your phone.
Upon scanning the QR code with the original device, you will be directed to the app where you can confirm that you are attempting to add a new device. One you confirm, you will be asked to name the new device (In the example above, an appropriate name would be 'Laptop'). After this, both devices should appear in the Anchor Management page of identity.ic0.app.
When you have created an identity anchor and added devices, logging into dapps is a simple process. When you navigate to a dapp that supports authenticating with Internet Identity, simply click on the login button to be directed to the II frontend where you can enter your anchor number and authenticate.
After this, you will be directed to a page requiring you to authorize the authentication. After selecting Proceed you will finalize the authentication process and be redirected and logged in to the dapp.
Recovering a lost identity
If you have lost your anchor number and no longer have access to your authorized devices, you can recover your lost identity using either the seed phrase or the security key used during the initial setup process.
To recover your lost identity, first navigate to https://identity.ic0.app/ and select the Lost access and want to recover? link at the bottom of the page. After this, you will be directed to a page asking to enter the anchor number for the lost identity. Note that the first string of the seed phrase is the anchor number, so you can always find it there. Once you enter the anchor number for the identity you are trying to recover, you will be directed to a page that requires you to enter your seed phrase. Once you copy your seed phrase and click continue, your identity will be recovered.
Note that the recovery page on the II dapp is the only page in which you should ever enter your seed phrase.
Ease of Use
Internet Identity provides a secure way for users to generate identity anchors and authenticate to applications running on the Internet Computer without the need to remember and manage passwords.
No personal identifying information is needed to generate an anchor and as Internet Identity generates different pseudonyms for different applications, privacy is provided for users as interactions across dapps cannot be tracked.
Since an anchor's key material is generated and stored on the user's device, it is not the case that a particular service or application can hinder the availability of an individual's anchor as a method of authentication.
- For a more technical overview check the II technical overview page.
- Internet Identity Medium post which gives an overview of Internet Identity and how to get started.
- Web authentication medium post where Björn Tackmann gives an overview of the core ideas of web authentication and describes how Internet Identity came to be the way it is.
- Video Demo showcasing Internet Identity and showing how to generate an anchor.
- Developer Centre introduction to Internet Identity.
Do I need to use Internet Identity to use all dapps on the IC?
No, II is an authentication option that can be used by the developers of the dapps. Developers may choose they do not need authentication, or if they do want authentication, they may opt for another solution. II is very popular because building authentication systems is very hard to do securely so it is helpful for developers but they have freedom of choice.
- Motoko Playground is an example of a dapp on the IC that does not require II and instead allows direct anonymous usage.
How do I get an identity anchor from Internet Identity?
The one and only place to generate an identity anchor is to visit https://identity.ic0.app/.
Detailed instructions can be found by visiting https://smartcontracts.org/docs/ic-identity-guide/auth-how-to.html
Although it is not necessary, it is really useful to link another device or to save the seed-phrase in case you lose access to your identity anchor on a particular device. Further, as your identity anchor may be used to generate accounts for wallets or dapps, access to these may also be lost if you lose access to your identity anchor.
What happens if I lose my device?
If you lose your device and want to recover, you can click on the 'Lost access and want to recover' link at https://identity.ic0.app/.
If you have an identity anchor tied to only one device and you lose that one device, you will be locked out. As a best practice, we recommend adding multiple devices and recovery mechanisms to every identity anchor.
How can I add more devices?
If you want to add another device, you can click on the 'Already have an anchor but using a new device?' link at https://identity.ic0.app/
Detailed instructions can be found here: https://smartcontracts.org/docs/ic-identity-guide/auth-how-to.html#_add_a_device
No. Internet Identity uses a different principal (a "pseudonym") for each dapp that you authenticate to using Internet Identity. Since the pseudonyms Internet Identity generates for you are different for each dapp, dapps cannot use them to track you outside of their realm.
Does Internet Identity support Windows Hello?
Yes! Internet Identity supports authenticating via Windows Hello. If Windows Hello is set up on your PC then Internet Identity will offer you to authenticate through Windows Hello.
Detailed instructions can be found here: https://smartcontracts.org/docs/ic-identity-guide/hello-guide.html
Why can't I log in with a new device?
If you can't log in with an existing identity anchor, it may be the case that the anchor hasn't been added to the new device. If this is the case, simply visit https://identity.ic0.app/ , click on the 'Already have an anchor but using a new device?' link, add the device and try again.
It may also be the case that the face ID or the fingerprint system is not enabled on the device. Ensure that these are enabled, and try to log in again.
Is there a way to revoke a dapp's access to my identity anchor?
There is no explicit revocation method, but privilege delegation to Internet Identity is limited in time, so will expire. Alternatively, simply once the browser tab is closed, the delegation is gone.