What is Internet Identity

From Internet Computer Wiki

In order to access and interact with applications running on the Internet Computer, it is often necessary for users to authenticate. One of the most commonly used methods to authenticate on the Internet Computer is via Internet Identity.

Internet Identity (II, https://identity.ic0.app/) is a blockchain authentication framework supported by the Internet Computer. Users begin by creating identity "anchors" to which they assign compatible cryptographically enabled devices, such as the fingerprint sensor on a laptop, the face ID system on a phone, or a portable HSM, such as a YubiKey or Ledger wallet. Thereafter, they can sign up and authenticate to dapps running on the Internet Computer using any of the devices they have assigned to their anchor. This lets users authenticate to dapps with very little friction while still benefiting from a high level of security, and without having to manage or handle cryptographic key material themselves. The system offers some degree of privacy: whenever an anchor is used to interact with a dapp, the dapp sees a pseudonym generated specifically for that dapp, which prevents dapps from tracking users across the various dapps they use. A user can create as many identity anchors as they wish.

Unlike most authentication methods, users are not required to set and manage passwords or provide any personal identifying information to dapps or to Internet Identity.

How the technology works

Internet Identity builds on the Web Authentication (WebAuthn) API supported by modern web browsers and operating systems, and on the "chain key cryptography" framework that powers the Internet Computer. Essentially, the Internet Computer uses its master chain key to sign the list of public keys of the devices assigned to each anchor. Client-side code, for example code running in the web browser, is aware of the master chain key.

Dapps that integrate with Internet Identity prompt the user to authenticate using an identity anchor. If the user doesn't have an identity anchor yet, it is easy to create one and add authentication methods to it. For more details, see How to use Internet Identity. For each device added, a pair of cryptographic keys (private and public key) is generated. The public key is stored on the Internet Computer blockchain, while the private key remains locked inside the authentication device together with any biometric data that governs access to it. Adding multiple authentication devices to an identity anchor allows the user to access dapps across all of their devices.

When a user accesses a dapp that uses Internet Identity for authentication, they first specify the identity anchor they want to use. After they authenticate to that anchor with one of its assigned devices, their browser connects to Internet Identity and generates a session key for use with that dapp. Finally, the user is asked to authorize access to the dapp.

The user's browser downloads the authorization and then redirects the user to the dapp. The dapp verifies the authorization from Internet Identity and grants the user access as an application-specific anonymous identity that we call a pseudonym. Internally, users have a different pseudonym for each dapp, but the pseudonym for any single dapp is the same across all of the user's devices. All devices of a particular user simply represent different methods they can use to authenticate to their Internet Identity anchor.
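
The flow above can be modelled in a few functions. This is an added illustration, not Internet Identity's own code, wire format or signature scheme: a locally generated Ed25519 key stands in for the signature made under the Internet Computer's chain key, the HMAC-based pseudonym derivation is an assumption, and all function and field names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-ins (assumptions): the identity service's signing key and
// a secret salt for pseudonym derivation.
const service = nodeCrypto.generateKeyPairSync('ed25519');
const SALT = nodeCrypto.randomBytes(32);

// The pseudonym depends only on anchor and dapp origin, so it is the same on
// every device of that anchor and differs from dapp to dapp.
function pseudonymFor(anchor, dappOrigin) {
  return nodeCrypto.createHmac('sha256', SALT)
    .update(JSON.stringify([anchor, dappOrigin])).digest('hex');
}

// Service side: once a device has authenticated the anchor, authorize the
// browser's session public key for one dapp, with an expiry.
function issueAuthorization(anchor, dappOrigin, sessionPubDer, ttlMs, now = Date.now()) {
  const body = JSON.stringify({
    pseudonym: pseudonymFor(anchor, dappOrigin),
    dappOrigin,
    sessionKey: sessionPubDer.toString('base64'),
    expiresAt: now + ttlMs,
  });
  return { body, sig: nodeCrypto.sign(null, Buffer.from(body), service.privateKey) };
}

// Dapp side: returns the pseudonym, or null if any check fails.
function verifyRequest(auth, request, requestSig, myOrigin, now = Date.now()) {
  // 1. The authorization must carry a valid signature from the identity service.
  if (!nodeCrypto.verify(null, Buffer.from(auth.body), service.publicKey, auth.sig)) return null;
  const claims = JSON.parse(auth.body);
  // 2. It must be issued for this dapp and still be within its lifetime.
  if (claims.dappOrigin !== myOrigin || now >= claims.expiresAt) return null;
  // 3. The caller must prove possession of the authorized session key.
  const sessionPub = nodeCrypto.createPublicKey({
    key: Buffer.from(claims.sessionKey, 'base64'), format: 'der', type: 'spki',
  });
  if (!nodeCrypto.verify(null, Buffer.from(request), sessionPub, requestSig)) return null;
  return claims.pseudonym;
}
```

Binding the authorization to one dapp origin and to a short-lived session key means a copied authorization is of no use at another dapp, after expiry, or to anyone who does not hold the session private key.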

A user can register as many identity anchors as they want for redundancy, or different purposes. For example, a user may create an anchor for use with SocialFi or GameFi, and another for use with pure DeFi. They may only feel comfortable adding facial recognition to their SocialFi and GameFi anchor, say, and only use more secure portable HSM devices like YubiKeys and Ledger wallets with their pure DeFi anchor.
