Internet Identity - Authentication on the Internet Computer
What is Internet Identity?
Internet Identity (II) is an anonymous blockchain authentication framework supported by the Internet Computer. In order to access and interact with dApps running on the Internet Computer, users often need to authenticate. Internet Identity allows users to sign on to accounts on Web3 services and dapps from any of their devices, securely and anonymously. It also lets users authenticate without usernames and passwords, using biometric or hardware solutions instead.
Why is Internet Identity needed?
Let’s look at the current web2 and web3 authentication situation:
Web2 has improved its authentication methods (web authentication has been standardized and recommends a second factor, and delegating authentication to BigTech platforms is often an option), but it still usually requires a username and password. These are normally stored in centralized databases, which are increasingly exposed to breaches and data leaks. Also, most user-chosen (as opposed to computer-generated) passwords are very easily cracked with current technology.
In web3 it’s often necessary to hold tokens, which are stored in wallets. When a user creates a wallet, they generate a public/private key pair, which plays basically the same role as a username and password in web2. The difference is that the private key never leaves the user’s device and is used to sign an interaction, which can then be seen by everyone (because the public key is, well, public). So we’re back to a single factor of authentication, where anyone with access to the user’s device can sign interactions (phishing attacks à la web2). Users are also required to sign every single time, and signing blockchain transactions is not the fastest process…
Internet Identity picks the best features of web2 and web3: it generates a public/private key pair and then creates a session through delegation, allowing users to interact with the blockchain without needing to authenticate every time, and all this at web speed!
What’s the process of using Internet Identity?
If a user has already created their own Internet Identity, this simple 3-step process occurs (read a step-by-step guide on how to set up your Internet Identity here):
1. When the user accesses a dApp that uses Internet Identity for authentication, they first choose the identity anchor they want to use (for example: 189231).
2. The user is prompted to authenticate and asked to authorize access to the dapp. Authentication methods are:
   - Fingerprint sensor on smartphones/laptops
   - Face ID
   - Hardware security keys (for example YubiKey or Ledger wallet)
3. The user is redirected to the dApp, which verifies the authorization from Internet Identity and grants the user access as an application-specific anonymous identity (“pseudonym”).
What makes Internet Identity special?
Convenience
Internet Identity allows users to authenticate to dApps seamlessly on any of the devices assigned to their anchor, without any friction and with no password needed.
Additionally, users do not have to manage cryptographic keys themselves, which prevents theft and mistakes. Users can also add many devices to the same identity anchor, for example their smartphone and their desktop computer. Possession and control of the physical devices is what gives you quick access.
Short, memorable anchors also allow users to easily create and manage multiple identities for use across different devices and for different purposes.
The reverse gas model of the Internet Computer means that dapp developers pay for the computation on the IC blockchain. Users can therefore interact with dapps without needing to own tokens, decoupling financial activity from a general digital presence and opening up web3 to many more users who would otherwise have been put off by it.
Security
Despite the convenience, Internet Identity does not use passwords and usernames to log in, and therefore avoids the security pitfalls that plague legacy password authentication systems on the traditional web as well as the existing systems used to authenticate to blockchains over the web (e.g. wallets). Internet Identity takes advantage of the Web Authentication (WebAuthn) API to provide secure cryptographic authentication: a user authenticates by "something they have" (a phone or a Ledger) rather than "something they know" (a password).
In addition to adding multiple devices and using security keys, a user can optionally set up recovery mechanisms to secure their Identity.
Privacy
Internet Identity ensures that whenever an anchor is used to interact with an application, the dapp sees a specially generated pseudonym: Internet Identity gives the user a different identity for every canister front end they log into, which is great for privacy. Many blockchain authenticators let every front end log in under the user’s single principal. In that case, the applications a user interacts with could track the user’s behavior across sites, or maliciously call the canisters of other sites and act in the user’s name, and anyone could look up the user’s key in a block explorer and find every interaction the user has ever made with the blockchain. Internet Identity therefore generates a different identity for every front end the user logs into, with front ends differentiated by their hostname.
Unlike most authentication methods, users are also not required to provide any personal identifying information to dapps or to Internet Identity.
How does Internet Identity work?
Internet Identity builds on the Web Authentication (WebAuthn) API supported by modern web browsers and operating systems, and on the "chain key cryptography" framework that powers the Internet Computer itself. Put simply, the IC signs the list of public keys of the devices assigned to each anchor using its master chain key, which client-side code, for example running in the web browser, is aware of.
Dapps that enable Internet Identity prompt the user to authenticate using an identity anchor. Users create identity “anchors” they can use to authenticate themselves with. An anchor is a number attached to a user's identity (for example: 189231). This number is auto-generated by the system and there is only one per identity. Anchors are assigned to compatible cryptographically enabled devices, such as the fingerprint sensor on a smartphone/laptop, a Face ID system, or a portable Hardware Security Module such as a Ledger wallet or YubiKey. This way, users can sign up and authenticate to dApps running on the Internet Computer using any of the devices assigned to their anchor. For each device added, a pair of cryptographic keys (private and public key) is generated. The public key is stored on the Internet Computer blockchain, while the private key remains locked inside the authentication device together with any biometric data that governs access to it. Adding multiple authentication devices to an identity anchor allows the user to access dApps across all of their devices.
It’s possible to register as many identity anchors as you want for different purposes. For example, you can create an anchor for use with social media or games, and another for DeFi. This helps decouple financial activity from a general digital presence: many people may only feel comfortable adding facial recognition to “general purpose” anchors, but want to use more secure HSM devices like Ledger wallets for the “pure DeFi” anchor.
Trying out Internet Identity ourselves
For example’s sake, let’s log into the NNS (Network Nervous System, the brain of the Internet Computer) with our Internet Identity on a laptop, and figure out what’s happening. We’re using the built-in fingerprint sensor of a MacBook Air to authenticate here!

So what’s happening in the above video when we touch the fingerprint sensor to sign-in to the NNS?
A secure chip inside our laptop called a “TPM” is used to maintain a copy of the “private keys” for us. When we use the fingerprint sensor, it lets the TPM know that it can cryptographically sign a new Web3 session using the private key assigned to the service, which signs us in. The private keys never leave the TPM. It’s currently impossible for anyone, even the user, to obtain copies of the private keys inside, because the TPM won’t share them, and the hardware is impossible to breach. The user's browser now downloads the authorization and then redirects the user to the dapp. The dapp then verifies the authorization from Internet Identity and grants us access as an application-specific anonymous identity (called a pseudonym).
TL;DR
Internet Identity allows you to conveniently, securely and anonymously authenticate yourself in web3 without ever needing an email, username, or password — using only your device to log in.
It is a good achievement in security, usability and decentralization, enabled behind the scenes by modern cryptography and the Internet Computer. Some people say Internet Identity should replace usernames/passwords and “old-school” blockchain authentication.