top of page

Internet Identity: The End of Usernames and Passwords

The Internet Identity service enables you to authenticate securely and anonymously when accessing applications on the Internet Computer.



The Internet Computer, a blockchain computing platform that extends the functionality of the public internet, provides security by replicating data and computation across multiple independent data centers. To avoid the security issues that plague password authentication on the traditional web, the Internet Computer implements proper cryptographic authentication. The Internet Identity service is a crucial component of this approach. End users can use it to sign up and log in to hosted internet services that are built with smart contracts, with their personal devices protected by end-to-end cryptographic security.

The Internet Identity service allows you to log in to an open internet service without a username or password, instead using much more convenient and secure device authenticators. Such cryptographic authenticators are built into all newer computers and smartphones. With older devices, you can use external security keys via NFC or USB ports. Consumer devices are increasingly including such authenticators by default. Conveniently, you don’t need to handle any cryptographic key material. Facilitating authentication through devices is revolutionary, improving the usability of online authentication as well as its security. The Internet Identity service, which you can access via the Internet Identity service portal, is an identity provider that is similar to the “Sign in with [Google or Facebook]” functionality that you’re familiar with from the web, with several key differences.

Imagine a world in which you can:

  1. Securely authenticate yourself online without ever needing an email, username, or password — using only your device to log in.

  2. Log in to internet services without ever being tracked and without your information being mined by tech companies.

  3. Authenticate yourself with a greater degree of convenience than with practically any kind of authentication system that you use today.


How Internet Identity works


Internet Identity builds on the WebAuthn protocol and uses secure cryptographic authentication, giving users three options to authenticate themselves:

  1. The built-in biometric authentication methods in your smartphone or your laptop (e.g., Face ID, Touch ID, or fingerprint scanner).

  2. The password or pin that users normally use to unlock their computer or mobile phone.

  3. A security key plugged into the USB port of your computer (e.g., YubiKey).

When you first register with Internet Identity through the Internet Identity service portal, the security chip on your device will generate a unique cryptographic key that will be stored on the Internet Computer together with the user number that is generated for you. The user number is the umbrella identity under which you can authenticate the various devices and browsers that you use. You can use your user number to register your other devices so that you will be able to use applications seamlessly across all of your devices.

Take careful note of your user number. If you lose your user number, you will not be able to log into the Internet Identity service to manage your devices or access your applications. Furthermore, it’s critical to add more than one authentication device under the same user number for redundancy.

One major advantage of the user number is that it is not security-sensitive. It won’t be tied to any PIID, so it doesn’t matter if somebody learns your user number.

How do users interact with Internet Identity?

When a user first loads the front end of a given canister (e.g., when using an open internet service), that front end displays a button for users to authenticate themselves, similar to the Single Sign-On (“SSO”) services many are already familiar with.

When the user clicks on the button, the browser opens a pop-up with the Internet Identity, which allows the user to manage the keys and identities.

From the Internet Identity service, the user authenticates using the device and method of their choice, then authorizes access to the app. Then, the browser is redirected to the canister front end and can access the canister under the user’s identity. (This mechanism uses the session key and delegation mechanisms.

The canister front end generates a session key pair and transfers the public key to the Internet Identity. If the user confirms, the Internet Identity generates a delegation and returns it to the canister front end.)

Once you have verified your identity in the browser using one of the three methods already outlined, you are prompted to confirm your registration. After you have registered your device, you will receive a user number. This number is unique, but it is not a secret, so you should save the number in multiple places.

Your browser will remember your user number, but you will need it if you log in on a different computer, or if you clear your browser state. Again, if you lose your user number and are logged out on all devices, you cannot log in to the Internet Identity service to manage your devices or access any of your applications.

This is an example of what a successful registration of a new Internet Identity looks like:

In contrast to signing in via Single Sign-On, the complete authentication flow in the identity provider happens on the user side, so there is much less exposure of private user actions and less risk of tracking by large tech corporations.

Notably, the Internet Identity service will also give the user a different identity for every canister front end that they log into, the main advantage of which is user privacy and security.

As a thought experiment, if the Internet Identity service DID NOT give the user a different identity for every canister front end they logged into, the Internet Identity would allow every front end to log in under the user’s single principal. If that user interacts with unrelated services — for example, a social media network and an e-commerce site — these unrelated companies could correlate the user’s behavior on these sites. And in the worst-case scenario, the front end of the social media network could now maliciously call the canisters of the e-commerce site and make orders posing as the user.

This is why the Internet Identity service generates a different identity for every front end that the user logs into and the user’s actions on different services are not so easily tracked. While the front end is still able to call any canister on the Internet Computer using the user’s identity, it is only ever the identity that is associated with the front end performing the calls.

Improved authentication

The Internet Identity service enables you to authenticate securely and anonymously when you access applications that use the service as an authentication method. A different identity is created for each application you log in to, and you will be able to use all of your registered devices or authentication methods to log in to the same account.

Unlike most authentication services, your Internet Identity does not require you to set and manage passwords, generate a cryptographically secure seed phrase, or provide any personal identifying information to applications or to the service. Instead, you use the authentication methods you choose such as facial recognition from a smartphone, your computer unlock password, or a security key.

The Internet Identity service is an improved method for user authentication over today’s conventional approaches.



Source: Medium


The Tech Platform

0 comments

Recent Posts

See All

Comments


bottom of page