Internet Identity: The End of Passwords

“Passwords are like underwear.” Ah! An oh-so-racy quip, but true.

Passwords help safeguard our sensitive information and serve as an integral part of our (online) lives. From email accounts and cloud storage to crypto wallets and online identities, passwords are the only thing separating you from a lot of potential trouble.

Since the internet's early days, passwords have evolved from simple to something much more sophisticated. Websites and apps have now raised the bar on specifications like password length, character case, and special character requirements.

This is no surprise. After all, no matter how cybersecurity improves, bad actors always seem to be a step ahead of the good guys, with their myriad tools and fresh data dumps of leaked personal information. Like wolves, they are always on the prowl looking for careless internet users to devour.

Is the Concept of Passwords Outdated?

Since enterprises deal in highly sensitive information, it’s common for organizations to educate new employees on password security practices during onboarding. These organizations usually enforce stringent security standards and use complex management solutions that spare employees from having to create multiple passwords. Password management tools have trickled down, touted for their ease of use and purported security.

But even password management solutions are hackable, and they're now prime targets for hackers. In late November 2022, leading password manager LastPass suffered a data breach — the second major hack of the year — which left millions of users vulnerable.

According to Verizon’s popular Data Breach Investigations Report, 81% of hacking-related breaches are caused by stolen, recycled, or weak passwords. Interestingly, that data point was culled from the 2017 DBIR, and four years on, the stats are similar (61% of breaches).

My private data was leaked some years back--a digital nightmare to deal with. For the next few weeks, I was bombed with swathes of “Suspicious Login” emails from various locations worldwide. Each time I received an alert it felt like the universe was saying, “you should have known better.”

I had to change all my passwords across hundreds of online accounts. It was an experience not easily forgotten. I admit, it broke me: I could never fully trust passwords to keep me safe any more.

Now, whenever I come across password recyclers (people who use one password for multiple accounts), memories come flooding back and I relive my experience. And yet I perfectly understand why some people tend to reuse the same passwords. Strong passwords are hard to remember and having multiple difficult-to-remember log-ins can be a burden in and of itself.

Current Identity Solutions Are Flawed

Current identity management solutions are rife with issues. Let’s take a look at some of the key challenges:

Identity and password management solutions tend to be centralized, as they rely on a single entity for managing and verifying user identity. It’s typical for organizations to adopt third-party services for accessing their websites and apps (aka delegation), e.g., signing in with a Facebook or Google account.

Another major flaw is their extreme dependence on servers and instances, which presents another centralized point of failure. As a consequence, they’re becoming a prime target for malicious actors, like ants flocking to a source of sugar. These attack vectors potentially expose organizations to large-scale hacks and data breaches.

Another issue is that current identity solutions are highly vulnerable to social engineering attacks. We've seen multiple social engineering attacks against high-profile NFT figures, who get hacked because they absent-mindedly click a link that seems legitimate (whether it's opening what looks like an innocent investor email or an NFT minting link).

Furthermore, the digital identity landscape is currently heterogeneous. Each identity solution runs its own isolated system, and on the surface, this seems like a good approach. However, it fosters a fragmented ecosystem, since each identity management product is incompatible with the next. Interoperability is thrown out the window for the sake of security. Not only do you have to keep track of numerous log-ins, but this also makes it difficult to build applications that leverage collaborative identity management.

Finally, most of these systems are prone to data privacy breaches at the mercy of a malicious verifying authority. The 2018 Facebook-Cambridge Analytica data scandal remains fresh in our memories, where the British political consulting firm was exposed for using data obtained from Facebook without user consent.

In a nutshell, the current identity solutions are typically inefficient, outdated, and worst of all, vulnerable to all sorts of attacks. Security is an issue that affects everything from financial institutions, healthcare providers, government agencies, and more, as our lives become increasingly digitized.

To mitigate these sorts of problems, the DFINITY Foundation developed Internet Identity (II), a secure blockchain authentication framework supported by the Internet Computer.

Enter Internet Identity, A Web3 Authentication Solution

I’m not the only one who thinks passwords are obsolete solutions. The DFINITY Foundation created Internet Identity to provide strong security without the burden of remembering complex passwords.

Using Internet Identity, anyone can anonymously create sessions with Web3 services and decentralized applications and verify blockchain transactions. With II’s completely decentralized architecture, you can connect to apps (and services) with utmost security, simplicity, and comfort.

Creating a session (DFINITY lingo for "signing on") on the Internet Computer is as easy as breathing. You simply have to create an Internet Identity “anchor” first.

This person is logging in to OpenChat (a messaging dapp on the Internet Computer) by using the fingerprint sensor on their Macbook

Thanks to Internet Identity, you can authenticate with any of your devices using various methods, including biometrics (like via Apple's Face ID) or hardware security devices like Yubikey or Ledger.

Best of all, your anonymity is guaranteed since there’s no link — at least without your consent — between your personal information and the services you authenticate to. Internet Identity uses a different principal (pseudonym) for each dapp. This prevents you from being tracked across dapps and your data from being leaked on the internet.

“But,” you may be wondering, “how exactly does all this work under the hood?”

Internet Identity, Explained

Internet Identity requires your device to have a TPM (Trusted Platform Module) or a relevant equivalent. A TPM is a security chip that is capable of housing a copy of your private keys.

The TPM lives in a trusted environment, separated from other programs your device runs. When you log in with your Internet Identity, it asks the TPM to cryptographically sign a brand new session using the dapp’s assigned private key, securely signing you in.

Your biometric data never leaves your device and better still, your device password is never revealed to Internet Identity.

Your Internet Identity log-in sends a signature request to the TPM chip (or, again, its equivalent) for each new session and receives a response based on whether the authentication is successful. In other words, your device authenticates you, not the Internet Computer. The IC only receives instructions from your device after authentication.

Your TPM chip generates, and maintains, the public-private key pairs for each dapp service, but it never shares them with you or Internet Identity. This means absolutely no one — not even DFINITY! — can access your private keys or your identity.

Why Internet Identity?

In a single sentence, Internet Identity is the best solution for secure identity management.

Internet Identity builds on the concept of delegation by wrapping authentication requests separately. This eliminates having to confirm new requests every time you want to sign in to a dapp. In other words, Internet Identity passes the task of user authentication to your device and grants scoped confirmation to the dapp for a period. This enables you to interact with dapps on the Internet Computer without having to sign in every time.
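
The session signing and time-limited, per-dapp delegation described above can be modelled in a few lines. This is an added example, not DFINITY's code or Internet Identity's actual message format: the JSON layout, the function names, and the `chat.example` / `shop.example` origins are assumptions, and an in-memory Ed25519 key stands in for the TPM-held key.

```javascript
// Simplified model of device-signed session delegation. Added illustration;
// this is not Internet Identity's actual message format or API.
const crypto = require('node:crypto');

// Bytes to sign. Field order is fixed by construction here; a real protocol
// needs a canonical encoding so both sides sign and verify identical bytes.
const encode = (obj) => Buffer.from(JSON.stringify(obj));
const toHex = (publicKey) => publicKey.export({ type: 'spki', format: 'der' }).toString('hex');
const fromHex = (hex) =>
  crypto.createPublicKey({ key: Buffer.from(hex, 'hex'), type: 'spki', format: 'der' });

// Device side: after local user verification, the device key authorizes a
// fresh session key for one dapp until expiresAt.
function createDelegation(devicePrivateKey, sessionPublicKey, dapp, ttlMs, now) {
  const body = { dapp, sessionKey: toHex(sessionPublicKey), expiresAt: now + ttlMs };
  return { body, signature: crypto.sign(null, encode(body), devicePrivateKey) };
}

// Verifier side: returns 'ok' or the reason the request is rejected.
function verifyRequest(devicePublicKey, delegation, dapp, request, requestSig, now) {
  const { body, signature } = delegation;
  if (!crypto.verify(null, encode(body), devicePublicKey, signature)) return 'bad delegation signature';
  if (body.dapp !== dapp) return 'wrong dapp';
  if (now >= body.expiresAt) return 'expired';
  if (!crypto.verify(null, Buffer.from(request), fromHex(body.sessionKey), requestSig)) return 'bad request signature';
  return 'ok';
}

// Constructed walk-through with hypothetical dapp origins and a fixed clock.
function demo() {
  const device = crypto.generateKeyPairSync('ed25519');  // stand-in for the TPM-held key
  const session = crypto.generateKeyPairSync('ed25519'); // short-lived session key
  const t0 = 1_700_000_000_000;
  const chat = 'https://chat.example';
  const d = createDelegation(device.privateKey, session.publicKey, chat, 30 * 60 * 1000, t0);
  const request = 'post_message:hello';
  const sig = crypto.sign(null, Buffer.from(request), session.privateKey);
  const extended = { ...d, body: { ...d.body, expiresAt: t0 + 1e12 } }; // tampered expiry
  const check = (deleg, dapp, now) => verifyRequest(device.publicKey, deleg, dapp, request, sig, now);
  return {
    valid: check(d, chat, t0 + 60_000),
    otherDapp: check(d, 'https://shop.example', t0 + 60_000),
    expired: check(d, chat, t0 + 31 * 60 * 1000),
    tampered: check(extended, chat, t0 + 60_000),
  };
}

console.log(demo());
```

The device key signs once per session; every later request is signed by the session key alone, which is why a stolen session key is only useful for that one dapp and only until the delegation expires.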

Your Internet Identity allows you to quickly and conveniently access supported web3 services using your devices. Once you set up your anchor, you can connect multiple devices and remove unavailable devices without hassles. Learn how to set up your Internet Identity anchor with our guide here.

Closing Thoughts

It should be clear at this point that we can't trust present password and identity solutions to keep us safe. They rely heavily on passwords, and passwords just don't cut it — we deserve better.

Passwordless authentication is the future of identity management, and the Internet Identity offers a novel approach to web3 authentication, allowing you to safely access supported services using a variety of devices and authentication methods.





  • Disclaimer: The views and opinions expressed on this website are solely those of the original author and other contributors. These views and opinions do not necessarily represent those of the CoinHustle staff and/or any/all contributors to this site.