Using the IC

How Internet Identity works

Let’s explore how Internet Identity utilizes Web Authentication (WebAuthn) to power anonymous blockchain authentication

IC Academy » Internet Identity » How Internet Identity works

How does Internet Identity work?

Internet Identity makes usernames and passwords obsolete. Let’s have a look at how Internet Identity works.

Functionality of Internet Identity

Modern operating systems and web browsers support Web Authentication (WebAuthn), which is utilized to power a key function of Internet Identity. Another integral part of Internet Identity is the Internet Computer’s “chain key cryptography” framework.

Elements of Internet Identity

Web Authentication (WebAuthn) API

The Web Authentication API enables authentication with public key cryptography, thereby allowing passwordless authentication

"Chain Key Cryptography" Framework

The Chain Key cryptography framework is a set of cryptographic protocols orchestrating the Internet Computer’s nodes

How Internet Identity works

When a user signs into a dApp on the Internet Computer, a list of public keys inside the user’s assigned devices are signed using its master chain key. The client-side code running in the user’s authenticated smartphone, web browser, or Yubikey/Ledger is aware of this master chain key.

dApps integrating with Internet Identity can be accessed by users who authenticate themselves by using an identity anchor. For each new device a user adds to their identity anchor, a new pair of cryptographic keys is generated. This includes both private and public keys.

How is the generated pair of cryptographic keys stored?

Public Key

Stored on the Internet Computer blockchain

Private Key

Remains locked inside the authentication device.

Any biometric data governing access to the private key remains locked inside the authentication device.

By creating multiple identity anchors (i.e. by adding multiple authentication devices), Internet Identity users can seamlessly log into dApps across all of their devices.

The process of logging into a dApp via Internet Identity

Specify identity anchor

User is asked to specify the identity anchor they want to use

Authenticate identity anchor by using assigned device

User authenticates using an identity anchor and a device assigned to the anchor

Browser connects to Internet Identity

After authenticating, the user’s browser connects to Internet Identity

Browser generates a session key for use with the dApp

After connecting to Internet Identity, the user’s browser generates a session key for use with the dApp

Authorize access to the dApp

In the last step, the user is asked to authorize their access to the given dApp

Once access to the dApp is authorized, the user’s browser downloads the authorization and redirects to the dApp. The downloaded authorization is verified by the dApp before pseudonymous access (i.e. as an application-specific anonymous identity) is granted.

How are pseudonyms utilized?

Devices just represent different methods of authenticating to a dApp via Internet Identity anchor.

Across dApps

Different pseudonym for each dApp

Across devices

Same pseudonym for a single dApp across devices

The number of identity anchors that can be registered is not limited, giving users the option to create various anchors for different purposes. For example, a user might want to create an identity anchor for DeFi via facial recognition and a different anchor via HSM devices such as Ledger wallets or YubiKeys for GameFi.

Create Internet Identity

Internet Identity gives you access to the Network Nervous System, your ICP tokens and IC dApps. Find out how you can create your Internet Identity in 2 minutes.

Create your Identity

Internet Computer Wallets

Explore the different options you have to store and stake your ICP and to participate in the governance of the Internet Computer. Learn more about IC wallets.

Explore wallets