The team behind Internet Identity 2.0 has responded to user concerns about its latest authentication upgrade, confirming key changes to how security credentials are handled, and clearing up what identity numbers did—and didn’t—do in version 1.0.
To start with, they’ve emphasised that the identity number users were familiar with was never intended as a security feature. It was only an identifier, and the actual protection always came from the device itself—through biometrics, PINs, or hardware keys. Depending on that identifier for security, they say, was never advisable. Now with version 2.0, that misunderstanding is being directly addressed.
Under the new system, when a user registers a passkey using the WebAuthn API, they’ll be asked to verify their identity—meaning they’ll need to use Face ID, a PIN, or another method configured on their device. This is different from the previous version, where that step was marked as “preferred” rather than required, allowing some logins to happen without re-authentication.
For users with a YubiKey, this change will mean entering a PIN each time it’s used with Internet Identity. The company says this approach keeps private keys safely locked within the device’s secure hardware. Even if someone got hold of a YubiKey, they would still need the correct PIN to access credentials.
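The "preferred" versus "required" distinction above corresponds to WebAuthn's `userVerification` option, which a relying party enforces by checking the UV flag in the authenticator data returned with each response. This is an added example, not Internet Identity's code: the function names and sample bytes are constructed, and it shows only the flag check, assuming signature, challenge, origin and rpIdHash validation happen elsewhere.

```javascript
// Authenticator data layout (WebAuthn):
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (e.g. a touch on the key)
const FLAG_UV = 0x04; // user verified (PIN, Face ID, fingerprint)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data too short");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy is the userVerification value the relying party sent in its
// request options: "preferred" tolerates a missing UV flag, "required" does not.
function checkUserVerification(bytes, policy) {
  const data = parseAuthenticatorData(bytes);
  if (!data.userPresent) {
    return { ok: false, reason: "user not present" };
  }
  if (policy === "required" && !data.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: data.userVerified ? "user verified" : "presence only" };
}

// Constructed sample input: dummy rpIdHash, chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xab, 0, 32);
  bytes[32] = flags;
  bytes[36] = 7;
  return bytes;
}

const touchOnly = sampleAuthData(FLAG_UP);         // key touched, no PIN entered
const withPin = sampleAuthData(FLAG_UP | FLAG_UV); // key touched and PIN entered
console.log(checkUserVerification(touchOnly, "preferred"));
console.log(checkUserVerification(touchOnly, "required"));
console.log(checkUserVerification(withPin, "required"));
```

The same touch-only response passes under "preferred" and is rejected under "required", which is why the flag has to be checked on the server side rather than trusted to the client's request options.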
The shift has caused some concern among users still relying on older passkeys. Those with a version 1.0 passkey tied only to a Ledger device, for example, may be wondering if they’ll be locked out. The response: no, not yet. Internet Identity 2.0 includes a migration flow that allows sign-in with a non-discoverable key. But once in, users will be prompted to register a new discoverable passkey to continue using their identity in the future.
That said, it won’t be possible to keep using version 1.0 methods forever. Due to changes in both the domain Internet Identity operates on and the way discoverable credentials are handled, everyone will eventually need to register a new passkey to keep things running smoothly.
Questions have also been raised about possible fail-safes. If the Internet Identity subnet were to go down for maintenance, could users retrieve their private keys in a standard format like a PEM file to access their assets elsewhere? That isn’t supported yet, but the idea of compatibility with custom frontends has clearly been noted. For now, though, the team is focused on improving how security and usability work together.
Seed phrases—another popular fallback for restoring access—are not yet available in version 2.0. The plan is to eventually introduce them without tying them to an identity number, but that feature is still in design.
Further changes are in the pipeline. A configurable two-factor authentication system is being developed for those seeking more control and additional security layers. While details are still being finalised, the intention is clear: build towards a simpler and more reliable authentication system that avoids assumptions and puts transparent control back into users’ hands.
There’s still work ahead for Internet Identity 2.0. But the early updates show a clear direction—fewer illusions about security, firmer controls in place, and more options promised for users who want to customise how they log in and protect their identity.




