Summary
Users who create an Internet Identity (II) account via a third-party website and rely solely on Windows Hello (PIN/biometrics) are permanently locked out after the initial redirect. The Windows Hello authentication option vanishes, leaving no way to sign in again. Additionally, even users who manage to log in a few times may see the PIN option disappear unexpectedly.
Affected Users
- Those who create an II from a dapp/website (immediate redirect back to the site after account creation).
- No opportunity to add a recovery phrase, passkey, or any backup method during onboarding.
- Primary/only auth method: Windows Hello (PIN or biometrics).
Reproduction Steps
- From a dapp/website, initiate II login → "Create New Identity".
- Complete Windows Hello enrollment (PIN/biometrics).
- Upon success, user is immediately redirected to the dapp — no II management screen shown.
- Close browser/session and attempt to log in again to the same dapp (or identity.ic0.app).
Result:
- Windows Hello option is missing from the login modal.
- Only "Recovery Phrase" or "Add Passkey" options appear (neither available to the user).
- User is permanently locked out.
Intermittent Behavior (Additional Observation)
Even when users do get past the initial login:
- The PIN login option disappears after 2–3 successful logins.
- No error message; the UI simply omits Windows Hello.
- Recovery phrase (if saved earlier) remains functional → confirms the identity still exists.
Expected Behavior
- After II creation, users should see the Identity Management dashboard before redirect.
- Users must be prompted or allowed to add a recovery phrase or secondary method.
- Windows Hello should remain a stable, persistent login option.
Environment
- OS: Windows 11
- Browser: Chrome / Edge (latest)
- II Version: internet-computer/identity (latest at time of test)
- Tested on: identity.ic0.app and multiple dapps using II login
Workaround
None for locked-out users. Users with foresight to save a recovery phrase during rare dashboard access can recover.
Impact
- Critical: Users lose access to dapps, NFTs, tokens, etc., tied to the identity.
- Affects all Windows Hello-only users onboarding via dapps.
Suggested Fix
- Delay redirect after II creation until user confirms backup method.
- Force backup flow (recovery phrase) before allowing dapp redirect.
- Ensure Windows Hello anchor is persistently stored and displayed in login UI.
- Add fallback UI if platform authenticator becomes unavailable.
Glad I saved my recovery phrase — otherwise this would’ve been a total loss.
Please prioritize — this is a user lockout vector affecting a growing Windows user base.