Internet Identity Email Recovery Is Now Live on ICP

High attention and emotional sentiment detected.

The foundation shared the news in a 09:00 GMT post on X. According to DFINITY, no seed phrase is needed for the new recovery flow. Instead, Internet Identity verifies each request directly on-chain.

What DFINITY Announced

Internet Identity is the Internet Computer’s passwordless login system. Specifically, it uses passkeys and security keys to sign in to dApps without exposing a persistent identifier.

Until now, recovery relied on a 24-word recovery phrase or a backup device. The new option adds email to that list. So users gain another way back in once their devices are gone.

In its announcement, DFINITY put it plainly. “Lose every device, and you still get back in with a message from your own inbox,” the post said.

From Recovery Phrases to Email

Internet Identity launched as a privacy-first login system for the Internet Computer. Initially, users protected their anchor with either a 24-word recovery phrase or a second device.

Through late 2025, DFINITY improved how recovery phrases activate and verify. The II 2.0 migration then refined the wider experience while keeping older setups compatible.

Email recovery is the next step in that arc. It extends self-sovereign identity to people who never felt safe guarding a seed phrase.

How Internet Identity Email Recovery Works

Setup happens at id.ai. First, log in with an existing passkey or device. Then open the Access and Recovery section and register an email address.

Recovery runs in reverse. First, a user enters their anchor number on id.ai and selects the recovery option. Next, Internet Identity sends a verification message to the registered email.

The message carries a link or code. Internet Identity validates that token on-chain. After it confirms, the user can add a new passkey and sign in again.

The email itself is sent by the canister, so the flow stays inside Internet Identity’s trust boundary. DFINITY tested the same setup earlier on a staging site, beta.id.ai, before flipping it on for everyone.

How Email Recovery Changes Internet Identity Security

No Seed Phrase, By Design

The headline detail is what the flow removes. There is no 24-word secret to write down, hide, or lose. As a result, email recovery targets the part of onboarding that scares mainstream users most.

Still, email recovery does not replace the older methods. DFINITY says it supplements passkeys, recovery devices, and recovery phrases. So anyone who already set up a phrase keeps it as a fallback.

Verified On-Chain Through NNS Proposal 141991

The upgrade is live in production, not in beta. It shipped in the release-2026-06-02 build of Internet Identity.

Token holders approved it through NNS proposal 141991, which enabled the recovery emails feature and a security fix. The feature had sat disabled in production before that vote.

The release ties back to a specific commit, 230a8061, and to pull requests numbered 3963, 3972, and 3973. So developers can read the exact code that powers Internet Identity email recovery.

Additionally, anyone can verify the deployment independently. The II canister, rdmx6-jaaaa-aaaaa-aaadq-cai, shows a module hash that matches the release on its public dashboard.

The Security Trade-Off

Email recovery improves the experience, yet it also shifts the risk. A recovery phrase sits offline, away from attackers. An inbox does not.

Because of that, the new channel leans on the security of a user’s email provider. Phishing and inbox takeovers become relevant attack paths. Some users raised this concern within hours of the launch.

For balance, the model still asks Internet Identity to verify each request on-chain. So the email works as one controlled channel, much like a recovery device does today.

Community Reaction

Early sentiment on X leaned positive among ICP supporters. In particular, many users framed the change as a win for onboarding newcomers who fear losing a seed phrase.

Not everyone cheered, though. A few users questioned email security and asked what happens if an inbox gets hacked. No major security researcher has weighed in yet.

The market stayed quiet too. ICP showed no clear price move or volume spike around the 09:00 GMT post, partly because the news is only hours old. Tier-one outlets had not covered it at the time of writing either.

What Comes Next for Internet Identity Email Recovery

Several details remain unpublished for now. DFINITY has not detailed token expiry, rate limits, or whether a linked email can be removed later.

It is also unclear whether the stored email is hashed or visible on-chain. The full phishing surface and any anti-abuse limits are not spelled out either. Official documentation is still pending, so treat these points as open until the foundation publishes more.

Mainstream users can set up Internet Identity email recovery today at id.ai. Meanwhile, those seeking deeper technical information can monitor the GitHub releases page and DFINITY’s official channels for future updates. As additional documentation becomes available, more implementation details may emerge regarding security controls and recovery parameters. However, this article is provided for informational purposes only and should not be considered security or financial advice.