What are identities?

A principal is the textual form of an identifier derived from the public key of an asymmetric key pair (specifically, a hash of the public key), so every principal has an associated private key. The two keys are stored together as an object referred to as an “identity.” You can install multiple identities on one machine, each with its own name.

Identities are stored in your user directory at the path

~/.config/dfx/identity/<identity_name>/identity.pem

Tools like dfx use the identity file (.pem) when they talk to the Internet Computer: each request is signed with the private key, which proves that you really control the principal. This is similar to SSH, where you need the SSH private key to obtain access to servers to which the matching public key has been added.
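The relationship between a key pair and a principal is concrete enough to compute by hand. The following is an added example, not code from the page or from dfx: it derives a self-authenticating principal from a DER-encoded public key (SHA-224 of the key, then a 0x02 type suffix), renders it in the dashed base32 text form with its CRC32 checksum, and parses that text back while verifying the checksum. The Ed25519 DER key is a constructed sample, not a real identity; for a real identity you would feed in the DER public key extracted from your identity.pem and compare the result with what `dfx identity get-principal` prints.

```python
import base64
import hashlib
import zlib

# Two well-known principals with fixed raw bytes, useful as test vectors.
MANAGEMENT_CANISTER = b""      # textual form "aaaaa-aa"
ANONYMOUS_PRINCIPAL = b"\x04"  # textual form "2vxsx-fae"

# Constructed sample key for illustration only (NOT a real identity):
# the DER SubjectPublicKeyInfo prefix for an Ed25519 key followed by 32 key bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_DER_PUBLIC_KEY = ED25519_SPKI_PREFIX + bytes(range(32))


def self_authenticating_principal(der_public_key: bytes) -> bytes:
    """Raw principal bytes for a key: SHA-224 of the DER public key plus the 0x02 type suffix."""
    return hashlib.sha224(der_public_key).digest() + b"\x02"


def principal_to_text(raw: bytes) -> str:
    """Textual principal: base32(crc32(raw) || raw), lowercase, unpadded, a dash every 5 chars."""
    checksummed = zlib.crc32(raw).to_bytes(4, "big") + raw
    b32 = base64.b32encode(checksummed).decode("ascii").lower().rstrip("=")
    return "-".join(b32[i:i + 5] for i in range(0, len(b32), 5))


def principal_from_text(text: str) -> bytes:
    """Inverse of principal_to_text. Raises ValueError when the checksum does not match,
    which catches a typo or a principal that was altered in transit."""
    b32 = text.replace("-", "").upper()
    padded = b32 + "=" * (-len(b32) % 8)          # restore the base32 padding dfx strips
    decoded = base64.b32decode(padded)            # raises binascii.Error (a ValueError) on junk
    checksum, raw = decoded[:4], decoded[4:]
    if len(decoded) < 4 or zlib.crc32(raw).to_bytes(4, "big") != checksum:
        raise ValueError("invalid principal checksum: " + text)
    return raw


def is_valid_principal_text(text: str) -> bool:
    """True only if the text decodes and its embedded CRC32 matches the payload."""
    try:
        principal_from_text(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = self_authenticating_principal(SAMPLE_DER_PUBLIC_KEY)
    print("sample principal:   ", principal_to_text(raw))
    print("anonymous principal:", principal_to_text(ANONYMOUS_PRINCIPAL))
```

The checksum is what lets a tool reject a mistyped principal before it becomes a canister controller; a self-authenticating principal is 29 raw bytes, which always renders as 63 characters of text.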

If you lose your identity file (for example, by losing your computer), you will no longer be able to identify yourself as that principal. There is no password reset for a key pair, so keep a copy of the .pem file in a safe place.

Identity .pem files are highly confidential: anyone who holds the file can sign as your principal. Never share them with anyone.

Usually a new identity is created for each machine, much like SSH key management. When you install your OS from scratch and create a new user, a new identity is created the first time you use dfx. However, you can also copy your identity from the old computer where you originally created it, in the same way as you can copy your SSH keys; the copied identity has the same principal on both machines.
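Because the .pem file is the credential, a practitioner will want to check how the identities on a machine are stored. The following is an added example, not code from the page or from dfx: it walks the identity directory described above, flags any identity.pem that is readable by other local users (anything looser than mode 600), and reports whether the key is stored in the clear. The encrypted/plaintext classification relies on standard PEM headers and is an assumption; dfx's own encrypted-identity storage may use a different format, so an “unrecognised” result means inspect by hand, not that the file is safe. The sample identities it creates for the demo are constructed fixtures with dummy bodies, not real keys.

```python
import os
import stat
import tempfile
from pathlib import Path

# Where dfx keeps identities on this machine (one sub-directory per identity name).
IDENTITY_ROOT = Path.home() / ".config" / "dfx" / "identity"

# Standard PEM headers that mean the private key is in the file in clear (assumed set).
PLAINTEXT_KEY_HEADERS = (
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
)
ENCRYPTED_KEY_HEADER = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"


def audit_identity_dir(root: Path) -> list:
    """Return one finding per <root>/<name>/identity.pem describing anything risky about it."""
    findings = []
    for pem in sorted(root.glob("*/identity.pem")):
        mode = stat.S_IMODE(pem.stat().st_mode)
        head = pem.read_bytes()[:64]
        issues = []
        # Any group/other bit lets another local user read the key and sign as this principal.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append("mode %03o grants access to group/other; expected 600" % mode)
        if head.startswith(PLAINTEXT_KEY_HEADERS):
            issues.append("private key stored unencrypted")
        elif not head.startswith(ENCRYPTED_KEY_HEADER):
            issues.append("unrecognised PEM header")
        findings.append({"identity": pem.parent.name, "path": str(pem), "mode": mode, "issues": issues})
    return findings


def build_sample_identity_dir() -> Path:
    """Constructed fixture: three fake identities with dummy PEM bodies (not real keys)."""
    root = Path(tempfile.mkdtemp(prefix="dfx-identity-audit-"))
    samples = {
        "alice": (0o600, b"-----BEGIN EC PRIVATE KEY-----\nZHVtbXk=\n-----END EC PRIVATE KEY-----\n"),
        "bob":   (0o644, b"-----BEGIN EC PRIVATE KEY-----\nZHVtbXk=\n-----END EC PRIVATE KEY-----\n"),
        "carol": (0o600, b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nZHVtbXk=\n-----END ENCRYPTED PRIVATE KEY-----\n"),
    }
    for name, (mode, body) in samples.items():
        pem = root / name / "identity.pem"
        pem.parent.mkdir()
        pem.write_bytes(body)
        os.chmod(pem, mode)
    return root


if __name__ == "__main__":
    # Audit the real directory if it exists, otherwise the constructed sample.
    target = IDENTITY_ROOT if IDENTITY_ROOT.is_dir() else build_sample_identity_dir()
    for finding in audit_identity_dir(target):
        status = "; ".join(finding["issues"]) or "ok"
        print("%-12s %03o  %s" % (finding["identity"], finding["mode"], status))
```

Run it after copying an identity between machines: a `cp` or `scp` done with a permissive umask is exactly how a 600 file becomes a 644 one.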

Internet Identity

Internet Identity is a way of identifying yourself that does not require you to remember a password or to manage a private-key file yourself. It is pseudonymous: each dapp sees a pseudonym derived for it rather than one global identifier (see Identity Anchors below). It builds on the WebAuthn standard and on the hardware secure element that most modern personal computing devices, including phones, now have (a “TPM” on many PCs, the Secure Enclave on Apple devices, or an external security key), which holds the owner's private keys and never releases them. When a user presses their fingerprint sensor (or otherwise unlocks the device), the secure element is permitted to sign an authentication challenge with the private key assigned to that service, and that signature is what signs the user in.

Learn more about Internet Identity at the dedicated Internet Identity support center: https://identitysupport.dfinity.org/

Identity Anchors

You can securely access dapps that run on the Internet Computer and use Internet Identity for authentication once you have created an Identity Anchor and added one or more devices to it. Based on the Identity Anchor you present to Internet Identity, it derives a different pseudonym for each dapp you access, so one dapp cannot link your activity to your activity in another. You can create as many independent sets of pseudonyms as you want by creating new Identity Anchors.

Dapps that integrate with Internet Identity prompt you to authenticate with an Identity Anchor. If you do not have one yet, it is easy to create one and add authentication methods (devices) to it. For more details, see the Identity Support Center.

Default Identity

There is also the concept of a “default identity” that dfx uses for all interactions with the Internet Computer unless you select another one. This default developer identity is created the first time you interact with the IC; for example, it is created (if you do not already have one) the first time you run the dfx deploy command. It consists of a public and private key pair generated for your local user account and stored at ~/.config/dfx/identity/default/identity.pem. Typically, this default identity is also the default owner (controller) of all of the projects you create and all of the canisters you deploy, so losing or leaking that file means losing or sharing control of those canisters. Note that dfx stores the default identity's key unencrypted on disk, so protect the file with filesystem permissions and prefer a separate, encrypted identity for anything valuable.
