Recovery

Understand the significance of a recovery phrase. Learn how to create, reset, safeguard it, and use it to recover your Internet Identity.

Is a Recovery Phrase as Safe as a Recovery FIDO Device?

No, it is much easier to steal a recovery phrase. Because the recovery phrase transits through your browser (when first generated, and when entered to recover a device), the data can be stolen by the browser, the OS, or by someone watching.

In contrast, when using a FIDO device like a YubiKey or a Ledger Nano, the actual key (the private material) never leaves the device. Instead, the device cryptographically proves that it holds the private material by producing an assertion: it signs a challenge with the private material. Only this "proof" or assertion, which can only be used once, transits through your browser. The FIDO device would have to be physically stolen to compromise the information.

There can be legitimate worries that the FIDO device will stop working (water damage, etc.), in which case you wouldn't be able to recover your Internet Identity. Some devices (like Ledger's Nano devices) offer to export a "recovery phrase" (unrelated to Internet Identity's "recovery phrase"), which can be used to clone or restore a device.
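The challenge signing described above, as an added example that is not Internet Identity's code and not the real WebAuthn message format: a simplified model in Node.js showing that only a signature crosses the boundary and that a captured assertion is rejected when reused. The names `makeAuthenticator`, `makeVerifier` and `demo` are hypothetical, and the P-256 key is generated on the spot.

```javascript
const crypto = require("node:crypto");

// Stand-in for a FIDO device: the private key stays inside this closure
// and is never returned to the caller (the "browser" side).
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  return {
    publicKey, // registered with the verifying service once
    sign: (challenge) => crypto.sign("sha256", challenge, privateKey),
  };
}

// Stand-in for the verifying service: issues random challenges and
// accepts each one at most once.
function makeVerifier(publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const challenge = crypto.randomBytes(32);
      pending.add(challenge.toString("hex"));
      return challenge;
    },
    verify(challenge, signature) {
      // Unknown or already consumed challenges are refused outright.
      if (!pending.delete(challenge.toString("hex"))) return false;
      return crypto.verify("sha256", challenge, publicKey, signature);
    },
  };
}

function demo() {
  const device = makeAuthenticator();
  const service = makeVerifier(device.publicKey);

  const c1 = service.newChallenge();
  const assertion = device.sign(c1); // the only value that transits the browser
  const first = service.verify(c1, assertion); // fresh challenge, valid signature
  const replay = service.verify(c1, assertion); // same assertion presented again
  const c2 = service.newChallenge();
  const stale = service.verify(c2, assertion); // old assertion, new challenge
  return { first, replay, stale };
}
```

A recovery phrase has no equivalent of the second and third checks: whoever observes the phrase once holds the secret itself, not a single-use proof.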
