release-2026-06-12: Email recovery and sign-in improvements

This is Internet Identity release release-2026-06-12 for commit 9ae51005f9ab8afe26366ad45c8ea706b6ce8d3c.

Identity-number recovery has moved to the recovery page, where it now sits alongside the recovery-phrase and email options. The email-recovery DNS caching has been reworked to be more reliable, adding a new device now requires a hold-to-confirm step before entering the code, and the sign-in/sign-up disambiguation flows have been refactored. Opening identity management from the sign-in screen now lands you there already signed in. Open Cloud joins the dapps explorer and translations have been updated.

Try it out

• Staging: https://beta.id.ai
• Testing application: https://try.id.ai

What's Changed

• chore(fe): update translations (de, es, fr, id, it, nl, pl, ru, uk, ur) by @sea-snake-translation-bot in #3964
• feat(be,fe): instrument DoH failure cause for the recovery funnel by @aterga in #3990
• feat(scripts): add create-staging for provisioning new staging envs by @aterga in #3985
• feat(fe): add identity-number recovery option on /recovery by @MRmarioruci in #3983
• fix(fe): Update CLI snippet to new 'icp identity link web' syntax by @aterga in #3994
• feat(fe): update icons across recovery surfaces by @MRmarioruci in #4001
• build(deps-dev): bump vitest and @vitest/browser by @dependabot[bot] in #3965
• refactor(be,fe): explicit DoH fallback for email recovery; de-duplicate wizards by @sea-snake in #3992
• chore(be): remove OpenID credential key migration scaffolding by @aterga in #3997
• chore(ci): consolidate dependency-update workflows by @MRmarioruci in #3998
• ci: Slack notifier for PRs awaiting CI approval by @timothyaterton in #3969
• chore: drop remaining dfx mentions from comments by @aterga in #3925
• fix(ci): grant update-deps write permissions for deps workflow by @MRmarioruci in #4004
• fix(ci): use --slurpfile in notify-ci-approval to avoid ARG_MAX by @MRmarioruci in #4005
• fix(fe): hand off auth to manage tab via postMessage from authorize popover by @MRmarioruci in #3929
• feat(fe): require hold-to-confirm before entering new-device code by @MRmarioruci in #3958
• fix(fe): make support-request link one translatable sentence by @sea-snake in #4007
• feat(fe): add Open Cloud to the dapps explorer by @sea-snake in #4008
• fix(ci): notify-ci-approval dedup never matched; gate marker on confirmed send by @aterga in #4011
• docs(vc-spec): update stale internetcomputer.org links by @timothyaterton in #3960
• refactor(fe): make AuthWizard a black box by @MRmarioruci in #3991
• feat(be): add sso_domain/sso_name to stored OpenID credentials with batched backfill migration by @sea-snake in #4013
• feat(be,fe): generic stale-while-revalidate single-flight cache by @sea-snake in #3995
• chore(fe): update translations (de, es, fr, id, it, nl, pl, ru, uk, ur) by @sea-snake-translation-bot in #4012
• fix(fe): remap CLI delegation origin to legacy *.ic0.app domain by @sea-snake in #4009

Full Changelog: release-2026-06-05...release-2026-06-12

Artifacts

Filename	sha256 (links to CI Run)
internet_identity_backend.wasm.gz	917a42d0f8621ab59921b3ad320bdc2fd30951721e1687e7e5d1be035936fce9
internet_identity_frontend.wasm.gz	7f9e8557d25544dc00e72afc0f0c677e9823d66d07f8e65b671c102a44170c35
archive.wasm.gz	fd07137ca4687da569d766a2f1e16604ffd74e527e7b6bf43b7bdd0f8ed92edc

Wasm Verification

To build the wasm modules yourself and verify their hashes, run the following commands from the root of the Internet Identity repository:

git pull # to ensure you have the latest changes.
git checkout 9ae51005f9ab8afe26366ad45c8ea706b6ce8d3c
./scripts/verify-hash     --ii-hash 917a42d0f8621ab59921b3ad320bdc2fd30951721e1687e7e5d1be035936fce9     --iife-hash 7f9e8557d25544dc00e72afc0f0c677e9823d66d07f8e65b671c102a44170c35     --archive-hash fd07137ca4687da569d766a2f1e16604ffd74e527e7b6bf43b7bdd0f8ed92edc

Make sure to compare the hashes also with the proposal payload when verifying canister upgrade proposals.