Humanity has already figured out how to create decentralized digital money — and it works. But lately, more and more attention is turning to another deeply centralized domain: identity.
It seems like the days of carrying around a paper document with your photo are coming to an end. Enter the next wave: World ID, Humanity Protocol, Proof of Humanity, BrightID — all promising a digital revolution. Get your blockchain-based ID, and say goodbye to passports and government paperwork.
But the deeper I look into how these systems actually work, the more I keep running into the same question:
Does a digital ID really prove anything more than the fact that someone — anyone — currently has access to a private key or a device?
With a paper passport, things are pretty straightforward. You show your document, the person checking it compares the photo — “yep, looks like you.” If someone else shows up with that same passport, the deception will quickly fall apart. Even if you let a friend borrow your passport, they won’t pass the face check when they try to use it. That’s what a real ID means: “I am exactly who I claim to be.”
The “protocol” behind a paper passport simply prevents anyone else from using it. That’s why I think people often worry too much about sharing their passport details. Even a perfect copy of a passport is useless if you’re not the person it was issued to — the photo will betray you!
That said, this “protocol” often gets ignored in practice. Sometimes people don’t bother checking the photo at all. Other times, they accept a passport — or just its data — without the owner being present. So I do respect those who prefer not to share their ID details. Especially since many of our clients at rabbit.io feel this way. They come to us to exchange crypto because traditional exchanges require passport-verified registration, while on rabbit.io you can make a swap without it.
Lately, I keep seeing headlines like “One person — one ID!” and “Your data, your control!”
Looks cool. You scan your eye once — and boom, you’re registered as a verified human being in the digital world. You get a soulbound token or some kind of credential, and now you can vote in decentralized communities, receive airdrops, or prove your uniqueness in any online app.
Each of these systems tries to answer the same question: how can we make sure that every person has just one digital identity, and that this identity isn’t tied to any government or email login?
All these systems focus on making sure that one person gets only one ID. But what they rarely address is the next, much trickier question: how can we make sure that only the same person continues to use that ID afterward?
Because think about it — with a traditional passport, someone might steal it, but they won’t get far. They’ll show up, and the person checking it will look at the photo and realize: “Wait, this isn’t you.”
But in the world of crypto IDs, that second layer of verification — the one that happens when you use the ID — often just doesn’t exist. In many systems, once your ID is issued, all that matters is whether you are still the only one who controls the private key or the device it’s stored on.
And that means the system no longer identifies you. It just identifies whoever is holding the key right now.
I often hear things like, “But the key is stored only on your device — no one else can use it!” That’s a misconception.
Devices get lost, hacked, handed in for repairs, or lent to someone else. Anyone who gains full access to your phone automatically gains full access to all your credentials too. There are no real barriers standing in their way.
And if the owner intentionally lets someone else use their ID — say, to trick the system on purpose — then tying the ID to a device rather than to biometrics just makes the deception easier.
In response to criticism about private keys being easily transferable, many projects started adding biometrics — Face ID, fingerprints, palm scans. With World ID, after scanning your iris at the Orb, you’re asked to enable Face Auth, so supposedly only “your” face can unlock the app. Sounds reassuring, right? But here comes the first major hole in the system — the one people don’t usually talk about.
Any biometric authentication on a phone — whether it’s Face ID or a fingerprint — is simply a way to unlock the device. It doesn’t actually prove that you are the one using it. You can go into your phone’s settings and add your friend’s or relative’s fingerprint, and now they’ll have exactly the same access to your app as you do. Worse, someone who has physical control over you — say, while you’re asleep, unconscious, or under pressure — can add their own biometric data and start using your ID.
The system can’t tell whose fingerprint or face it’s seeing. All it knows is that “one of the approved biometric profiles” authenticated the action. So all those promises that “only the original user can access their World ID” are, frankly, wishful thinking.
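To make the two points above concrete (the verifier only learns "whoever holds the key right now", and the app only ever sees a yes/no from the phone's biometric unlock), here is a small model added for this post. It is constructed for illustration and is not code from World ID or any other project named here: an HMAC over a challenge stands in for the private-key signature a real wallet would produce, the `Device` and `Verifier` classes and the `human-0001` identity are invented, and enrolled biometric profiles are plain strings. The point it shows is that the verifier's output is byte-for-byte identical for the original owner and for anyone else whose profile has been enrolled on the same phone, and that nothing in the presentation could carry "which human" even if the verifier wanted it.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed toy model of a device-bound decentralized ID. In a real system the
# device holds a private key and the verifier a public key; here both sides share
# an HMAC key so the example runs with the standard library only. The decision
# logic is the same: "does the presenter control the key registered at issuance?"


@dataclass
class Device:
    """Phone holding the ID key. The OS unlocks for ANY enrolled biometric profile."""
    id_key: bytes
    enrolled_profiles: Set[str] = field(default_factory=set)

    def enroll_biometric(self, template: str) -> None:
        # Anyone who can open Settings on an unlocked phone can add a profile.
        self.enrolled_profiles.add(template)

    def biometric_unlock(self, presented_template: str) -> bool:
        # The ID app only ever receives this boolean, never which profile matched.
        return presented_template in self.enrolled_profiles

    def sign_challenge(self, presented_template: str, challenge: bytes) -> Optional[bytes]:
        """Produce a possession proof if the phone unlocks; the proof carries no
        information about who presented the biometric."""
        if not self.biometric_unlock(presented_template):
            return None
        return hmac.new(self.id_key, challenge, hashlib.sha256).digest()


@dataclass
class Verifier:
    """Relying party that registered one key per 'unique human' at issuance."""
    registry: Dict[str, bytes]  # identity_id -> key registered at issuance

    def check_presentation(self, identity_id: str, challenge: bytes,
                           proof: Optional[bytes]) -> dict:
        if proof is None:
            return {"accepted": False, "identity": identity_id,
                    "learned": ["device did not unlock"]}
        expected = hmac.new(self.registry[identity_id], challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, proof)
        # Everything the verifier can learn from a valid presentation is listed here.
        # There is no field for "which human", because no such signal reaches it.
        return {"accepted": ok, "identity": identity_id,
                "learned": ["controls registered key"]}


def run_scenario() -> Dict[str, dict]:
    """Owner enrolled at issuance, a second profile added later, and a stranger
    with no enrolled profile all present the same ID to the same verifier."""
    issuance_key = secrets.token_bytes(32)
    phone = Device(id_key=issuance_key)
    phone.enroll_biometric("face:owner")                 # enrolled when the ID was issued
    verifier = Verifier(registry={"human-0001": issuance_key})

    # Later: a second profile is added on the (unlocked) phone.
    phone.enroll_biometric("face:friend")

    results = {}
    for who in ("face:owner", "face:friend", "face:stranger"):
        challenge = os.urandom(16)                       # fresh per presentation
        proof = phone.sign_challenge(who, challenge)
        results[who] = verifier.check_presentation("human-0001", challenge, proof)
    return results


if __name__ == "__main__":
    for who, outcome in run_scenario().items():
        print(f"{who:14s} -> {outcome}")
```

The stranger is rejected only because the phone refused to unlock; the verifier itself never distinguished between the owner and the second profile, and could not have, since the only thing it checked was control of the registered key.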
Some projects do make it harder to fake. Humanity Protocol scans your palm and requires the same palm for future access. Proof of Humanity requires a video of your face, and you can’t just upload someone else’s later. But even those don’t solve the deeper problem: you can’t be sure who you’re actually dealing with. Is it the person who scanned their own hand or face? Or someone else pointing a scanner at the original user’s hand — or a camera at someone else’s face?
Projects like BrightID and Proof of Humanity take a different route: no biometrics, just proof of uniqueness through social connections or mutual endorsements — sometimes with a selfie or a short video. A “unique human” in this context simply means not a bot, not a duplicate account. That’s the only thing these digital IDs are designed to confirm. They don’t aim to prove that the person using the ID is the same individual who originally created it.
This approach is great for bot prevention and adds a layer of integrity to online voting or airdrop systems. But if you hand over access to your account to someone else, they’ll continue to “be you” as far as the system is concerned — there’s no check to verify who’s actually holding the phone at any given moment.
Some projects offer to include a “proof element” — for example, reading data from a real biometric passport via NFC to add verified citizenship or age to your decentralized ID.
But here’s the catch. Most of these solutions don’t actually compare your face to the photo in the passport. They just check the digital signature and confirm that the fields match. So if you happen to have someone else’s passport, you can easily link it to your ID — and the system won’t detect the substitution.
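The passport-linking check described above can be written out to show exactly where the substitution goes unnoticed. The following model is added for this post and is not the code of any decentralized ID project: it follows the general shape of an ICAO 9303 chip, where data groups (DG1 holds the MRZ fields, DG2 the face image) are hashed into a Security Object that the issuing state signs, and "passive authentication" means checking that signature and those hashes. Everything else is constructed: the issuer key is a stand-in HMAC key rather than a real Document Signer certificate, face images are plain strings, and a face match is modelled as exact equality where a real matcher would use a similarity threshold. The example contrasts a link step that only validates the signature and fields with one that also compares a live capture against DG2.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the issuing state's Document Signer key.
ISSUER_KEY = b"constructed-document-signer-key"


@dataclass
class PassportChip:
    dg1_mrz: Dict[str, str]     # MRZ fields: name, nationality, date of birth ...
    dg2_face_template: str      # stands in for the face image stored on the chip
    sod: bytes                  # "signature" over the data-group hashes


def _dg_hashes(mrz: Dict[str, str], face: str) -> bytes:
    """Hash each data group the way a Security Object commits to them."""
    h1 = hashlib.sha256(repr(sorted(mrz.items())).encode()).digest()
    h2 = hashlib.sha256(face.encode()).digest()
    return h1 + h2


def issue_passport(mrz: Dict[str, str], face: str) -> PassportChip:
    sod = hmac.new(ISSUER_KEY, _dg_hashes(mrz, face), hashlib.sha256).digest()
    return PassportChip(mrz, face, sod)


def passive_authentication(chip: PassportChip) -> bool:
    """Genuine, untampered chip? This is what the signature actually proves."""
    expected = hmac.new(ISSUER_KEY,
                        _dg_hashes(chip.dg1_mrz, chip.dg2_face_template),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip.sod)


def link_signature_only(chip: PassportChip, claimed: Dict[str, str]) -> bool:
    """The check the post describes: valid signature, claimed fields match DG1.
    Note the function has no parameter for who is holding the document."""
    return passive_authentication(chip) and all(
        chip.dg1_mrz.get(k) == v for k, v in claimed.items())


def link_with_face_match(chip: PassportChip, claimed: Dict[str, str],
                         live_face_template: Optional[str]) -> bool:
    """Same check, plus a comparison of a live capture against DG2. A real
    system would score similarity against a threshold; equality stands in."""
    if live_face_template is None:
        return False
    return link_signature_only(chip, claimed) and \
        live_face_template == chip.dg2_face_template


def run_scenario() -> Dict[str, bool]:
    alice = issue_passport(
        {"name": "ALICE EXAMPLE", "nationality": "XXX", "dob": "1990-01-01"},
        "face:alice")
    claimed = {"nationality": "XXX", "dob": "1990-01-01"}

    # A chip with one altered field: the signature no longer matches, so the
    # check the post describes does catch forgery.
    forged = PassportChip(dict(alice.dg1_mrz, dob="2001-01-01"),
                          alice.dg2_face_template, alice.sod)

    return {
        # Whoever presents the genuine chip gets the same answer ...
        "genuine_chip_signature_only": link_signature_only(alice, claimed),
        # ... unless the live face is also compared with DG2.
        "alice_with_face_match": link_with_face_match(alice, claimed, "face:alice"),
        "other_holder_with_face_match": link_with_face_match(alice, claimed, "face:bob"),
        "forged_chip": link_signature_only(forged, claimed),
    }


if __name__ == "__main__":
    for case, ok in run_scenario().items():
        print(f"{case:32s} {'ACCEPT' if ok else 'REJECT'}")
```

Read the results together: the signature check rejects the altered chip, which is the forgery case it was designed for, but it has no input through which a different holder could ever be noticed; only the variant that receives a live capture can separate the two holders, and that is precisely the comparison the next paragraphs say decentralized solutions tend to leave out.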
Only centralized services — banks, KYC providers, etc. — typically require a live selfie or video comparison. Decentralized, Web3-style solutions usually avoid such privacy compromises.
Many people say, “In the future, we’ll have perfect ZK and SSI systems — everything will be stored only on the user’s device, selfies will be used for verification, and privacy will be fully preserved!” But here’s the issue: if all biometric data is stored only on the user’s side, then what exactly will the verifying party compare the live selfie against?
Exactly — the user will have to send their photo or biometric template to an external service (usually a cloud-based AI), and then just hope that the service deletes the data right after the check. There are no guarantees.
The decentralized digital IDs currently being developed in the crypto industry really do represent progress — especially when it comes to giving users control over their own data.
They offer solid protection against mass forgery, multi-accounts, and bot farming. They preserve anonymity — no one knows your name unless you choose to reveal it. They make it easy to prove “I’m a real person” without uploading your passport or filling in personal data on every new website.
But here’s what they don’t offer: a strong guarantee that the person using the ID is the same one who originally received it.
What these systems really protect is the fact that someone controls a private key — or a device. Not a one-to-one link with a specific human being.
Biometrics, social graphs, verification tokens — they’re great at stopping bots. But they don’t protect against a very human scenario: when the original user voluntarily (or under pressure) gives someone else access to their device or keys.
So take any claim like “only the owner can use their digital ID” with a healthy dose of skepticism. What you’re really getting is just a token — and a key to access it. A key that can be forgotten, lost, shared, or taken.
If you want stronger guarantees, stay vigilant and don’t fall for fairy tales about blockchain magic. Blockchain is great for storing and transferring value — not for identity. And without the good old “photo in a passport,” we’re still missing a critical piece. Just like we still need in-person checks to compare that photo with the actual face of the person holding the document.