A comparative analysis of various mechanisms for establishing a global Proof-of-Personhood (PoP) has been carried out.* The following table provides an overview of the relevant PoP mechanisms, including how each fares against the key requirements of an effective PoP:
Table: PoP mechanisms*
Online accounts
The most straightforward approach to establishing a presence on the web at scale is to leverage existing accounts such as email, phone numbers and social media. This approach is ineffective, however, since a single individual may possess multiple accounts on each platform. Moreover, accounts are not tied to a specific individual, making them easily transferable to other parties. The CAPTCHAs that are commonly used to prevent bots are also ineffective in this context, as any human can pass several of them. Even the most recent implementations, which rely on an internal reputation system, have limitations.
KYC
It is common practice for online services to request proof of identity (typically a passport or driver's license) in order to comply with Know-Your-Customer (KYC) regulations. In theory, this could be used to deduplicate individuals globally, but in practice, it fails for several reasons. KYC services make it challenging to perform KYC verification in a privacy-preserving manner: to utilize the services of a KYC provider, it is necessary to share sensitive data with them. This issue can be resolved by utilizing zkKYC and NFC-readable IDs. The relevant data can be read by the user's mobile device and verified locally, as it is digitally signed by the issuing authority. The proof of unique human identity can then be achieved by submitting a hash based on the information of the user's ID without disclosing any private information. The main disadvantage of this approach is that the number of NFC-readable IDs in circulation is significantly lower than that of regular IDs.
Web of trust
The concept of a "web of trust" is based on the decentralized verification of identity claims. To illustrate, the classic web of trust used by PGP involves users convening in person for "key signing parties" to verify the ownership of keys through the presentation of identity documents. More recently, projects like Proof of Humanity are developing web of trust solutions for Web3. These allow for decentralized verification using face photos and video chat, eliminating the need for in-person verification. However, given the reliance on individuals in these systems, there is a risk of human error.
Social graph analysis
The objective of social graph analysis is to utilize data regarding the connections between individuals (or the absence thereof) to ascertain which users are genuine. For instance, one might conclude from a relationship network that users with more than five friends are more likely to be genuine users. It should be noted that this is an oversimplified inference rule. Projects and concepts in this space, such as EigenTrust, BrightID and soulbound tokens (SBTs), propose more sophisticated rules. SBTs are not designed to be a proof of personhood mechanism but are complementary for applications where proving relationships rather than unique humanness is needed. However, they are sometimes mentioned in this context and are therefore relevant to discuss.
Social relations act as a distinctive identifier for individuals when it is challenging for them to establish another profile with a sufficiently diverse range of relationships. If users are unable to create additional relationships, they will only be able to maintain a single profile with rich social relations, which can serve as their PoP. One significant challenge with this approach is that the necessary relationships are slow to establish on a global scale, particularly when relying on entities such as employers and universities. It is not immediately evident how institutions can be persuaded to participate, particularly at the outset when the value of these systems is still limited. Furthermore, it seems inevitable that soon, AI (possibly assisted by humans acquiring multiple "real-world" credentials for different accounts) will be able to build such profiles on a large scale. In essence, these approaches necessitate the abandonment of the concept of a singular human entity. They entail the acceptance of the potential for some individuals to possess multiple accounts that, from the perspective of the system, manifest as discrete, unique identities. Therefore, while the social graph analysis approach is valuable for many applications, it does not meet the fraud resistance requirement for PoP as set out above.
Biometrics: Face recognition, Iris scans and others
It should be noted that the aforementioned systems are unable to verify uniqueness on a global scale in an effective manner. In untrusted environments, the only viable means of differentiating individuals is through biometrics. Biometrics represent the most fundamental means of verifying both human identity and uniqueness. Most importantly, they are universal, enabling access irrespective of nationality, race, gender or economic status. In addition, biometric systems can be highly privacy-preserving if implemented correctly. Biometrics also supply further building blocks: they provide a recovery mechanism (even in the event of memory loss) and can be utilized for authentication purposes. Consequently, biometrics facilitate the person-binding of the PoP credential.
It is important to note that different systems have different requirements. The authentication of a user via FaceID as the rightful owner of a phone is a markedly different process from the verification of billions of individuals as unique. The primary differences in requirements pertain to accuracy and fraud resistance. In the case of FaceID, biometrics are essentially being used as a password. The phone performs a single 1:1 comparison against a saved identity template to determine if the user is who they claim to be. It is considerably more challenging to establish global uniqueness. The biometrics must be compared against a database of previously registered users, which will eventually contain billions of records. If the system is not sufficiently accurate, an increasing number of users will be incorrectly rejected.
Iris scans are another form of biometrics. Iris scanning can be a viable route to PoP; however, it requires thorough consideration of data privacy. Approaches like World ID suffer because regulators in several countries have banned the Worldcoin project, citing its collection of biometric data as a critical privacy threat.
DNA biometrics
The error rates, and therefore the inclusivity, of the system are strongly influenced by the statistical characteristics of the biometric features being used. DNA biometrics can outperform other biometric modalities: they are several orders of magnitude more accurate than the current state of the art in face recognition. DNA biometrics can also outperform iris scans, provided a minimum number of Short Tandem Repeat (STR) loci are analyzed.
For example, DNA biometrics can go beyond 1 false match in 100 trillion when 13 STR loci are analyzed. Thus, DNA analytics can be more fraud resistant than other biometrics. DNA biometrics also exhibit high stability over time: the approximately 25,000 human genes hardly change during a person's life.
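An added worked example, not part of the original page: it quantifies the 1:N deduplication problem described under Biometrics, using the 1-in-100-trillion figure above read as a per-comparison false match rate. The independence of comparisons, the 8 billion registry size and the 1e-6 comparison value are assumptions made for illustration.

```python
import math

# Figure quoted on the page for 13 STR loci, read here as a per-comparison
# false match rate (assumption): 1 false match in 100 trillion comparisons.
FMR_PAGE_DNA = 1e-14
# Constructed, illustrative value for a less accurate modality (not from the page).
FMR_ILLUSTRATIVE = 1e-6
# Constructed registry size standing in for "billions of records".
WORLD = 8_000_000_000


def p_false_reject(fmr: float, enrolled: int) -> float:
    """Chance that a genuinely new person falsely matches at least one of
    `enrolled` stored templates: 1 - (1 - fmr)**enrolled.
    Assumes independent comparisons; log1p/expm1 keep precision for tiny fmr."""
    return -math.expm1(enrolled * math.log1p(-fmr))


def max_fmr_for(target_reject: float, enrolled: int) -> float:
    """Largest per-comparison FMR that keeps the false rejection chance of the
    next enrollee at or below `target_reject` (inverse of p_false_reject)."""
    return -math.expm1(math.log1p(-target_reject) / enrolled)


def expected_false_rejects(fmr: float, population: int) -> float:
    """Expected number of genuine people wrongly rejected while `population`
    people enroll one after another (enrollee k faces k-1 comparisons).
    Closed form of sum_{k=0}^{N-1} [1 - (1 - fmr)**k]."""
    return population - p_false_reject(fmr, population) / fmr


if __name__ == "__main__":
    for name, fmr in (("page DNA figure", FMR_PAGE_DNA),
                      ("illustrative 1e-6", FMR_ILLUSTRATIVE)):
        for n in (1, 1_000_000, WORLD):
            p = p_false_reject(fmr, n)
            print(f"{name:18s} N={n:>13,d}  P(false reject)={p:.3e}")
    print(f"FMR needed for <=1% rejection at N={WORLD:,d}: "
          f"{max_fmr_for(0.01, WORLD):.3e}")
    print(f"Expected wrongful rejections enrolling {WORLD:,d} people: "
          f"{expected_false_rejects(FMR_PAGE_DNA, WORLD):,.0f}")
```

A single 1:1 check (N=1) fails at the raw false match rate, while the same rate compounds across every stored template in a 1:N search, which is why a rate adequate for phone unlock rejects nearly every new enrollee at registry scale.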
While the current coverage of DNA biometrics is almost 10 percent of the US population and some 3 percent of the EU population, their use will increase rapidly in the coming years as individualized medicine and biopharmaceuticals progress. As Cell & Gene Technology (CGT) is leveraged as the future diagnostics standard in medicine, DNA biometrics will be inclusive of everyone. While the understanding of distinctive genes and the role they play for certain diseases grows, the scope of DNA sequencing (genotyping vs. comprehensive genome sequencing).
* Credits to TfH, who provided a comparative analysis of most mechanisms, which were revised and corrected by the DSI view