The battle between humans and machines reignites: The logic and practice of Web 3 identity management

Author: Chloe, IOSG Associate

DID & PoP Authentication and Management

In the last issue, "The Human-Machine Game Has Just Begun," we discussed why DID and PoP are particularly important in Web 3.0. This week, we will delve into the concepts of DID and PoP, and introduce several verification methods and leading projects related to PoP.

PoP (Proof of Personhood) and DID (Decentralized Identifier) are both concepts of identity management. When we mention "identity management," the first thing that comes to mind is the ID card. Everyone has an ID number, a string of digits that accompanies a person throughout their life. When identity verification is needed, we present our ID, which has our photo printed on it. This way, the person and the ID correspond, proving "I am me." Our lives are inseparable from this small document; it is required for taking college entrance exams, opening a Weibo account, and paying social security after starting work. Therefore, more and more "identity information" is attached to the ID number, forming a person's identity in society.

Universal Identity Management Logic

Whether in real-world identity management or Web 3.0's DID, the following logic applies.

• Marking individuals. First, we need an identifier to "mark" a person. This identifier must be unique and immutable, like an ID number.
• Verifying identity. Secondly, we need to verify the identifier. Typically, identity verification in the real world is done by proving ownership, such as holding an ID document or verifying through biometric information (fingerprint recognition, facial recognition, etc.). When a person has a unique "identifier" marked, and this correspondence is verified as correct, a biological person is equivalent to an identity.
• Transferring data. Finally, a person's data will be "transferred" to this identity, including social data, geographical location, workplace, and all other relevant information will be attached to the identity. This is the general process of identity management in the real world.

(Image source: IOSG Ventures)

The Uniqueness of DID

So what is special about DID? First, DID is "decentralized." Unlike traditional identifiers controlled by centralized authoritative institutions, DID's identifier should be self-owned, independent, and reliant on a P2P decentralized network. Secondly, the verification methods for DID are also different; they are not proven by holding a certain document.

Instead, they are verified through encrypted public-private key pair signatures. Finally, the focus of personal information is also different. The information here mainly consists of on-chain activities, such as which NFTs were purchased, how many transaction records exist, what chain games were played, etc. This on-chain data will be attached to the identifier.

This process seems to have no essential difference from centralized identity management. However, DID does not require the individual to go to an institution; it is conducted online. This creates many problems that real-world identity systems have never encountered, namely, before all identity management procedures are initiated, how to verify whether the person on the screen is AI or a biological person?

Our previous article "The Human-Machine Game Has Just Begun" specifically addressed solutions to this problem, which can be viewed by clicking the link; we will not elaborate further here. Next, we will introduce several mainstream PoP verification methods.

(Image source: IOSG Ventures)

Various Practices of PoP

Proof of Personhood, as the name suggests, is based on the identity verification of biological persons. How can we effectively distinguish between biological persons and AI? Nowadays, the development of artificial intelligence has reached a level where it can defeat humans in many fields, such as AlphaGo defeating the world Go champion. Therefore, to successfully identify AI and biological persons, we need to focus on the weaknesses of AI.

First, the simplest and most direct logic is that humans and AI look different. AI can mimic human thinking but finds it challenging to imitate human appearance, such as pupils, skin texture, and other biological features. Therefore, the most direct way is to showcase biological features for identification, a method known as Pseudonym Parties.

Just like attending an interview, users need to participate in online or offline gatherings to showcase their facial features, voice, and other biological characteristics to prove they are biological persons.

Secondly, another significant characteristic that distinguishes humans from AI is social attributes. Humans are social animals and inevitably form social connections with those around them, which robots do not possess. Therefore, the Web of Trust leverages this characteristic to verify through social attributes.

If a user has been using multiple social platforms for a long time and has more interactions with others, the probability of that person being a bot decreases.

Additionally, unlike AI, humans are very good at logical thinking and pattern recognition, which is precisely a challenge that machine learning struggles to overcome. Reverse Turing Tests utilize this characteristic. Reverse Turing Tests have been around for many years and are widely applied. Everyone has likely encountered a pop-up window containing nine image blocks, asking users to select the blocks containing traffic lights/motorcycles/zebra crossings to complete the identification; this is an application of the Reverse Turing Test.

Currently, most leading projects in the PoP space adopt one or more of the above mixed verification methods. For example, Proof of Humanity and BrightID verify through Pseudonym Parties and social relationships. The logic of these two projects is similar, both verifying through video consensus within small circles.

BrightID has also innovated on this basis, introducing a new verification method based on the user's position in the social network graph—Bitu verification. The Bitu verification method assesses how close each of a user's social relationships is to the center of the network. If a user associates with completely unrelated unfamiliar accounts, they will receive a penalty, increasing the cost of "malicious behavior."

However, Proof of Humanity and BrightID still have some issues. First, they require users to "show their face" and disclose some personal data, which sacrifices user privacy to some extent. Another drawback is that organizing meetings, manual verification, and maintaining the PoP network are too costly, reducing scalability.

When it comes to highly scalable verification methods, we must mention another frontrunner—Idena Network. To obtain verification from Idena Network, users need to qualify for the test, which means obtaining an invitation code from already verified users.

This is the first "checkpoint" set by Idena for users, requiring some actual interpersonal relationships to obtain the verification code. After obtaining the verification code, users must participate in an online Reverse Turing Test at a designated time synchronized globally.

Moreover, after completing the test, users are also required to participate in designing new tests. Only through these multiple checkpoints can they obtain "Human" certification. The protocol theoretically has the highest scalability and efficiency in the current PoP industry, but in practice, the image questions are uploaded by users, which is quite cumbersome and time-consuming for users, and the quality of the questions is relatively low.

In the long run, it is only a matter of time before the questions are cracked by AI. The project mechanism also requires users to re-verify after a certain period, which is time-consuming and labor-intensive. Overall, this solution does not have a significant advantage over social verification.

Idena User Verification Levels and Numbers

The exploration of DID and PoP still has a long way to go. Currently, most DID solutions are focused on accumulating on-chain/off-chain data for users, such as the recently popular SocialFi projects, CyberConnect, Galaxy, etc., which establish social graphs and user profiles for users.

However, the discussion and exploration of "identifiers" are still relatively lagging, as people generally equate Web 3.0 identifiers with wallet addresses. A person can only have a unique identity but can apply for countless wallet addresses. Fortunately, Sismo has taken the first step in this direction. Sismo is a DID solution that utilizes zk technology to issue badges to users based on on-chain activities.

Users can designate other wallet addresses and aggregate the activity badges of other wallet addresses under the same ENS domain. This resolves the conflict between users having multiple wallets and a unique identity while protecting user privacy. However, users can still apply for multiple ENS domains.

Currently, the industry's exploration of identifiers is diverse, but the widespread promotion of these applications still has a long way to go. As the foundation of Web 3.0, DID will surely see more innovative projects exploring it in the future. Stay tuned to IOSG for more articles related to Web 3.0.