The internet's identity layer is quietly being rebuilt
Went down a rabbit hole on this over the weekend.
Online identity is breaking in a measurable way. IBM's 2025 report puts the average breach at $4.44M globally. Stolen credentials show up in 53% of breaches (Verizon). Sumsub clocked a 700% YoY jump in deepfake fraud. Deloitte projects $40B in US generative AI fraud losses by 2027.
- Passwords are toast. Document KYC is increasingly spoofable with off-the-shelf AI. Three real replacements are forming in parallel, and most people haven't noticed.
- Government digital ID. Aadhaar covers 1.3B people. EU is rolling out eIDAS 2.0. Mature, state-backed. Doesn't cross borders, and if you're undocumented you're invisible.
- Document zero-knowledge proofs. Humanity Protocol, zkPassport. Prove things about yourself without revealing the document. Low friction. Problem is the underlying document still has to be real, and AI fakes are getting good.
- Biometric proof of human: World ID is the one I kept circling. A device called an Orb takes images of your face and eyes, converts them to a cryptographic identifier, images never leave the device. Around 18M verified across 160 countries. Tinder is piloting it in Japan for age and bot resistance. Most AI-resistant of the three.
My honest read is none of these wins outright. You end up with a stack. Bank uses government ID. Dating app uses biometric proof of human because age verification is legally required in places like Japan and you can't fake an Orb with Midjourney. Forum login uses ZKP because nobody needs nuclear-grade assurance to comment on a recipe.
The real question isn't whether verification gets stronger. It's who owns the verification layer.