What is proof-of-personhood (PoP)?

What is proof-of-personhood?

As AI advances, distinguishing human activity from that of machines is becoming critical. Proof-of-personhood (PoP) offers one answer.

It is a mechanism that attests to a person’s “humanness” and uniqueness. The method has spread because bad actors create large numbers of fake accounts to manipulate voting or the distribution of rewards.

PoP also ensures that every participant in a project has an equal vote and share of rewards. Crucially, unlike other popular consensus mechanisms such as proof-of-work (Proof-of-Work, PoW) or proof-of-stake (Proof-of-Stake, PoS), PoP does not allocate voting rights or rewards in proportion to committed resources.

The need for proof-of-personhood systems is also driven by the threat of deepfake abuse.

Why does it matter?

Advanced AI can augment human capabilities—while already creating plenty of headaches.

• 2014: a five-month Sybil attack was carried out by unknown actors on the Tor network. Developers later created software that exposed numerous alias nodes. They uncovered schemes for overwriting bitcoin wallet addresses, redirecting to phishing sites, and a set of nodes used to study the possibility of deanonymising the network.

• 2024: a Reddit user won a wager by passing verification with a generated image. The ID card was created by the AI model Stable Diffusion. Notably, the generated character’s name was given as “Your Mom”. The technology particularly worries the financial sector: according to The Wall Street Journal, instances of AI-enabled fraud in 2023 jumped by 700%.

See more

AI will rapidly accelerate broad use of private key cryptography and decentralized ID.

Check out this Reddit “verification post” and ID made with Stable Diffusion. When we can no longer trust our eyes to ascertain whether content is genuine we’ll rely on applied cryptography. pic.twitter.com/6IjybWRhRa

— Justin Leroux (@0xMidnight) January 5, 2024

PoP is meant to tackle these problems.

First, PoP enforces a natural rate limit via account verification, largely preventing Sybil attacks at scale.

Second, it allows content filtering—for example, granting access only to accounts confirmed as belonging to a unique human. That helps curb the viral spread of AI-generated disinformation.

What proof-of-personhood methods exist?

Proof-of-personhood can be used to attest “humanness” in various ways. Here are some of the most common:

Online Turing tests

Today, CAPTCHAs try to rate-limit automated Sybil attacks by using automated Turing tests to tell humans from machines. Despite partial success, the method still fails to stop one person from obtaining multiple accounts—one only needs to solve several CAPTCHAs in a row.

This method has other drawbacks. For example, users with poor eyesight or learning difficulties may struggle to complete the puzzles.

Biometric verification

Specialised platforms use biometric methods to verify identity, such as facial recognition, fingerprints, palm geometry, retina or iris scans, and signatures.

In-person verification

Another way to prove personhood is in-person verification, often via attendance at events. In this case participants can receive, for example, SBT that reflect their verified status.

Social-graph verification

Another approach relies on users within a social network verifying one another’s identities.

This approach can be criticised for lacking a direct way to ensure a participant has not created fake identifiers and colluded with others to have them endorsed.

A related problem is that graph-based Sybil-detection algorithms typically find only large clusters, making small attacks hard or even impossible to detect.

Time-locked wallets

Another approach is for users to lock funds for a set period so their activity can be tracked over time. This can serve as evidence of unique human behaviour, adding a layer of defence against Sybil attacks. However, the method is not foolproof.

Zero-knowledge proofs

Zero-knowledge proofs (ZKP) let users attest to attributes such as age or nationality without revealing the underlying data. This can be implemented in a decentralised system where participants prove uniqueness without disclosing personal information.

What PoP projects are out there?

Several projects are working on blockchain-based identification protocols. They let users prove their identity without relying on centralised institutions. These protocols can be integrated with decentralised applications to provide consistent proof-of-personhood across a network.

Recent hype around Worldcoin has brought fresh attention to PoP, but the concept is not new. In 2014 Vitalik Buterin proposed building a “system of unique identification” for cryptocurrencies. From that idea, PoP has evolved into several projects using the approach.

Among them:

• Gitcoin Passport. The project aggregates “stamps” from Web2 and Web3 authenticators, serving as credentials for cross-platform identity checks without revealing private information.

• Idena. Requires participating in a CAPTCHA game at a scheduled time to prevent multiple participation.

• Proof of Humanity. Combines webs of trust with reverse Turing tests, implements dispute resolution, and creates a list of verified users.

• BrightID. Hosts “verification parties” over video for mutual verification via the Bitu system, which requires a sufficient number of verified users to vouch for a person.

• World ID of the Worldcoin project. An open, permissionless identity protocol that anonymously verifies personhood using zero-knowledge proofs.

HumanCode. A project that identifies users by palm prints and is available to any smartphone owner. In April 2024, it entered into a partnership with TON Society.

What are PoP’s drawbacks?

While PoP offers innovative ways to prove digital identity and authenticate users, the mechanism has notable downsides:

• privacy and data-security concerns. Although ZKP alleviates some data-protection issues, users may still hesitate to undergo PoP checks;

• cost and complexity. Building and maintaining a decentralised PoP system that is robust and secure demands significant investment and highly skilled engineers;

• criminal threats. Biometrics can provide unique identification, yet pose risks including theft or misuse of data;

• authentication errors. There is a risk of false negatives or false positives, which undermines the effectiveness and fairness of a PoP platform.