2023 catalyzed a fresh wave of enthusiasm around “consumer crypto,” in part driven by the rise of products like friend.tech, but also by an acknowledgement of the industry’s over-investment in infrastructure vs. end-user applications. Many now predict that 2024 will be a breakthrough year for crypto’s application layer, as teams building everything from games to DePIN services to social experiences compete to onboard the next cohort of users.
However, even as crypto’s use cases become more compelling, the problem of identity – specifically sybil-resistance – remains significantly underrated as a bottleneck to the success of crypto’s consumer-facing applications.
Everything is downstream of identity
The problem of onchain identity is not a new one, but despite years of development and private investment, it remains largely unsolved. Even as volumes and activity grew exponentially during the last cycle, many well-intentioned founders still burned all their runway by doubling down on false signals and mistaking inorganic usage for product-market fit. In the absence of strong sybil-resistance, this is likely to play out similarly in the coming 2024-2025 cycle.
Until recently, the majority of mindshare has been focused on reputation, decentralized identity (DIDs) and privacy – all of which are important but fundamentally do not address the problem of “proof of personhood” (PoP). Most PoP solutions on the market today were conceived of for the purpose of combating AI-enabled disinformation and sybil attacks, but increasingly, it seems as though crypto will need its own PoP solutions for similar albeit different reasons. It is no secret that the highly financialized nature of crypto creates powerful incentives for fraudulent and adversarial behavior, most notably hacks and sybil farming. However, as we evolve beyond the ad-subsidized model of web2 into the user-owned model of web3, value-extracting centralized platforms will give way to more open networks and protocols that continuously distribute rewards and ownership to end-users. Without robust identity solutions, crypto teams will find themselves in an endless battle to protect their products and treasuries from adversarial actors, and the core value proposition of crypto as a technology for scaling incentive alignment is severely undermined.
Whether intentional or not, early DeFi airdrops from projects like Uniswap and dYdX set an unsustainable industry standard by rewarding end-users with tens (and sometimes hundreds) of thousands of dollars simply for using the product. Many crypto-natives have now come to expect lucrative airdrops simply for engaging with a product, even if their usage is passive or one-time. As a result, many teams are adapting by using more stringent eligibility criteria and being more strategic around mitigating the activity of bots and multi-wallet human farmers.
Anyone who has spent meaningful time working on crypto sybil resistance will concede that it is, unfortunately, an ever-evolving game of cat and mouse. Just as crypto teams working towards risk mitigation become more sophisticated in their techniques, so do sybil farmers. 2023 was a massive year for the sector, with content uploads and searches for “airdrops” on YouTube reaching an all-time high, as well as increasingly advanced farming tools coming to market. This alarming article by Kerman Kohli highlights some of the most extreme examples, including products that automate wallet deployments and various kinds of onchain actions while offering protection against any sybil-resistance techniques crypto teams may be using to weed farmers out.
This dynamic is not only damaging to most startups, but also has a deeply adverse effect on the signal quality of onchain data. Despite blockchains often being praised for their “openness” and “transparency,” the financial incentive to game key metrics (active wallets or volume) is so significant as to render most onchain user activity data functionally useless. This represents an existential challenge for crypto founders who are struggling to establish ground truth on the most basic metrics, such as number of unique human users, cost of customer acquisition (CAC), or lifetime customer value (LTV). Without access to high-signal onchain data or the growth tools and playbooks they power, attracting and retaining users will remain an uphill battle for the industry.
Exploring the Design Space
There are two main ways to think about identity in the context of proof of personhood: uniqueness and humanness.
Uniqueness has to do with whether an account interfacing with an application is a unique human or one of many accounts being operated by a single individual. Most founders will tell you that one wallet per unique human user is the gold standard, although as they exist today, crypto wallets are not well-suited to enforce this. Some projects will resort to tried-and-true solutions such as KYC, which come with meaningful tradeoffs.
For those unfamiliar with the concept of “identity assurance levels,” according to the National Institute of Standards and Technology, identity assurance levels (IALs) convey “the degree of confidence that a person’s claimed identity is their real identity.” Identity solutions generally fall into one of three categories:
Some confidence (Level 1) – identity is self-asserted; verification is not required (e.g. email account)
High confidence (Level 2) – identity is attested to by some 3rd party; in-person or remote verification is required (e.g. government-issued IDs, credential documents, address verification)
Very high confidence (Level 3) – identity is attested to by some 3rd party using biometric data; in-person verification is required (e.g. TSA agent verifies photo ID or fingerprints)
Humanness has to do with whether an account’s activity is being generated by bots or real human beings. Today, discerning humanness is arguably an easier task than discerning uniqueness, mostly because human users are generally still more sophisticated than bots. Teams that invest aggressively in tools like honeypots and data-driven monitoring & detection infrastructure can often mitigate meaningful amounts of bot-driven activity, although multi-wallet human farmers are a different beast.
Longer term, discerning humanness is likely to become a more challenging and amorphous problem, in part because of the way some accounts may oscillate between bot-generated activity and human-generated activity. This dynamic will only be exacerbated by humans deploying bots (“agents”) to traverse the internet and transact on their behalf. Many of the more ambitious (and controversial) identity solutions, such as Worldcoin, are attempting to address this “proof-of-personhood” problem — notably, many rely on various flavors of KYC or biometric data.
Importantly, when verifying uniqueness and/or humanness, it is critical that identity verification takes place on an ongoing basis. Identity solutions that only verify at the point of identity creation are especially susceptible to sybil attacks and fraudulent behavior, which can include anything from selling access to self-custodial wallets (e.g. an OTC points trade) all the way up to more coordinated attacks (e.g. reverse engineering a project’s identity and/or reward system).
The ideal identity solution would provide the highest level of assurance without adding too much UX friction or compromising on sovereignty. However, because no such solution exists (yet), crypto founders are forced to make whatever tradeoffs make the most sense for their use case.
Promising Solutions
Attestations: cryptographically signed claims made by one identity about itself or another identity
Although generally not well-suited for PoP, attestations are a foundational primitive for crypto identity. They correctly understand identity as a compilation of reputation credentials, where different aspects of an identity are relevant or valuable based upon context (e.g. local vs. national, official vs. informal). An open and composable standard for creating attestations and schemas, like the Ethereum Attestation Service, should meaningfully expand the onchain identity space as well as remove the need for “identity providers” to keep reinventing the wheel with proprietary solutions.
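An attestation of this kind, as an added example that is not code from the Ethereum Attestation Service or any project named here: an issuer signs a claim about a subject with Ed25519, and the relying application checks issuer trust, signature, subject binding and an expiry window, the last being one way to force the ongoing re-verification discussed earlier. The field names, the `unique-human/v1` schema string, the identifiers and the timestamps are all constructed for illustration.

```javascript
// Added example; field names, identifiers and timestamps are constructed.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Serialize fields in a fixed order so signer and verifier sign identical bytes.
function payload(a) {
  return Buffer.from(JSON.stringify(
    [a.schema, a.issuer, a.subject, a.claim, a.issuedAt, a.expiresAt]));
}

// An issuer signs a claim about a subject; the TTL forces re-verification.
function attest(issuer, privateKey, subject, schema, claim, now, ttl) {
  const a = { schema, issuer, subject, claim, issuedAt: now, expiresAt: now + ttl };
  return { ...a, sig: sign(null, payload(a), privateKey).toString("base64") };
}

// Verifier policy: known issuer, valid signature, expected schema,
// bound to the presenting account, and still inside its validity window.
function check(a, trustedIssuers, schema, account, now) {
  const key = trustedIssuers.get(a.issuer);
  if (!key) return "untrusted-issuer";
  if (!verify(null, payload(a), key, Buffer.from(a.sig, "base64"))) return "bad-signature";
  if (a.schema !== schema) return "wrong-schema";
  if (a.subject !== account) return "subject-mismatch";
  if (now < a.issuedAt || now >= a.expiresAt) return "expired";
  return "ok";
}

function demo() {
  const verifier = generateKeyPairSync("ed25519"); // third-party attester
  const self = generateKeyPairSync("ed25519");     // account vouching for itself
  const trusted = new Map([["issuer:verifier", verifier.publicKey]]);
  const t0 = 1700000000, day = 86400, schema = "unique-human/v1";
  const a = attest("issuer:verifier", verifier.privateKey, "account:alice", schema, true, t0, 30 * day);
  const selfSigned = attest("account:bob", self.privateKey, "account:bob", schema, true, t0, 30 * day);
  return {
    fresh: check(a, trusted, schema, "account:alice", t0 + day),
    stale: check(a, trusted, schema, "account:alice", t0 + 31 * day),
    otherAccount: check(a, trusted, schema, "account:carol", t0 + day),
    tampered: check({ ...a, subject: "account:carol" }, trusted, schema, "account:carol", t0 + day),
    selfAsserted: check(selfSigned, trusted, schema, "account:bob", t0 + day),
  };
}

console.log(demo());
```

The subject binding stops an attestation from being replayed by a different account, but it does not detect a wallet whose keys have changed hands; only the expiry, and whatever the issuer re-checks before renewing, addresses that case.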
Progressive Proof-of-Personhood: rewarding users over time based on proven uniqueness
While no solution is completely foolproof, KYC and biometrics are definitely amongst the highest assurance identity tools available today. However, crypto comes with a few idiosyncrasies that weaken the viability of these solutions:
Industry-wide aversion to KYC / value placed on privacy & sovereign identity
Biometrics generally aren’t used for or within consumer apps (except for health & fitness)
The need for continuous & dynamic identity assurance
The primary goal of progressive PoP is to design systems that reward users over time for proving their uniqueness/humanness through taking specific actions. The challenge, on the other hand, is in avoiding the incentivization of resource waste and making sure the actions being rewarded actually map well to uniqueness.
Closing Thoughts
In many ways, online identity primitives never evolved much beyond low assurance solutions such as email accounts, and without the financial incentives of crypto or the proliferation of generative AI, it’s possible they never would’ve had to. For all the innovation these technologies will bring to the world in the coming years, they will also make the identity problem significantly more difficult and complex for the foreseeable future. This is why it’s so important that identity in crypto is about much more than decentralized identifiers (DIDs) or privacy mixers – the very viability of crypto-economic incentives is at stake.
If you’re building, thinking or writing about anything related to these topics, please feel free to reach out! Thoughts and feedback are welcome as always.