Feb 2, 2026
The Problem: Why Wallets Aren't Enough
Web3 was built on a simple premise: your wallet is your identity. But this creates a fundamental vulnerability: wallets are cheap to create, and humans are not.
What this means in practice:
One person can control hundreds or thousands of wallets
Incentive programs attract industrial-scale farming operations
Governance votes can be bought through Sybil attacks (creating multiple fake identities)
Community metrics become meaningless when you can't distinguish real users from bot swarms
The core challenge: How do you verify someone is a unique human without forcing them to doxx themselves?
The Three Approaches to Web3 Identity
There isn't one "right" way to prove you're human. Different use cases need different tradeoffs between privacy, friction, and certainty. Here, "identity" does not mean a fixed real-world identity. It means the minimum signals needed to answer a specific coordination question.
1. Behavioral Signals (What You Do)
Analyze onchain activity patterns to distinguish real humans from coordinated farms.
How it works:
Machine learning models evaluate wallet transaction history
Patterns like transaction timing, gas usage, and interaction diversity indicate human vs. bot behavior
Multiple wallets showing identical behavior patterns get flagged as potential Sybils
Tradeoffs:
✅ Zero user friction: works in the background
✅ Privacy-preserving: no personal data required
❌ New users with minimal onchain history can't be verified
❌ Sophisticated attackers can mimic human patterns
When to use: Pre-filtering large wallet lists, passive screening, or as a first layer before requiring active verification.
Example: Human Passport's Model-Based Detection scores any EVM address for Sybil risk without requiring the user to do anything.
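As an added illustration of the signals just listed (not Human Passport's Model-Based Detection, whose model the article does not describe), the following Python groups wallets by a coarse behavioral fingerprint built from transaction timing, gas usage and interaction diversity, and sets aside wallets with too little history to judge. The transactions, the bucketing and the thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample transactions: (wallet, unix_time, gas_used, contract_tag).
# Wallets 0xA1-0xC3 act in lock-step a few seconds apart; 0xD4 looks organic;
# 0xE5 has only one transaction and therefore too little history to judge.
TXS = [
    ("0xA1", 1000, 21000, "dex"), ("0xA1", 1600, 21000, "dex"), ("0xA1", 2200, 21000, "dex"),
    ("0xB2", 1005, 21000, "dex"), ("0xB2", 1605, 21000, "dex"), ("0xB2", 2205, 21000, "dex"),
    ("0xC3", 1010, 21000, "dex"), ("0xC3", 1610, 21000, "dex"), ("0xC3", 2210, 21000, "dex"),
    ("0xD4", 900, 53000, "nft"), ("0xD4", 4100, 21000, "dex"), ("0xD4", 9000, 120000, "lend"),
    ("0xE5", 500, 21000, "dex"),
]

def fingerprint(history):
    """Reduce one wallet's history to the signals named in the article: timing
    between transactions, gas usage and interaction diversity. Values are
    bucketed (minutes, thousands of gas) so near-identical farms collide."""
    history = sorted(history, key=lambda t: t[1])
    gaps = [b[1] - a[1] for a, b in zip(history, history[1:])]
    avg_gap_min = round(mean(gaps) / 60) if gaps else 0
    avg_gas_k = round(mean(t[2] for t in history) / 1000)
    distinct_contracts = len({t[3] for t in history})
    return (avg_gap_min, avg_gas_k, distinct_contracts, len(history))

def flag_sybil_clusters(txs, min_cluster=2, min_history=2):
    """Group wallets by fingerprint. Returns (flagged, unscored): flagged maps a
    shared fingerprint to the wallets sharing it; unscored lists wallets with
    fewer than min_history transactions, which the article notes cannot be
    verified behaviorally and need another verification layer."""
    by_wallet = defaultdict(list)
    for tx in txs:
        by_wallet[tx[0]].append(tx)
    clusters, unscored = defaultdict(list), []
    for wallet, history in by_wallet.items():
        if len(history) < min_history:
            unscored.append(wallet)
            continue
        clusters[fingerprint(history)].append(wallet)
    flagged = {fp: sorted(ws) for fp, ws in clusters.items() if len(ws) >= min_cluster}
    return flagged, sorted(unscored)
```

A real model would use far more features and learned thresholds; the point here is that identical fingerprints across wallets, not any single wallet's behavior, are what get flagged.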
2. Activity-Based Credentials (What You've Proven)
Collect verifiable credentials from various platforms to build up a "humanity score."
How it works:
Users voluntarily connect accounts (social media, verified credentials, onchain activities)
Each verified activity earns a "Stamp" with a weight
Stamps are stored as verifiable credentials: proof that you completed the activity without revealing personal details
Projects set threshold scores (e.g., "need 20+ points to participate")
Tradeoffs:
✅ Highly flexible: users choose how to prove humanity
✅ Composable: stamps work across multiple apps
✅ Privacy-friendly: prove you did something without revealing who you are
❌ Requires user action and some friction
❌ Different stamps have different levels of Sybil resistance
When to use: Airdrops, governance, community access, any scenario where you need moderate-to-high confidence and can ask users to take a few verification steps.
Example: Human Passport's Stamp system lets users choose from 50+ verification methods across government ID, social accounts, web3 activity, and biometrics, combining whichever they're comfortable with.
3. Direct Identity Verification (Who You Actually Are)
Zero-knowledge proofs of real-world identity attributes without revealing the underlying data.
How it works:
KYC providers or government systems verify your identity
Zero-knowledge cryptography creates a proof (e.g., "this person passed KYC" or "this person is over 18")
The proof is verifiable onchain without exposing your name, ID number, or any personal details
Tradeoffs:
✅ Highest certainty: hardest for Sybils to fake
✅ Can prove compliance (sanctions screening, age, jurisdiction) privately
❌ Requires trusted verification partners
❌ Higher friction: users must complete KYC or ID verification
❌ Excludes people without government IDs or access to verification services
When to use: High-value scenarios (large airdrops, DeFi compliance, governance rights distribution), or when regulatory requirements demand it.
Example: Human ID enables phone verification, ID document checks, and sanctions screening ("Proof of Clean Hands") using zero-knowledge proofs: you prove compliance without exposing personal data.
The Privacy vs. Certainty Spectrum
Every identity solution sits somewhere on this spectrum:
More Privacy ←―――――――――――――――――――――→ More Certainty
Lower Friction ←―――――――――――――――――――――→ Higher Friction
[Behavioral ML] → [Activity Stamps] → [ZK Identity Verification]
The key insight: You don't need maximum certainty for every use case. Match your verification requirements to your risk tolerance.
Low risk (testnet faucet): Behavioral signals alone might suffice
Medium risk (community governance): Require a moderate Stamp score
High risk ($100M airdrop): Combine multiple methods: behavioral screening + Stamps + optional ZK verification for edge cases
How Human Passport Combines All Three
Rather than forcing a single approach, Human Passport offers a modular toolkit:
For users with zero friction:
Model-Based Detection runs in the background, scoring wallets based on onchain behavior
No action required, works immediately
For users who need to verify:
Stamps let you choose how to prove humanity: connect social accounts, verify onchain activity, complete biometrics, or pass a government ID check
Each stamp adds to your Unique Humanity Score
You choose what to share and build the score your way
For high-assurance cases:
Human ID (by human.tech) provides real-time phone/document verification with zero-knowledge proofs
Proof of Clean Hands checks sanctions lists without storing personal data
Compliance without surveillance
For builders:
Access all this via simple APIs or smart contracts
Set custom thresholds, create branded verification flows, or embed verification directly in your app
Combine methods based on your needs
Real-World Design Decisions
When implementing humanity verification, you'll face these practical questions:
What threshold should you set?
Too low: Sybils get through
Too high: You exclude legitimate new users
Best practice: Start with proven defaults (Human Passport uses 20+ for most cases), then adjust based on your community's feedback and attack patterns
Should verification be required or optional?
Required: Maximum protection, but you'll lose some users
Optional with incentives: Better for community buy-in ("verified users get 2x rewards")
Tiered access: Different features unlock at different verification levels
Onchain or offchain verification?
Offchain (API): Flexible, easy to update, works cross-chain
Onchain (smart contracts): Composable with other protocols, trustless verification, but less flexible
Many projects use both: check offchain for eligibility, then push proof onchain for distribution
How do you handle appeals?
False positives happen: real users may get flagged as Sybils
Build in an appeals process with human review for edge cases
Transparency about the criteria builds trust
The Five Properties of Good Identity
Based on years of defending Gitcoin Grants and securing $512M+ in capital flows, effective web3 identity systems share these characteristics:
Pluralistic – Multiple ways to prove humanity (not everyone has a government ID, smartphone, or extensive onchain history)
Minimal disclosure – Prove eligibility without revealing who you are (zero-knowledge proofs are key)
Reusable – Verify once, use everywhere (your Human Passport works across all integrated apps)
Composable – Identity fits into existing flows (APIs, smart contracts, embeddable components)
Adversarially designed – Built assuming attackers will try to game it (because they will)
What to Avoid: Common Anti-Patterns
❌ Single point of failure
Relying on one verification method means one exploit breaks everything. Worldcoin's iris scanning is powerful but creates a centralized chokepoint.
❌ Retroactive filtering without transparency
Surprising users with opaque exclusions after they've participated destroys trust. Publish eligibility criteria upfront.
❌ Identity as an afterthought
Trying to filter Sybils after your airdrop is announced is too late. Build verification into your design from day one for better results.
❌ Privacy theater
Claiming to be "privacy-preserving" while collecting unnecessary data. If you don't need the data, don't collect it: it becomes a liability.
Three Practical Examples
Example 1: Airdrop Protection
Goal: Distribute tokens to real community members, not farming operations
Approach:
Run Model-Based Detection on all eligible wallets (passive screening)
Flag wallets below a certainty threshold
Require flagged users to verify Stamps if they want to claim
Set claim threshold at 20+ Unique Humanity Score
Publish an appeals process for false positives, but be prepared to still reject some claims, as Sybils will try to fool you.
Result: Story Protocol protected $98M this way, filtering out industrial farms while maintaining high completion rates among real users. Tip: start verification early, at testnet, and continue through mainnet. That worked very well for Story.
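The stamp-weight scoring from the Activity-Based Credentials section, the threshold and tiered-access questions from Real-World Design Decisions, and the four-step airdrop pipeline above, worked through as an added Python example that is not Human Passport's own code. The stamp weights, the behavioral pass mark, the tier boundaries and the wallet list are constructed assumptions; only the 20+ claim threshold comes from the article.

```python
# Constructed stamp weights for the example; Human Passport's real weights differ.
STAMP_WEIGHTS = {"gov_id": 16.0, "biometrics": 10.0, "eth_activity": 5.0,
                 "github": 4.0, "discord": 2.0, "twitter": 2.0}
CLAIM_THRESHOLD = 20.0   # the article's "20+ Unique Humanity Score" claim gate
MBD_PASS = 0.7           # assumed behavioral certainty above which no Stamps are requested
# Constructed tiered-access boundaries: (minimum score, feature unlocked), highest first.
TIERS = [(30.0, "vote"), (20.0, "airdrop"), (10.0, "chat")]

def humanity_score(stamps, weights=STAMP_WEIGHTS):
    """Sum the weight of each distinct stamp type. Counting a type once blocks the
    obvious trick of presenting the same credential repeatedly; unknown stamp
    names contribute nothing rather than raising."""
    return sum(weights.get(s, 0.0) for s in set(stamps))

def access_tier(score):
    """Map a score to the highest feature tier it unlocks ('none' below 10)."""
    for minimum, tier in TIERS:
        if score >= minimum:
            return tier
    return "none"

def airdrop_decision(mbd_score, stamps):
    """Steps 1-4 of the airdrop example: passive screening first; wallets below
    the behavioral pass mark are flagged and must present Stamps; the claim
    then hinges on the 20+ threshold. 'below_threshold' is the state that
    feeds the published appeals process."""
    if mbd_score >= MBD_PASS:
        return "claim"
    if not stamps:
        return "needs_stamps"
    return "claim" if humanity_score(stamps) >= CLAIM_THRESHOLD else "below_threshold"

def run_pipeline(wallets):
    """wallets: {address: {"mbd": float, "stamps": [...]}} -> {address: decision}."""
    return {addr: airdrop_decision(w["mbd"], w["stamps"]) for addr, w in wallets.items()}

# Constructed wallet list: behavioral scores and the stamps each wallet presented.
WALLETS = {
    "0xF1": {"mbd": 0.92, "stamps": []},                        # passes passive screening
    "0xF2": {"mbd": 0.31, "stamps": []},                        # flagged, no stamps yet
    "0xF3": {"mbd": 0.28, "stamps": ["biometrics", "github", "github", "eth_activity"]},  # 19
    "0xF4": {"mbd": 0.15, "stamps": ["gov_id", "biometrics"]},  # 26
}
```

Wallet 0xF3 would reach 23 if the duplicate github stamp were counted twice, which is why deduplication by stamp type matters before comparing against the threshold.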
Example 2: L2 Governance Protection
Goal: Ensure Optimism's Citizens' House represents real humans, not Sybil attackers
Approach:
Required Human Passport verification for all 4,205 badgeholders
Verification integrated into governance participation flow
Badgeholders choose verification methods that fit their privacy preferences
Result: Optimism's retroactive public goods funding was protected from manipulation while maintaining decentralized governance principles
Example 3: Proof of Clean Hands
Goal: Distribute tokens compliantly, without collecting personal data
How Ika used it:
User connects wallet and checks airdrop eligibility
Eligible users verify via Human ID (ZK-based KYC + sanctions screening against OFAC, EU, FATF, Interpol, etc.)
Upon passing, user mints a Proof of Clean Hands SBT on Sui
User returns to Ika portal and claims airdrop; no personal data exposed
Result: Ika blocked sanctioned entities and restricted jurisdictions while preserving privacy for legitimate users. No honeypot or backdoor, just cryptographic compliance.
Where Identity Is Heading
Expect these trends over the next 6–12 months:
Embedded verification flows – Stamp collection integrated directly into apps, no redirects
Multi-layered strategies – Combining behavioral ML + Stamps + optional ZK verification (Human ID) based on risk level
Interoperable credentials – Your verified stamps work across ecosystems
AI agent identity – Distinguishing human users from autonomous agents (and verifying who an agent acts on behalf of) is an emerging challenge the industry is still solving
Regulatory convergence – EU Digital Identity Wallets and similar frameworks will set expectations for reusable, portable credentials
Getting Started: Next Steps by Role
If you're launching an airdrop:
Start with Human Passport's Model-Based Detection to pre-filter your wallet list
Set a Stamp threshold (20+ is standard), decide between Passport App or Embed
Publish the eligibility criteria before announcing the drop
Build an appeals process for edge cases
Request a Data Services analysis of existing wallet lists from different sources before distribution
If you're building a protocol:
Read the technical docs to understand integration options
Decide which verification tier fits your risk model
Consider embedding Stamps directly in your onboarding flow (Passport Embed is perfect for it) or use one of the community tools integrating Passport in the background
If you're designing governance:
Use Onchain Passport verification for trustless voting
Set different score thresholds for different governance actions
Make verification optional but incentivized to avoid excluding early community members
If you're evaluating solutions:
Human Passport is modular, meaning you can start with one tool and add others as you scale
Over 120 projects have integrated it across airdrops, grants, governance, and community tools
The same system defending Gitcoin Grants is available via simple APIs or directly through smart contracts
The Bottom Line
Identity in web3 isn't about KYC or surveillance. It's about answering one question at scale:
"Who is this system for?"
If the answer is "humans," then you need infrastructure to distinguish real participants from industrial farming operations and duplicate identities.
The good news: you can do this while preserving privacy, user choice, and decentralization. The tools exist. The tradeoffs are well understood. The question is whether you build identity into your product now, or retrofit it later after the Sybils show up.
Ready to build Sybil-resistant infrastructure?
The age of pretending wallets are people is ending. Identity is the new coordination primitive.