In June 2025 we published a survey on Tech Policy Press of seven national digital ID systems—examining India, Estonia, Singapore, Brazil, Nigeria, Japan, and Pakistan—to better understand the dynamics of nation state-issued digital ID systems as generative AI began to turn impersonation, document forgery, and synthetic persona creation into readily available, scalable capabilities. We examined these existing endeavors to understand what drives adoption, what facilitates trust, and how privacy and security trade off in practice as citizens decide (or in some cases, are compelled) to participate.

We learned that adoption is often driven by a sense of necessity, as digital IDs become necessary for essential services, and that promises of “decentralized” ID by some governments are often overstated rather than actual technological reality. We also found that the story isn’t purely technical: legitimacy and accountability—who controls data, who can access it, and what recourse exists when systems fail—shape whether people perceive IDs as infrastructure or coercion. We covered significant failures, from privacy violations to aging causing issues with biometric verification. Estonia was one of the few countries we looked at that built meaningful auditability into the system: citizens can view data-access logs via a “data tracker” tool that shows who accessed their personal data, when, and for what purpose.

Since we published that article, frontier models have continued to improve, and ‘agentic’ workflows have moved into wider circulation. People are experimenting with Claude’s coding and co-work tools, browser agents like OpenAI’s Operator, and open-source assistants like Moltbot (formerly Clawdbot, now OpenClaw). The predicted future of bots operating on behalf of humans is no longer a consultant’s forecast; it’s beginning to be realized. The threat model that many longtime digital identity researchers articulated, which inspired our survey of national ID systems last year, is being realized.

Identity checks used to be primarily executed with the goal of keeping bad actors out of your accounts. Now they’re about distinguishing not only a specific person from identity imposters, and legitimate credentials from forgeries, but human from bot writ large. There have been demonstrable cases in which AI-generated comment floods, some in the tens of thousands, have been used to manipulate public opinion and sway local governance decisions. The need for better tools, and the rise in fraud and manipulation, has led governments, platforms, and service providers to evaluate new means of verifying aspects of humanness. Alongside this, there are increasing calls, globally, to age-gate the web to keep children from encountering harmful content, which carry serious privacy and surveillance implications for adults as well; in some regions these calls have become law, requiring platforms to find means of compliance.

To better understand these dynamics, we undertook a survey of private digital identity issuers positioning themselves as credentialing solutions. This emerging sector spans everything from age assurance providers to proof-of-personhood systems aimed at filtering out bots and deepfake fraud. These companies are usually not directly connected to any state authority—which, for the majority who don’t trust government(s), is a point in their favor. However, private sector solutions come with trade-offs: any given provider’s product may not be widely accepted or adopted, resulting in a patchwork system in which users must maintain identities with multiple providers. This potentially compounds privacy and security risks. Providers may be less secure. They may become economically unviable, requiring users to scramble to find alternate solutions. Some leverage biometrics in a space that currently has unclear oversight. The private market also doesn’t always eliminate the involvement of national ID systems; several of the providers we examined leverage government ID when issuing their credentials.

But there are several forces converging that may result in private credentials gaining traction: fraud pressure from the emerging AI ecosystem; demand for privacy-protecting disclosure online (for example, minimizing revealed personal information in response to age gating laws); and loss of trust in government that lets these companies market themselves as neutral utilities (“we’ll verify you without the state”). Thus, it’s worth understanding the technology underpinning these companies’ offerings, and the governance and accountability structures they might be subject to.

This survey examines companies we identify as key participants in the “personhood credential” space—systems that help users demonstrate that they are a real person. Specifically, we examined established companies or projects that (a) issue a reusable credential or wallet-based identity a user can present repeatedly (rather than a one-off “is this ID real?” check), (b) position themselves as infrastructure for platforms, governments, or regulated sectors (not just a single app), and (c) represent distinct architectural approaches—centralized verification, wallet/SSI-style storage, and proof-of-personhood models.

The technological underpinnings

We were particularly interested in services that purport to offer verifiable credentials while protecting user privacy, especially via “decentralized identifiers” (DIDs)—identifiers end users control with cryptographic keys. A DID is a globally unique, cryptographically verifiable ID number that you create and fully control, rather than one assigned and owned by a platform, government, or company. It's like a self-owned digital passport number: anyone can look up neutral public metadata (such as verification keys) that lets services confirm a credential is genuine and belongs to you, but which reveals no personal information. To use a specific example that is increasingly relevant in the online world: Suppose you want to prove you're over 21 to a website without showing your full ID. You share a digital credential (like a verifiable "over-21 proof") that's signed with your private key. The website looks up your DID, gets your public key from the public metadata, and then uses that key to check the signature on the credential. If it matches, they know the credential is real, and that it really belongs to the person who controls the DID because only you have the private key that could sign it—and no central company or government needs to broker the interaction.

Building on this is a technique known as a “zero-knowledge proof” (ZKP) that allows someone to prove a statement is true without revealing the information that would usually be exposed in the act of proving it. For example, a user could show that they are over 21 without showing their whole driver’s license or revealing their birthday. Thanks to more powerful smartphones, ZKP computations are now feasible directly on mobile devices—which is why they're increasingly appearing in private digital ID systems. However it’s important to note that ZKPs can reduce unnecessary data disclosure, but they don’t erase the need to trust the underlying issuance process—or to have mechanisms for revocation, dispute, and redress when a credential is wrong or compromised.

Finally, we were interested in the nascent market in self-sovereign identity (SSI) providers—often idealized as a user-centric mechanism where individuals receive and control their own credentials in a local wallet, without a centralized ID provider mediating the interaction. In the best case, verifiers learn only what they need, and no single intermediary can observe or track every transaction. However, in practice, SSI faces significant operational challenges: it assumes a level of user sophistication and digital literacy that not everyone possesses; it has serious issues with recovery if a device is lost or keys are compromised (with workarounds often reducing true self-sovereignty); and most critically, it comes with legitimacy challenges. A wallet full of credentials is only useful if relying parties like banks, employers, or platforms accept the issuers and their verification processes as legitimate and trustworthy, and if there are credible, standardized paths to correct errors, revoke credentials, or appeal adverse decisions. These hurdles help explain why many private providers adopt blended or hybrid approaches rather than pure SSI.

Different providers are tackling these questions of trustworthiness and legitimacy in entirely distinct ways. Should trust live in a centralized verifier; in a wallet the user controls; in biometric “uniqueness” checks; or in an assurance score tuned to the risk tolerance of the relying party? The profiles below are not exhaustive, but they span the major design choices—and make the trade-offs visible.

As we analyzed the market we grouped providers into three buckets:

• Decentralized leaning, where credentials were designed to be held and presented by the user (often via a wallet), sometimes with privacy preserving features like selective disclosure or ZKP;
• Centralized, where verification and credentialing are run through vendor-operated service and databases and the vendor brokers trust between the user and counterparties; and
• Blended hybrid approaches. These buckets reflect the dominant trust model, not a pure architecture—many “decentralized” systems still have chokepoints (proprietary onboarding, vendor infrastructure, governance control), and many “centralized” systems add wallet layers for reuse.

Within each profile, we discuss the architecture, the inputs used to deliver the credential, where trust concentrates, privacy trade-offs, business model and funding information (where available), and governance/oversight information to the best of our ability (recognizing that these are private companies, and public detail is limited).

Decentralized

WorldID

World, co-founded by OpenAI’s Sam Altman and Alex Blania through their company Tools for Humanity, offers a digital identification system called WorldID that uses zero knowledge proofs (ZKP) and off-chain biometric identity verification. WorldID collects iris scans through proprietary hardware, known as “The Orb,” in order to verify user identity and “liveness,” on the premise that the “high entropy”, or randomness, of iris scans provides more privacy than traditional biometric data, such as fingerprint scans or facial recognition. This biometric data is used to generate a one-way hash, and then the raw image of the iris is purportedly deleted from the Orb device post-processing. This unique encryption code is decentralized and stored off-chain.

WorldID is part of the larger World ecosystem effort. The company says it is attempting to build “the largest human network to improve both trust online and access to the global economy in the age of AI.” Successfully verified WorldID users are given a free allocation of WorldCoin, a digital token that “functions according to the rules created by the World Network community.”

While there are no government or other identification documents required to create a WorldID—identity verification is done exclusively through The Orb’s iris scan—users can add NFC-enabled passports and other government IDs to their WorldID as additional “WorldID credentials.”

By the end of 2025, WorldID reported that it had grown to “nearly 38 million users, with 17,827,388 verified humans spanning six continents.” WorldID primarily markets itself as a means of proving liveness and identity online. For example, WorldID offers integrations with third party platforms such as Discord and Reddit, allowing for more accurate human verification and prevention of bot activity. Similarly, dating apps such as Tinder have begun using WorldID in an effort to prevent bots on their app. WorldID has expressed interest in pursuing state-level applications such as benefit transfers, official government-backed identifications, as well as incorporation into financial services, but it remains unclear how much progress has been made towards these goals.

Some countries—such as Thailand, Kenya, and the Philippines—have disputed WorldID’s claims that it actually deletes biometric data, or have prohibited the identification’s rollout out of privacy concerns. Most recently, Colombia ordered an “immediate and permanent closure” of WorldID in the country due to violations of the country’s data protection laws.

Humanity Protocol

Humanity Protocol, a Hong Kong-based company founded by Terence Kwok, is a digital identification system that uses zero knowledge proofs and off-chain biometric identity verification. Humanity Protocol operates as a “permissionless, Ethereum Virtual Machine (EVM)-compatible blockchain,” which allows any entity to create a wallet through the platform. EVM-compatible blockchain technology allows for the use of Ethereum-based tokens and interoperability within the Ethereum Ecosystem. Humanity Protocol goes through a two phase biometric checks for liveness detection: first, users must engage in a “Palm Print Recognition” process (which can be done on their phone), and then subsequently must complete “Palm Vein Recognition,” which requires special external hardware (i.e., an infrared camera). While Humanity Protocol does not explicitly delete biometric data post liveness verification, the biometric collection and verification process are done locally on device and the proofs are decentralized.

No physical documents (government or otherwise) are required to complete the identity verification process with Humanity Protocol. The digital ID is not currently partnered with any official government IDs, nor can you "digitize" or link your physical government ID with it. The company has begun a partnership with Mastercard, which allows users who link their Humanity Protocol ID and Mastercard accounts to “carry their verified identity and financial credentials across banks, blockchains, and DeFi platforms, unlocking credit, loans, and real-world financial services securely and compliantly.” Outside of banking, Humanity Protocol primarily markets itself as a bot-prevention tool, since users can use their verifiable credentials (VCs) in order to prove their uniqueness online.

Humanity Protocol has self-reported that over 8 million Human IDs have been created—however, the accuracy of this number is disputed. In leaked audio from June 2025, Kwok admitted that, “in terms of Human IDs, there were nine million created, but there were actually quite a lot that were bots… the number of people who were actually verified I think it’s approaching a million.” This would mean that nearly 88% of the Humanity Protocol network could be bots. In a statement made to DL News in response to the leaked conversation, Kwok stated that “not all Human IDs have completed biometric or social verification, and confirmed that just under one million were verifiably human.”

Proof of Humanity

Proof of Humanity (PoH) is a decentralized Ethereum-based digital ID registry built by the company Kleros. The company says its goal is to engineer “a system designed to create a trusted list of humans, verified by a decentralized community.” Unlike other market-available forms of digital personhood credentials, PoH relies on social verification via video submissions to create a “sybil-resistant registry of humans.” Users are required to submit an image and video of themselves, which then puts their credentials in a “vouching” phase – a current validated user must “vouch” for their liveliness based on provided credentials before their PoH ID is included in their registry of verified humans. Due to the vouching structure, there are initial concerns about biometric privacy, since user videos and images must be publicly uploaded in order to join the platform (i.e., no zero-knowledge proofs). The most recent version of PoH, “Proof of Humanity 2.0” introduced ‘soulbound IDs’ and multi-chain expansion. Soulbound IDs are “unique, non-transferable identifiers that link each human to a single ID”, allowing for users to recover their ID even if they lose access to their initial wallet. Multi-chain expansion allows for the PoH ID to work across “multiple chains,” allowing for increased interoperability of the ID.

The company’s registry of humans is still fairly small, with most recent reports indicating that just “over 20,000 humans have registered on the platform.” Kleros highlights many potential use cases for PoH, including online governance, UBI distribution, and decentralized social media platforms, though it is not clear if any practical applications of these potential examples have occurred yet, especially given how the credential is still largely dependent on the Web3 ecosystem. While the entirety of PoH’s funding is not known, they have disclosed taking grants from Gitcoin and Kleros. Primary concerns around PoH remain around the privacy and security implications of the social vouching process, especially in response to the potential submission of deepfakes to bypass these checks.

iDen2

iDen2 is a US-based decentralized digital identity system founded by Alfy Louis in 2022. The company says it creates decentralized Self Sovereign Identities (SSIs) that store encrypted user data locally on devices. In order to verify user identity and ensure a liveness check, iDen2 requires users to upload scans of a government ID and a selfie. The company performs document and selfie checks, then creates biometric profiles based on the images provided. If the images match, a unique ID is generated and associated with your account. This self-sovereign ID is stored locally, differentiating iDen2 from centralized verifiers. When users present a verified credential created through iDen2, it can be cryptographically checked to ensure that it was issued correctly and has not been altered.

iDen2 has self-reported having 800,000 digital identity holders through its platform, and states that 300 issuing agencies and 400 verifying agencies are using its product. iDen2 is used to verify identity and liveness by various state government agencies, such as the California Department of Health and the Maryland Department of Health and private entities such as United Healthcare and Rite Aid. In August 2025, iDen2 and Bhutan announced the launch of “Phenix,” a universal digital identity platform specifically designed for governments and enterprises. The partnership plans to combine iDen2’s technology and Bhutan’s experience with national digital identity roll out to “democratize digital identity deployment for nations worldwide.” There is no public timeline for a wider-scale public rollout of Phenix, but according to Louis, the Bhutan National Digital Identity has been deployed across 148 use cases as of April 2026. Outside of this, iDen2 has reported working alongside Sierra Leone and other African countries on using their technology to expand voting capabilities.

BrightID

BrightID is a social identity network that utilizes social graphing to ensure unique identity in digital environments without jeopardizing privacy. Users are tasked with creating their own “social graphs,” which requires them to make an account through the BrightID app and connect with other users, which is then represented to the network as an anonymized social graph. Users then receive verification “badges” based on a verification protocol analysis of their graph—currently, there are two active forms of verification, “Meets” and “Bitu.” The “Meets” verification is BrightID’s most basic verification protocol, which requires users to join a Zoom meeting with a verified “host” who can confirm that the user is a real person. “Bitu” verification relies on a user’s position within the social graph, which scores users based on their closeness to already known users. Beyond these verification protocols, users must also join at least one “group” of verified users on the platform, with some applications requiring users to join more in order to better verify liveness.

Across both protocols, the graph contains cryptographically signed keys – owned by individual users—resulting in the creation of a Self-Sovereign Identity. While the social graph and ID are decentralized, they are kept in sync through use of, ID Chain, an Ethereum-based proof of authority blockchain network. BrightID does not use biometric or facial recognition technology, and instead relies on “trusted relationships between people” in order to verify its users. Bright ID is an open source tool that is embedded into applications that would like to use it to verify the unique identity of their users. It is currently integrated into 15 apps, the largest of which being Gitcoin with 32,447 verified BrightID users as of February 2026.

Centralized

These ID providers primarily store credentials and run verification centrally.

ID.me

ID.me is a US-based digital identity verification company founded by Blake Hall, a veteran who created the platform due to difficulties securing a military discount. Rather than creating a self-sovereign or cryptographic identity credential, ID.me operates as a centralized identity and document verification tool that shares requested attributes (i.e. age, name) with the third party requesting the information. To verify liveness and identity, users must provide scans of a government issued ID (such as a passport or driver’s license) and provide a video or photo of their face to be biometrically matched to the provided documents. While ID.me stores all of this data (i.e. ID scans, biometrics) in a centralized database—it is federated, not decentralized—it only shares the “requested” information with the third party using it (such as the user's date of birth or legal name).

ID.me has been widely adopted for identity verification, particularly across federal and state governments. According to the company, over 157 million users have used ID.me across “21 federal agencies such as the Social Security Administration (SSA) and Department of Veterans Affairs (VA), as well as 50 state agencies and over 600 private sector entities,” including the Internal Revenue Service (IRS). The firm is also positioning itself to be a part of the US government’s efforts to build a “one stop national health data platform.” ID.me is also widely used across the private sector to verify discount eligibility (for groups such as veterans, students, and educators), partnering with over 5,000 stores, including Apple, Walmart, and Amazon. The company rolled out a “digital wallet” last year, which allows users to reuse their ID.me digital ID with various public and private sector organizations (instead of having to reverify for every use). As of April 2025, ID.me reported that 70 million people have used ID.me’s wallet to securely sign in and prove their identity online. As of September 2025, ID.me said it had raised $340 million in its latest funding round, valuing the digital identity wallet at over $2 billion.

Yoti

Founded in the United Kingdom by Robin Tombs, Yoti is a widely-used identity and document verification platform that additionally offers reusable digital wallets under user control. Yoti requires the submission of a government issued identification and a selfie in order to biometrically match a user’s identity and ensure liveness. Yoti has a “suite of business solutions” that dictate the way that this information is used, depending on the context and requirements of the verifying identity. Yoti is increasingly used to verify user age and identity (i.e., on social media platforms); this can also be done through privacy-preserving “age estimation processes” which provides the verifying entity an estimate of the user age based on a selfie provided without government identification and makes no effort to identify the user (if the estimation concludes the user is under the specified age, they would then have to upload government ID to dispute and/or complete the identity verification process). In addition to platform level age-verification and age-assurance, Yoti has launched a “Digital ID wallet,” which allows users to store their government ID locally and encrypted on device (and subsequently reuse the ID without having to go through the verification process every time). Once a user's identity and documents are verified by Yoti, their Digital ID is created. Users can share their Digital ID by scanning a QR code or using Yoti’s app to share the information requested by the verifying authority.

Yoti is widely used by major platforms such as Meta, Instagram, Epic Games, and Spotify for age assurance and verification compliance. In 2025, the company reported a 62% year-on-year growth in revenue, with cumulative downloads of its digital ID wallet surpassing 21.5 million by the end of the year (with the majority of downloads coming from users in the UK). Yoti has also been a key player in the United Kingdom’s efforts to ensure age verification across social media platforms and implement digital identities at the state level. The company reported that by the end of 2025, over 7.3 million digital ID wallet downloads were made in the UK, allowing users in the country to more easily access post office and banking services within the country. A 2025 Age Assurance Technology Study funded by the Australian government found that Yoti passed benchmarks in age and identity verification accuracy, as well as compliance with privacy standards. The company has been used by several platforms—such as Facebook and TikTok—to enforce and pilot social media bans for minors in Australia and the EU.

Jumio

Jumio is a US-based identity verification company that uses biometric and document verification. To verify user identity, Jumio requires users to upload a government ID, as well as undergo a selfie and AI "liveness check.” Jumio uses its own in-house liveness detection technology with “patented active illumination,” which they claim offers increased protection against deepfakes and injection attacks. As part of their liveness detection process, Jumio calculates the perceived “fraud risk” of the user undergoing liveness detection and identity verification, and either approves or rejects their identity transaction based on the risk tolerances set by the client. In October 2025, Jumio launched selfie.DONE, which utilizes the “Jumio Identity Graph” for users to reverify their identity without re-uploading their identity documents. The Jumio Identity Graph can recognize and re-verify users instantly through requesting they upload a selfie, and then matching the photo against all pre-existing selfies used in previous identity verifications conducted by the company.

According to the company’s website, Jumio has over processed over 1 billion transactions, and supports over 5,000 global ID types in 200 countries. It is used for identity verification by companies such as AirBnB, United Airlines, and Uber. Jumio and FaceTec—another biometric facial recognition company—are currently embroiled in a legal battle over the IP rights of Jumio’s facial recognition and liveness technology.

Clear

Clear is a US-based identity verification company that is primarily used at airports and event spaces (i.e., concert halls and sports venues). It verifies user identity by requiring users to upload a government ID when registering, as well as biometric data such as a fingerprint or iris scan. Once registered, users are able to provide their biometric identification at “checkpoints” instead of providing their government identification. For example, people who have registered with Clear can provide a fingerprint or iris scan at participating airports and skip checking their identification with TSA (though they still must go through security). To use Clear, users must pay upwards of $200 annually. This is a different model than most other digital identity companies, since Clear is most commonly seen as an optional, ease of access tool (compared to being necessary to access services).

While Clear is primarily used at airports, some arenas are allowing it to expedite ticket checking processes. As of early 2025, more than 25 million people have used Clear (including 7.7M active CLEAR+ members) to verify their identity, and it is available for use at 74 airports and 19 venues. In August 2025, the company announced revenues of $219.5 million, an increase of 17.5%.

Blended

Idemia

Idemia is a France-based identity and document verification company that operates by providing its clients a “level of assurance” about the user they are connecting with. To verify user identity, Idemia goes through a several-step process beginning with identifying document verification and liveness detection via face authentication and liveness detection. Idemia offers two forms of liveness detection: active liveness, which requires users to conduct a series of random actions (such as nodding) on video, or passive liveness, which requires submission of a selfie. After users upload ID documentation and conduct one of the liveness checks, Idemia then attempts to contact the issuing agency of the ID in order to verify that the user’s details provided to Idemia is in line with the information the issuing agency has on file. Users then receive a “level of assurance” (LoA). There are five LOAs, starting with “LoA0,” which means the user’s identity is a self-assertion with no assurance that the identity is verified, to “LoA4 or higher,” which “reduces the risk of sophisticated fraud requiring substantial level of identity theft expertise.” All user data is stored in an “identity proof file” that contains all of the evidence submitted and collected (biometric results, results of checks completed on submitted documents) in the verification process, which can be downloaded by the relying service. This process offers the ability to store verified IDs in the Idemia “digital wallet.”

Currently, Idemia’s digital wallet is accepted as a valid form of identity at “multiple TSA airport security checkpoints, as well as for roadside stops, and for age verification for age-restricted purchases in some States.” The company is also consulting on several government efforts to build its own state-level digital identity, including the EU Digital Identity Wallet and Colombia’s national digital transformation plan. Idemia’s public security arm has also signed a “strategic cooperation agreement” with SAMI Advanced Electronics, a regional leader in Saudi Arabia’s electronics industry. It is not clear what current adoption rates for Idemia are, but it reported €2.8 billion in revenue in 2024.

Conclusion

There is also a distinct web-3 native personhood credential ecosystem that is emerging, but we have not delved as deeply into it here because many of the projects are smaller and use cases have primarily focused on crypto-specific issues to date. Projects like Human Passport (formerly Gitcoin Passport) and Fractal ID have been built around preventing one actor from showing up as thousands of “users” to farm airdrops, manipulate votes, or overwhelm communities. They sometimes use social-graph verification or involve privacy-preserving proofs, so that applications can gate participation without requiring full legal identity.

Adjacent to that, a different set of companies, such as Persona, are emerging to handle compliance with age verification and other specific commercial contexts. That emerging ecosystem matters quite a bit for understanding the future of privacy online, but those companies are solving the problem by streamlining onboarding and compliance rather than proving uniqueness or creating persistent credentials. (There is a Gartner Magic Quadrant that has tracked the growth of the “ID verification” market.) Social media users who are engaging with tools like Persona express concerns about surveillance; distrust is prevalent and people are deeply concerned about privacy.

Nevertheless, identity is becoming infrastructure. The hardest questions are not purely technical; they’re those that relate to legitimacy, auditability, and appropriate tradeoffs between minimizing the rise in fraud, creating infrastructure for agentic autonomy, and protecting privacy and expression.