# 1.2 Why Identity Fails in Web2

Web2 identity is based on **assertion**, not proof.

The implicit contract is simple:

> “I know the password, therefore I am the user.”

The system accepts this claim without verifying:

* Who controls the device
* Who controls the cryptographic key
* Whether the intent is legitimate

This is equivalent to letting anyone who knows the right sentence walk into a locked building.

#### Why this model fails

Because the system cannot cryptographically distinguish *who* is making the claim, it:

* Breaks under phishing
* Breaks under SIM swaps
* Breaks under database breaches
* Breaks under automation and AI-driven attacks

Security teams respond with:

* CAPTCHAs
* Risk scoring
* Behavioral analysis
* Manual review

These are **probabilistic defenses**, not guarantees.

> Identity must be **proven**, not asserted.

<figure><img src="/files/PmfY5oBwQjh2rccoR2CS" alt=""><figcaption></figcaption></figure>
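
To make the assertion/proof distinction concrete, here is an added example (not part of the original documentation) that contrasts a password check with a signed challenge-response in Node.js. Ed25519, the challenge format, the function names, the password and the origin are all assumptions chosen for illustration, not a scheme this page specifies.

```javascript
// Added example: all names, the password and the origin are constructed.
const crypto = require("node:crypto");

// Web2 model: the server keeps a salted password hash, and the login
// message is the secret itself.
const salt = crypto.randomBytes(16);
const hashPassword = (pw) => crypto.scryptSync(pw, salt, 32);
const storedHash = hashPassword("correct horse battery staple");

function passwordLogin(submitted) {
  // True for anyone who presents the right string, from any device.
  return crypto.timingSafeEqual(hashPassword(submitted), storedHash);
}

// Proof model (assumed here: Ed25519). The private key stays on the
// user's device; the server keeps only the public key.
const userKeys = crypto.generateKeyPairSync("ed25519");
const registeredPublicKey = userKeys.publicKey;

function newChallenge(origin) {
  // A fresh nonce per login attempt; the origin ties the proof to one site.
  const nonce = crypto.randomBytes(16).toString("hex");
  return Buffer.from(JSON.stringify({ origin, nonce }));
}

const signChallenge = (challenge, privateKey) =>
  crypto.sign(null, challenge, privateKey);

const verifyProof = (challenge, signature) =>
  crypto.verify(null, challenge, registeredPublicKey, signature);

function compareModels() {
  const secret = "correct horse battery staple";
  const first = newChallenge("https://app.example");
  const proof = signChallenge(first, userKeys.privateKey);
  const second = newChallenge("https://app.example");
  const otherKeys = crypto.generateKeyPairSync("ed25519");
  return {
    passwordFirstUse: passwordLogin(secret),
    passwordReused: passwordLogin(secret), // same string, still accepted
    proofFirstUse: verifyProof(first, proof),
    proofReused: verifyProof(second, proof), // old signature, new nonce
    proofWrongKey: verifyProof(second, signChallenge(second, otherKeys.privateKey)),
  };
}

console.log(compareModels());
```

The server in this sketch verifies each signature only against the challenge it has just issued. A production verifier must also discard every challenge after one use and check the `origin` field inside it.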


