Web2 identity is based on assertion, not proof.
The implicit contract is simple:
“I know the password, therefore I am the user.”
The system accepts this claim without verifying:
- Who controls the device
- Who controls the cryptographic key
- Whether the intent is legitimate
This is equivalent to letting anyone who knows the right sentence walk into a locked building.
Because the system cannot cryptographically distinguish who is making the claim, it:
- Breaks under phishing
- Breaks under SIM swaps
- Breaks under database breaches
- Breaks under automation and AI-driven attacks
Security teams respond with:
- CAPTCHAs
- Risk scoring
- Behavioral analysis
- Manual review
These are probabilistic defenses, not guarantees.
Identity must be proven, not asserted.
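To make the assertion-versus-proof distinction concrete, here is an added Go example (not code from this page or the project it describes) that puts the two models side by side. The assertion model is a password check: the server holds the secret, and anyone who presents it, from any device and any origin, is accepted, so a phished or breached copy is as good as the original. The proof model is a challenge-response login over Ed25519: the server stores only a public key, issues a random single-use nonce bound to its own origin, and accepts a login only when that exact nonce is signed by the matching private key. The origin string, user name and key handling are constructed for the example; a real deployment would also expire unused challenges and bind the key to the device with hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assertion (the Web2 model): the server holds the secret itself, so a copy
// taken by phishing or a database dump logs in from anywhere.
func AssertedLogin(stored map[string]string, user, password string) bool {
	secret, ok := stored[user]
	return ok && subtle.ConstantTimeCompare([]byte(secret), []byte(password)) == 1
}

// Proof: the server keeps public keys and single-use challenges only.
// Dumping this state gives an attacker nothing that can be replayed.
type Server struct {
	origin     string                       // origin responses must be bound to
	pubKeys    map[string]ed25519.PublicKey // user -> registered public key
	challenges map[string]string            // hex(nonce) -> user; deleted on use
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// IssueChallenge hands out a fresh random nonce that is valid exactly once.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// signedMessage binds the nonce to an origin, so a signature produced for a
// look-alike site does not verify at the genuine one.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Verify consumes the challenge (so a replay fails) and checks that the
// response was signed by the key registered for the user.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if s.challenges[key] != user {
		return errors.New("challenge unknown, expired or already used")
	}
	delete(s.challenges, key)
	if !ed25519.Verify(s.pubKeys[user], signedMessage(s.origin, nonce), sig) {
		return errors.New("signature does not prove control of the registered key")
	}
	return nil
}

// Device models the user's authenticator: the private key never leaves it,
// and it signs for the origin it is actually talking to.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

func (d *Device) Respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, nonce))
}

func main() {
	srv := NewServer("https://accounts.example") // constructed origin for the example
	dev, _ := NewDevice()
	srv.Register("alice", dev.PublicKey())

	nonce, _ := srv.IssueChallenge("alice")
	sig := dev.Respond("https://accounts.example", nonce)
	fmt.Println("genuine login:", srv.Verify("alice", nonce, sig))
	fmt.Println("replayed response:", srv.Verify("alice", nonce, sig))
	nonce2, _ := srv.IssueChallenge("alice")
	phished := dev.Respond("https://accounts-example.test", nonce2) // signed for a look-alike origin
	fmt.Println("phished response:", srv.Verify("alice", nonce2, phished))
}
```

Run as written, the genuine login verifies, the replayed response is rejected because the nonce was consumed, and the response signed for the look-alike origin is rejected because the message the server verifies against carries its own origin. Nothing in the server's state (public keys, pending nonces) lets a party who copies it produce a valid response; that is the property the password table cannot offer.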