1.2 Why Identity Fails in Web2
Web2 identity is based on assertion, not proof.
The implicit contract is simple:
“I know the password, therefore I am the user.”
The system accepts this claim without verifying:
- Who controls the device the claim was made from
- Who holds a cryptographic key (in a pure password flow there is none on the user's side to check)
- Whether the action is one the user actually intended
This is equivalent to letting anyone who knows the right sentence walk into a locked building.
Why this model fails
Because the system cannot cryptographically distinguish who is making the claim, it:
- Breaks under phishing: the same string works wherever it is typed, so a fake login page collects it and the attacker replays it against the real site
- Breaks under SIM swaps: once an SMS code stands in as the second factor or the recovery path, whoever controls the phone number controls the account
- Breaks under database breaches: a leak from one site yields passwords reused on others, and weakly hashed ones are cracked offline
- Breaks under automation and AI-driven attacks: the check is a string comparison, so it costs the attacker the same at a million attempts as at one, and machine-generated lures only feed it more stolen strings
Security teams respond with:
- CAPTCHAs
- Risk scoring
- Behavioral analysis
- Manual review
These are probabilistic defenses, not guarantees: each estimates how likely a request is to be fraudulent, and none establishes who made it.
Identity must be proven, not asserted.
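To make the assertion/proof distinction concrete, here is an added example, written for this page and not taken from the original text or any project it describes. It runs the phishing case from the list above against both models: a password check that only tests knowledge of a string, and a login that requires a signature from a device-held key over a fresh server challenge. It goes one step beyond the section by also binding the signature to the origin the browser actually connected to, which is what defeats relay and replay. The secp256k1 constants are the public standard values; the curve arithmetic and the simplified Schnorr scheme are toy textbook implementations (not constant-time, not for production); the server class, the origins and the user "alice" are constructed.

```python
"""Assertion vs. proof side by side. Added illustration; toy Schnorr over secp256k1."""
import hashlib
import hmac
import secrets

# ---- assertion model: does the presented string match the stored secret? ----
def store_password(password: str):
    salt = secrets.token_bytes(16)                # server record: salt + slow hash
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login_with_password(record, presented: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)  # knowledge of the string is the whole check

# ---- proof model: signature by a device-held key over origin + fresh challenge ----
P_FIELD = 2**256 - 2**32 - 977                    # secp256k1 field prime (public standard value)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: illustration only)."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def _hash_to_scalar(*parts) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N_ORDER

def keygen():
    d = secrets.randbelow(N_ORDER - 1) + 1        # private key: never leaves the device
    return d, _mul(d, G)                          # public key: all the server ever stores

def sign(d, pub, msg: bytes):
    k = secrets.randbelow(N_ORDER - 1) + 1
    r_pt = _mul(k, G)
    e = _hash_to_scalar(_enc(r_pt), _enc(pub), msg)
    return r_pt, (k + e * d) % N_ORDER

def verify(pub, msg: bytes, sig) -> bool:
    r_pt, s = sig
    e = _hash_to_scalar(_enc(r_pt), _enc(pub), msg)
    return _mul(s, G) == _add(r_pt, _mul(e, pub))  # s*G == R + e*P

class ProofServer:
    """Constructed relying party: stores public keys and single-use challenges."""
    def __init__(self, origin: str):
        self.origin, self.users, self.pending = origin, {}, {}
    def register(self, user: str, pub):
        self.users[user] = pub
    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def login(self, user: str, sig) -> bool:
        c = self.pending.pop(user, None)          # consumed on first use: a replay finds nothing
        if c is None or user not in self.users: return False
        return verify(self.users[user], self.origin.encode() + c, sig)

def client_sign(d, pub, browser_origin: str, challenge: bytes):
    """The device signs the origin the browser really connected to, not what the page claims."""
    return sign(d, pub, browser_origin.encode() + challenge)

# ---- the phishing case from the text, run against both models ----
def phished_password_replays() -> bool:
    record = store_password("correct horse battery staple")
    captured = "correct horse battery staple"     # the victim typed it into a fake login page
    return login_with_password(record, captured)  # True: attacker and user are indistinguishable

def phished_signature_replays():
    d, pub = keygen()
    bank = ProofServer("https://bank.example")    # constructed origins and user
    bank.register("alice", pub)
    c = bank.challenge("alice")                   # attacker obtains a real challenge...
    sig = client_sign(d, pub, "https://bank-login.example", c)  # ...victim signs it on the fake origin
    relayed = bank.login("alice", sig)            # False: origin mismatch
    sig = client_sign(d, pub, "https://bank.example", bank.challenge("alice"))
    honest = bank.login("alice", sig)             # True
    replay = bank.login("alice", sig)             # False: challenge already consumed
    return relayed, honest, replay
```

Two things to notice. The password server has no way to reject the replayed string, because the string is the identity; the proof server rejects the relayed signature without any risk scoring, purely because the signed origin and the consumed challenge do not match. And a breach of `ProofServer.users` hands the attacker only public keys, so there is nothing in the database that can be replayed or cracked the way a leaked password hash can.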
