Actually get 'verified' ☑️ - Decentralized Identity Proofs

How do we protect ourselves against being fooled by fake online social media accounts and conversely prove to the others that our account is the real deal?

Twitters rather limited solution is simply to make users buy a blue tick next to their name. Does having a blue verified badge next your name on a siloed platform seriously mean you are the real deal?  Given that anyone can get a badge just by buying it makes it a pretty weak way to verify.

On top of that, just because someones Twitter is verified, how do we additionally know their other true accounts that belong to the same person elsewhere?  YouTube, Reddit, website, email, Telegram etc.  YouTube and others have their own separate verification.  Who knows how many other siloed services will want you to pay to get weak verification by a centralized authority.  Not to mention that it is hard to create a private "avatar" identity, as some platforms will ask for a lot of information including a phone number and billing info, and the platform can take away verification any time.

Ultimately a more powerful approach is a Decentralized Identity Proof

And we can make it proven using cryptography (and no, we DO NOT need any "blockchain" or "Web3/4/5/6" to achieve any this either!)

Based on the same old tech that has existed for decades (OpenPGP public/private key encryption 🔐), there are ways you can create a verified online identity, proven beyond doubt - including the option to be either under your real name OR a privacy-preserving avatar of your creation.

DIY Profile website

Lets start with a simple but less trustworthy method which doesn't actually need any cryptography: build your own website and post your profile there, with the links to all your siloed accounts.  Basically like posting a bunch of social badges on your website - much like what I do at the top bar of this website (just for convenience, but not real proof as we will see later).

Here is one example of a person called 'Chuso' who posts their account links on their own dedicated profile page:

This is nice, but is this completely trustworthy?  Technically, anyone could create their own website, and post links to anyone's various siloed accounts and fraudulently claim them for their own! Is there a way to verify ownership of the accounts listed in this page?

Keybase

One way to have a profile page that is truly verified beyond doubt, is to use cryptographic identity proofs.  This involves generating private and public keys, and then using the public key to prove that a certain account, email address, website etc belongs to the same person.  One of the easiest ways for anyone to do this is to create a free profile on Keybase and then link all of your siloed accounts from there.  Keybase has ways to verify ownership of many types of accounts using your key.

Luckily 'Chuso' also has a Keybase account, so we can go there and verify whether the same person actually owns all the accounts that they have listed on their self-made profile website:

Again, this verification is done using cryptographic keys, NOT by paying someone money!  So it is more trustworthy, meaningful and cannot be easily taken away (well.. as long as you obey Keybase T&C).

Keybase is a very friendly way to create a proven online profile, with additional features for securely messaging and collaborating.  However it is still a for-profit central authority and Keybase are likely building some kind of database of user activity, or finding some other way to make money out of this which you might not like.  In fact, Keybase is now owned by the public company Zoom 🚨.  There are indeed rumors that the Keybase team was "aquihired" by Zoom to help them with their security fiasco at the time, and there might not even be much future development of Keybase.  Additionally, the server side of Keybase is not open source, so cannot be completely trusted nor verified publicly (though its client apps are open source).

Keyoxide - Decentralized option

Keyoxide is an alternative to Keybase.  It is a bit more difficult to initially set up, requiring use of terminal commands 🤓. It is also self-custodial, completely open source and has the option to be decentralized, since anyone can host their own instance.  The most common instance you can use is keyoxide.org official.

The beauty of Keyoxide is that you own your own identity and can take it anywhere.  You can tie your identity to an email address and/or a public key fingerprint.  It is self-custodial so the private key is generated on your computer and stays on you computer (remember to back it up! > /home/username/.gnupg/), and is locally encrypted by a password (don't forget this password!), and you should never let anyone see your private key (keep it encrypted and don't upload anywhere, not even to Keyoxide!).  Even though it is self-custodial, worst case if you lose your private key files or password, you will just need to generate new ones and link up all your accounts and sites all over again.

Here is our friend Chuso again, who also has posted their same public key and a long list of proven accounts on Keyoxide 😎:

Only the bearer of the secret private key that matches the public key listed on the page will be able to update data on this page, and verify accounts against it - this is crytpographically guaranteed... not centrally dictated based on whether someone paid money.

I like how each verified account can be clicked on and details of how the account has been proven can be examined ☑️.  It is also possible to encrypt a message to send to this person, which only they can decrypt using their private key - though slightly less user friendly than Keybase DM's.  Additionally a cryptographically signed message that the person sent you can be verified using the Verify Signature button.  All of this without relying on a trusted central authority (though here we are still technically using one for convenience instead of self-hosting) nor custody.  Personally I went with Keyoxide as my preferred online identity proof as I am experienced enough to set it up.  If you click the verification icon at the top right of this page, you can see my keyoxide verified page.

How do you get started with Keyoxide?

The official website is not totally helpful to a newbie, though the docs are quite good and detailed for a more technical or patient person . I would recommend the simplest way to get into it is to use keyoxidizer, which is a wizard script for Unix systems that will securely create your private/public keys, and then walk you through getting all your accounts verified.  You can also use it to manage everything in the future by simply running the script again with your email address and password.  Once you have created the keys and uploaded, you can view or share your personal Keyoxide page by going to https://keyoxide.org/[your email address]. All of your verified accounts will be publicly listed here.

Also note that your keys have a set expiry time (usually recommended is 2 years), which you can choose when creating them.  It can later be renewed, but you need to remember to do this manually (good idea to set a calendar reminder).  The keyoxidizer tool will tell you about this when you create a key.

The keyoxidizer tool is a fast way to get into creating your proofs on Keyoxide, but it is currently limited to a small number of account types.  Here is a full list of supported accounts on Keyoxide.  Some require more complicated manual processes to add them so you will need to dive into the docs and perhaps look at using a tool like gpg or Kleopatra.

Bonus: Create a verified avatar image

A great way to create a verified avatar image that automatically shows up on your Keyoxide page, is to use libravatar - a more private and self-hostable alternative to Gravatar.  Simply create a libravatar account with the same email address as your Keyoxide account, upload an image and wait a few minutes till it shows up in your profile page.