Native On-Chain Identity: capability-first, passwordless, and self-recovering
Rethinking Identity: From Passwords to Protocol-Defined Control
Keywords: identity, security, thresholds, recovery, authentication, ECDH, encryption, Bitcoin, incentives, sovereigntySubscribe
First principles
First Principles
The attempt to rebuild digital identity by replicating directory services is nothing more than the re-animation of a corpse. Accounts, tenants, issuers—each is a feudal artefact of Web2. They exist to bind the individual to an administrator’s hierarchy. They are brittle, static, central points of control. An “account” is not identity, it is an entry in someone else’s ledger. True identity is a capability, proven in the moment, inside the transaction. It is not who you are in a directory; it is what you can demonstrably do, here and now, cryptographically bound to action.
Capabilities, Not Accounts
A capability is an executable proof: the ability to authorise, to transfer, to sign, to unlock. Within a transaction, it is expressed as a valid signature or script evaluation. This collapses the abstract notion of “identity” into a concrete demonstration of power over resources. In the on-chain model, possession of the correct proof is the only thing that matters. There is no directory to check, no administrator to approve, no external resolver. A key is not an entry in a database; it is an atomic capability. When the transaction verifies, the identity is proven. When it fails, no appeal exists.
Custody With the Individual
Control of keys must never migrate into the hands of issuers or service providers. Custody belongs to the individual or their devices. External directories may exist, but only as optional conveniences, not as choke points. The litmus test is simple: if a single directory or administrator can deny access, the system is broken. True sovereignty eliminates the veto power of third parties. An identity system that allows external reset buttons or override mechanisms is theatre, not security.
Ephemeral, One-Shot Cryptography
Every interaction is unique. Each session generates fresh ECDH key pairs, used once and destroyed. If Alice selects ephemeral kAk_A and Bob selects ephemeral kBk_B, the shared secret is
𝐾 = (k_A × P_B) = (k_B × P_A)
where PAP_A and PBP_B are the respective public points. The resulting 𝐾 is session-bound, discarded at completion, and mathematically unlinkable to prior or future exchanges. This design prevents replay, prevents surveillance, and prevents correlation. No long-lived identifiers persist. Each proof vanishes once its work is complete. The system forgets, and forgetting is security.
Programmable Recovery
Loss is inevitable, and must be engineered for. Password resets, “mother’s maiden name,” or “favourite pet” are insults, not safeguards. Real recovery is threshold-based. Shamir’s Secret Sharing divides a private key 𝐾 into n pieces such that any t can reconstruct it, but fewer yield nothing.
f(x) = K + a₁x + a₂x² + … + a_{t−1}x^{t−1} (mod p)
Each participant holds a share; no one can act alone. Recovery requires deliberate recombination under the control of the individual. Recovery centres may be unknown to one another, distributed across jurisdictions, and powerless in isolation. This prevents both unilateral compromise and permanent loss. Recovery is not administrative grace; it is cryptographic certainty.
Economic Alignment
Security without economic weight is fiction. Policy acquires teeth when tied to money. In Bitcoin, rights and revocations bind directly to UTXOs. A right may be anchored to a spendable output; revocation may be enforced by destroying or reassigning that output. The identity system thus becomes inseparable from financial reality. Proofs are not just validated—they are paid for. Revocations are not just declared—they are burned into the chain. This enforces honesty not through trust, but through cost. Every participant has skin in the game.
Conclusion
A native on-chain identity system must be rebuilt from these axioms: identity as capability, custody by default, ephemeral cryptography, threshold recovery, and economic anchoring. It is mathematics and incentives, not administrators and issuers, that enforce order. To persist in the account-directory model is to cling to parchment in an age of steel. The future belongs to systems that do not ask for trust, that do not rely on gatekeepers, and that do not tolerate the existence of choke points. Anything less is regression.
Identity = capability inside the transaction
Identity as Capability
Identity is not a static label or an entry in a corporate directory. It is the capability demonstrated inside a transaction. A signature, a proof, or a satisfaction of script conditions—that is the only form of identity that matters. What exists is not an “account” but a proof that binds the right to act with the act itself.
Script as Policy
The script is the law. On-chain policy attaches directly to the spend. An output may demand: prove possession of XX, demonstrate attestation YY, satisfy threshold ZZ within time TT. Authorization does not live outside the chain; it is enforced on-chain at the point of spend. This collapses identity and authorisation into a single, verifiable unit—inseparable from the transaction.
No Directory Lookups
There is no hot-path dependency on directories or issuers. The transaction is final if and only if its attached proofs satisfy the script. If a proof cannot be demonstrated in-tx, or attached compactly to the tx/PSBT, then it is not necessary for settlement. Nothing external can veto or interpose itself in the critical path. The system admits only those proofs that can travel with the spend itself.
Short-Lived, Composable Proofs
Proofs are ephemeral. Each credential is fragmented and Merkle-ised, enabling selective disclosure. A spend need only reveal the minimal subset relevant to that transaction. The rest remains concealed, cryptographically inaccessible. Composability emerges from this design: proofs can be constructed, recombined, and destroyed without leaving residue. The capability is proven in the moment, then extinguished.
Principle
Identity here is not a persistent record, but a dynamic proof carried inside the act of exchange. Policy becomes code. Trust is replaced by script. Control resides not in directories or issuers, but in mathematics and incentives. The architecture leaves nothing to external appeal. It accepts only what can be proven in-tx, and it forgets everything else.
Passwordless by construction
Passwordless by Construction
Identity is redefined as a property of proof, not a recollection of secrets. The system eliminates the notion of passwords entirely by anchoring security in ephemeral mathematics rather than human memory.
Ephemeral ECDH
Each device or session derives a transient key from a per-device cryptographic seed. The mechanism is strictly single-use: derive once, prove once, discard. This ensures that every interaction is isolated, immune to reuse, and mathematically unlinkable to prior exchanges.
Mutual Attestation
Trust is established by both parties proving possession of their respective ephemeral private keys. These keys are bound explicitly to the transaction intent, ensuring the demonstration is contextual and non-transferable. No shared secrets exist, no central repository governs the process, and no password or phishable prompt ever arises. The proof is mutual, ephemeral, and contained within the transaction boundary.
Forward Secrecy and Unlinkability
Every session is defined by fresh keys. Even if an adversary captures past transcripts, the cryptographic isolation prevents any extrapolation to future interactions. No observer can correlate two sessions, as no persistent identifier survives beyond the scope of a single proof. The security model is designed not merely to resist compromise, but to deny it a future.
Principle
The architecture is engineered so that the concept of “password” never appears. Security flows from one-shot derivations and mutual cryptographic attestation, with guarantees of forward secrecy and unlinkability built in. Identity becomes an act of proving in the present moment, not a credential carried from the past.
Device binding and rotation
The architecture of digital identity cannot remain chained to the primitive notion of shared logins. A login is a brittle fiction: one static secret, endlessly reused, trivially stolen, and patched over by bureaucracy. The alternative is device binding. Each device carries its own cryptographic seed, a root of trust from which ephemeral proofs are derived. The individual does not “log in.” The device itself demonstrates capability.
Formally, let each device be initialised with a unique seed s. For interaction i, the device derives a private scalar:
kᵢ = H(s ∥ i) mod n
where H is a cryptographic hash and n is the order of the elliptic curve secp256k1. The public key is:
Kᵢ = kᵢ·G
with G the generator. This keypair (kᵢ, Kᵢ) lives only for that transaction. After use, kᵢ is destroyed. Thus, no long-term secret can be replayed. Each proof exists for one instant, then vanishes.
Identity in this model is not a name in a directory. It is the ability to produce the correct kᵢ at the correct time. If the device cannot, it has no standing. There is no corporate administrator to reset access. No directory to check. No master password to phish. The mathematics decide.
Rotation emerges from the same logic. When a device is lost, the system does not plead with IT support. Instead, a recovery process—mathematically encoded—authorises a new device and phases out the old. Consider a (t,n)-threshold recovery using Shamir’s Secret Sharing. A recovery secret S is divided into shares sⱼ, distributed among n custodians. The secret is reconstructed only if t or more custodians collaborate:
S = Σ λⱼ·sⱼ
with λⱼ as Lagrange coefficients over GF(p). The user must participate; no custodian alone can seize control. When a new device is added, it demonstrates possession of the reconstructed recovery secret.
The policy is enforced not by administrators but by script. On-chain logic encodes acceptance of new keys and the expiration of old ones:
Policy: Accept(K₁, K₂, …, Kₙ) → Accept(K₁, K₂, …, Kₙ, Kₙ₊₁) ∧ Timeout(Kₒₗd)
This script is binding. No appeal to human weakness alters it. Once the timeout condition matures, the old device is void. A compromised machine is excised by code, not paperwork.
Economics close the loop. Each right to transact is anchored to a Bitcoin UTXO. Revocation is not symbolic; it carries financial cost. A compromised device that lingers threatens funds. Users are compelled, by their own financial interest, to rotate devices swiftly. Bureaucracy is optional; incentives are not.
The difference is stark. In the corporate directory model, a lost laptop may remain active for weeks, access unchanged. Attackers thrive on such inertia. In the device-binding model, compromise is cut short by expiry. The mathematics are merciless, and therefore effective.
In this scheme, identity equals capability. No one “resets” you into the system. You either derive the ephemeral key demanded by the transaction, or you are excluded. The system offers no mercy and no loophole. Critics may call it harsh. Harsh is precisely what prevents fraud.
Device binding and rotation thus embody the principle of cryptographic finality. Identity exists only in proofs, bound to transactions, enforced by economics. Bureaucracy is abolished. Human weakness is irrelevant. The user stands or falls on mathematics.
Threshold recovery you actually control
The charade of “forgotten password” reset emails, the pathetic dance of mother’s maiden names and favourite pets, all of it exists to comfort bureaucrats while betraying the user. Real recovery is not begging an administrator; it is cryptographic certainty that only you, and those you explicitly empower, can resurrect control.
At the centre lies the master recovery secret S, an indivisible root of trust. This secret is never stored in one place. Instead, it is split into n Shamir shares using polynomial interpolation over a finite field GF(p). Each share sⱼ corresponds to a unique point on a polynomial of degree t−1, where t is the threshold. The secret itself is the constant term:
f(x) = S + a₁x + a₂x² + … + aₜ₋₁xᵗ⁻¹ (mod p)
Any t shares can reconstruct S via Lagrange interpolation:
S = Σ (λⱼ · sⱼ) mod p
with λⱼ = ∏ (xₘ / (xₘ − xⱼ)), over all participating indices m ≠ j.
Unlike institutional custodianship, you yourself hold at least one share. Without it, no recovery is possible. This eliminates the obscene risk of third parties colluding to seize your assets. You are mathematically bound into the quorum.
The other shares reside with Key Recovery Centres (KRCs)—independent custodians chosen for diversity of jurisdiction and governance. One may be in Zurich, another in Singapore, another in São Paulo. They may not even know of one another’s existence. They cannot collude easily, because the policy requires your own share plus a quorum of theirs.
But raw threshold cryptography is not enough. Policy layers strengthen the system. Recovery requires three interlocking constraints:-
Quorum: A minimum of t KRCs must cooperate.
-
Delay: On-chain timelocks enforce a waiting period, giving you time to abort fraudulent requests.
-
Bond: Each KRC posts collateral locked in Bitcoin. Malicious participation triggers slashing, burning their bond. Misbehaviour is punished economically, not rhetorically.
Recovery is not an instantaneous conjuring trick; it is a protocol bound to incentives and irreversible consequence.
Even more, each KRC applies its own “Know Your Factor” (KYF) check. One demands a live video call, another requires a hardware token response, a third insists on an in-person verification. These are out-of-band gates you define at setup. They fragment the attack surface. A criminal cannot bypass the system with a single breach or stolen document. Every KRC enforces its own discipline, and only your pre-authorised combinations pass.
In practice, this model means no faceless help desk can lock you out or let an impostor in. Recovery is not a process run by others “on your behalf.” It is a cryptographic ritual in which your will is indispensable, quorum is mandatory, time is enforced, and incentives are aligned. The mathematics strip away the lies of convenience and leave only the cold precision of proof.
What emerges is genuine self-sovereignty: recovery that serves the user, not the system; security built on economic alignment, not clerical trust; identity guaranteed not by a benevolent administrator but by the iron certainty of number theory.
“No password” recovery flows (practical cuts)
The juvenile fantasy of passwords ends here. Recovery is not guesswork or trust in a help desk; it is a series of cryptographically defined flows, each engineered to expect failure without ever surrendering control.
Lost device. The user presents their recovery share and initiates a recovery PSBT. Independent KRCs add their partial signatures, each weighted by the quorum policy. The chain enforces a timelock—an inescapable countdown where fraud can be stopped. When the period expires, the new device’s key is written into the policy script and the old key is atomically revoked. No administrator overrides this sequence; the protocol itself adjudicates who is in and who is out.
Lost recovery share. Control of an active device is enough to rotate a new Shamir split. Fresh shares are generated, distributed to KRCs, and the obsolete set is tombstoned by policy after a fixed delay. No stale credential lingers, no “forgotten question” waits to be replayed. The system amputates the useless limb before rot sets in.
Compromise suspicion. A paranoid mode exists for the moments when you smell intrusion. Flip the “high friction” switch and the recovery policy hardens itself. Thresholds rise, timelocks lengthen, and more KRCs are compelled into the quorum. An attacker finds not a gap to crawl through, but a wall that grows higher the harder they push. You de-escalate when you are satisfied; until then, security suffocates the threat with deliberate inconvenience.
This is not recovery as a side channel to be exploited. It is recovery as a controlled burn—mathematically defined, economically aligned, and entirely in the user’s hands.
Tying identity to money (the incentive)
Abstract promises of “trust” are worthless unless tied to skin in the game. Identity only matters when misbehaviour carries a cost, and Bitcoin provides the substrate where every action can be collateralised.
Capabilities backed by UTXOs. Each live capability is instantiated as a bonded UTXO. Its presence on-chain signals authority; its spend or revocation updates the state with finality. Abuse is punished automatically: the bond is consumed, burned, or redirected, leaving the abuser lighter in coin. Identity ceases to be an entry in a ledger and becomes a live financial position, mutable only through proof and expenditure.
Slashing for bad guardianship. Independent KRCs hold power, but not without peril. Should a custodian conspire in fraudulent recovery, the script slashes its bond. The penalty is not theoretical—value vanishes into a burn address or is transferred to the aggrieved. Guardianship is no longer a ceremonial role but a stake-backed contract, one where betrayal costs real coin. The higher the temptation to cheat, the harsher the pre-committed price of disloyalty.
Attestation markets. Even in a world of proof, signals add texture. Miners or exchanges can issue paid attestations: “this announcement was first observed here,” “this key was active at block height n.” These are ephemeral markers, cheap and commoditised, useful for instant risk checks. Crucially, they are never mandatory. No single actor becomes a choke point; instead, a market of competitive verifiers emerges, each selling fragments of credibility on demand.
When identity is inseparable from money, the system achieves alignment. Rights and responsibilities crystallise into UTXOs, recovery becomes an economic ritual, and betrayal carries the same weight as theft. Authority is no longer granted by decree—it is bought, bonded, and forever at risk of slashing.
Privacy as the default outcome
The system treats privacy not as an optional addon but as the inevitable by-product of its construction. Where Web2 bolted surveillance onto identity, here the opposite is true: anonymity is not the point, but selective, provable disclosure is.
Pairwise pseudonyms. Each interaction begins with a fresh ephemeral key, derived once, discarded after. To one service, you are point P₁; to another, point P₂. No common identifier exists across contexts, no universal username to correlate, no permanent beacon trailing behind. Identity is reduced to a transient cryptographic coordinate, unique per counterparty, extinguished at closure.
Minimal disclosure. Credentials are Merkle-structured: a binary tree of attributes, each signed as a leaf. To prove “age ≥ 18,” you expose only that leaf and its inclusion path, not the entire credential set. To show KYC compliance, you reveal the single node attesting it, not your address, employment history, or bank account. Disclosure becomes granular, atomic, and bounded—never an indiscriminate flood.
Audit without doxxing. Regulators and auditors can still demand proof, but the proofs themselves remain compartmentalised. You present a signed bundle: receipts from transactions, inclusion proofs from credential trees, time-stamped commitments from the chain. What you do not provide is the entirety of your identity graph splayed open to every observer. Compliance is satisfied, oversight is preserved, and yet personal detail remains sequestered.
Privacy ceases to be an adversarial demand; it emerges from the architecture. Every proof is scoped, every identifier ephemeral, every credential modular. In such a system, surveillance has no foothold, because there is nothing permanent to seize.
AIs and ephemeral principals
The mythology of permanent service identities belongs to the corporate directory, a relic of the client-server age. In a system built on first principles, there are no standing accounts, no eternal principals to compromise. Instead, everything reduces to a temporary capability, cryptographically bounded, living only long enough to complete its function and then disappearing.
Ephemeral service principals. A serverless function generates a transient keypair, requests a narrowly defined capability, and executes. The capability itself is codified in a UTXO: capped by value, constrained by time, restricted to enumerated methods. Once spent, it dies. No backdoors remain, no credentials linger to be stolen. The “principal” is the transaction-bound proof of possession, not a line in a database.
Composable delegation. Authority fragments as precisely as the policy allows. A human user may grant an agent a capability UTXO worth 0.01 BTC, valid for twenty-four hours, permitting only micropayment disbursements. That agent, in turn, may slice off a narrower capability—say, 0.001 BTC over an hour—to a sub-agent. Script conditions enforce the narrowing automatically. At no stage is there an administrator with godlike directory powers; the chain enforces all boundaries.
Proof-in-script. The ledger itself becomes the arbiter. When the agent acts, its claim is not validated by an external registry but by the satisfaction of the script attached to the UTXO. The rules are enforced in the only place that matters: settlement. If the proof holds, the state change executes; if not, the attempt is void.
Here, AIs and automation do not need trust anchors embedded in corporate bureaucracy. They live inside a lattice of disposable, cryptographically constrained capabilities. Their identities are not names; their rights are not permissions in a directory. They are nothing more—and nothing less—than the proofs they can carry into a transaction.
Interop with legacy issuers (without re-centralizing)
The trap of the old world is mistaking an issuer for the root of trust. The new model refuses this outright. Identity is not bestowed from above; it is proven at the edge, in the act of a transaction.
Bring your own issuers. If a bank, an employer, or a university wants to sign an attestation, let them. Their credential is nothing more than an optional witness bound into the transaction flow. You can attach it when useful, ignore it when not. They do not stand above the system. They cannot dictate who participates, nor revoke capability outside of the policy script that defines it. Their word is evidence, not command.
Resolvers as caches. Discovery APIs may exist, but they are nothing more than mirrors of proofs already circulating. They can accelerate lookups or compress verification costs, but they cannot veto action. If every resolver vanishes, your capabilities remain alive because they are carried within the spend itself—provable, self-contained, and final. The hot path does not depend on directories; it depends on mathematics.
This is how legacy institutions can coexist without re-centralising the architecture. They may bear witness, they may sell convenience, they may offer attestations. But they no longer hold the master key. The authority is inverted: the transaction settles if and only if the proof holds. Everything else is noise.
Failure and threat thinking (engineered, not hand-waved)
Security that matters is not declared—it is constructed. Hand-waving away risk has been the disease of the password era, and its cure is to engineer failure as a first-class outcome. Systems must expect to be attacked, expect to be broken, and still deny the adversary leverage.
Phishing. There is nothing to phish. No passwords, no static factors, no “secret questions.” Each interaction is bound to the transaction itself, negotiated with a one-time ECDH key that expires the moment it is used. A replay is indistinguishable from noise: useless to the attacker, discarded by the system.
SIM-swap and OTP theft. All the old tricks of hijacking SMS or app-based codes evaporate when there is no reusable token to steal. The architecture provides nothing durable for an attacker to intercept. Each proof is cryptographically pinned to a single spend, then destroyed.
Single-custodian failure. There is no root of trust to bribe, subpoena, or compromise. Recovery requires a threshold of independent shares, a delay enforced on-chain, and the looming
What to stop copying from Web2
The sickness of Web2 is structural. It begins with the presumption that there must always be a master switch, a privileged class, a hidden key that can override the individual. That sickness has metastasised into every crevice of digital identity. The supposed convenience of admin backdoors is in truth a naked central choke point, a lever by which states, corporations, or even rogue insiders may seize control. In the architecture aligned with Bitcoin, this practice is not merely avoided; it is mathematically impossible. There is no “super-tenant” whose flip of a bit seizes your identity. Authority is bound in the script, enforced by quorum and delay, and answerable to no one but the economic rules of the chain.
Static roles are another contagion inherited from corporate directories. The fiction of permanence—that once an account is marked “admin,” it remains so indefinitely—is precisely what creates systemic failure. In a capability-first model, there is no permanent blessing. Each authorisation is point-in-time, scoped, and cryptographically defined. A capability is either provably live in a transaction, or it is dead. The burden of history, of endless role creep, evaporates. Roles do not linger, metastasising into vulnerabilities; they expire by design, as ephemeral as the transaction they secure.
The final parasite of Web2 lies in the resolvers—the registries and directories treated as indispensable. They are gatekeepers, fragile single points of coercion. A resolver that must be queried to validate every action is not a helper; it is a shackle. In the model here, resolvers are reduced to caches, convenient when they exist, irrelevant when they fail. What matters lives with the spend itself. Proofs, attestations, and capabilities travel alongside the transaction, self-contained, uncensorable, immune to the politics of registries. If a resolver disappears, the system does not even blink.
This is the severance. No backdoors, no static roles, no chokepoint resolvers. Every one of those patterns is an artefact of Web2’s addiction to central authority. Every one must be cut out, cauterised, and left behind. What remains is the architecture of capability: engineered, cryptographic, and tied to economic reality on-chain. Identity becomes what it always should have been—not a directory entry, not an account, but a capacity to act, provable at the moment of transaction and vanishing thereafter. This is the end of borrowed metaphors from Web2. This is the construction of security on first principles.
The shape of the stack (concrete)
The architecture ceases to be an abstract sketch the moment it is reduced to keys, scripts, and proofs. At the base lies the key structure: every device is seeded independently, deriving a fresh ephemeral through per-session ECDH. Each key is used once, then discarded, leaving no artefacts to be stolen, replayed, or correlated. This is not redundancy masquerading as security; it is actual entropy, harnessed and spent like fuel.
Intents travel next. A human-readable declaration—“send 0.05 to X,” “add new device Y”—is signed by the device’s ephemeral key and fused into a PSBT. No ambiguity, no screen spoofing, no manipulation by prompts. The intent is the atomic unit of authorisation, visible to the user in language, binding in mathematics.
Policy is enforced where it matters: inside the script. A multibranch construct defines the entire lifecycle of control. The normal spend branch, the emergency revoke, the time-delayed recovery, the guardian-escalated override—every path is encoded as spend conditions in the UTXO itself. No appeal to a directory, no phone call to a help desk, no secret override key. The policy is cryptographic law, as immutable as the hash functions it rests upon.
Recovery follows the same principle: decentralised, deliberate, economically bounded. The recovery secret is Shamir-split, with at least one share held by you. Recovery requires your active participation plus a quorum of Key Recovery Custodians, all bound by an on-chain timelock and a staked bond subject to slashing for misconduct. The formula is simple:
Recovery = Your Share ⊕ Quorum(KRC Shares) ⊕ Timelock ⊕ Bond
Without all four factors, nothing moves. Collusion is punished with loss, and unilateral seizure is impossible.
Attestations exist at the edge: optional, metered, and economically honest. Exchanges or miners can sell timestamped signals—“we observed this announcement first”—but they are advisory, not mandatory. They provide rapid confidence without ever transforming into a choke point.
The user experience maps directly to these primitives. “Add device,” “Pause account,” “Recover key”—each corresponds to a pre-built PSBT template. Users do not tangle with scripts or raw signatures; they select operating modes: everyday, high-value, panic. The complexity remains in the mathematics; the control remains with the individual.
This is the stack, concrete and unyielding. Keys are ephemeral. Intents are explicit. Policies are scripted. Recovery is decentralised. Attestations are optional. UX is mapped to immutable logic rather than bureaucratic authority. The entire system is shaped not by metaphor but by the hard geometry of cryptography and the incentives of money on-chain.
Bottom line: stop hauling a Web2 directory into a Bitcoin world. Make identity a capability proven inside the transaction with one-shot ECDH, let people recover themselves with threshold policies that punish collusion, and anchor incentives to UTXOs so security isn’t just promises—it’s paid for. Control returns to the individual, scale returns to the network, and the “account” finally dies the quiet death it deserves.