SOMA: a protocol for distinguishing humans from machines when every external credential has fallen
A summary of the SOMA Research / OpenCrew whitepaper, Proof of Human (V1.0, April 2026).
Abstract
AI can now clone a human voice from three seconds of audio, generate photorealistic deepfake video from a single photograph, and pass identity verification with higher accuracy than legitimate users. Every external authentication method (passwords, SMS 2FA, voice biometrics, CAPTCHA, facial recognition, fingerprint, liveness detection) has either been defeated or is actively failing. SOMA proposes that cryptographic identity derived from the continuous biological signals of a living human body is the only structurally undefeatable solution, and is building this as an open protocol layer for the internet.
The architectural failure
Every credential humans have built so far exists outside the body: stored, transmitted, photographable, or recordable. That externality is the failure mode AI now exploits at industrial scale.
| Method | Primary attack vector | Status |
|---|---|---|
| Passwords | Brute force, phishing, credential stuffing | Defeated |
| Security questions | Social engineering, public data mining | Defeated |
| SMS 2FA | SIM swap, SS7 protocol interception | Defeated |
| Voice biometrics | Real-time clone from 3-sec sample | Defeated |
| CAPTCHA | AI 99.8% accuracy vs humans 50–84% | Defeated |
| Facial recognition | AI faces, deepfake video injection | Compromised |
| Fingerprint | Synthetic prints from photographs | Compromised |
| Liveness detection | Adversarial ML, API-level injection | Failing |
| Behavioral biometrics | AI behavioral modeling from minimal data | At risk |
The CAPTCHA case is the cleanest illustration: a system designed to distinguish humans from machines now performs the task in reverse. It identifies humans by their inferiority at it.
The scale is not theoretical. US deepfake fraud losses hit $1.1B in 2025 (3× the prior year). Deepfake-enabled vishing surged over 1,600% in Q1 2025. Circulating deepfake files are projected at 8M by 2025: ~900% annual growth, doubling time under six months. In one Arup case in February 2024, a finance worker wired $25M after a video call where every participant other than him was an AI deepfake.
The three properties of biology
The continuous signals of a living human body have three properties no synthetic credential can match:
- Irreducible complexity. Signals emerge from billions of cells operating in concert. The full state of a living system cannot be modeled in real time.
- Continuous variability. Signals change moment to moment while preserving individual-specific invariants. A recorded sample is immediately stale.
- Physical inseparability. The signals cannot be removed from the body. No database to breach, no token to steal. If the body is not present, the key does not exist.
Architectural comparison
Protocol
SOMA transforms biological signals into cryptographic proof of identity in three stages. No biometric data is ever stored, transmitted, or accessible to any external party.
A miniaturized biosensor captures continuous cardiac (ECG) and vascular (PPG) signals. They are fed through a fuzzy extractor [Dodis–Reyzin–Smith, EUROCRYPT 2004], a cryptographic primitive that derives stable keys from noisy biometric input. The same person reliably produces the same 256-bit key. A different person produces a different one. The key exists only during generation and is destroyed immediately after use. Verification is broadcast as a zero-knowledge proof to a decentralized network. No central registry, no biometric database.
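A minimal code-offset fuzzy extractor in the style of the cited Dodis–Reyzin–Smith paper, added here as an illustration and not taken from the SOMA whitepaper or its code. It shows that enrollment emits public helper data which reproduction needs, and that key recovery fails once noise exceeds the error-correction budget. Assumptions: the 7x repetition code, HMAC-SHA256 standing in for the strong extractor, the names `gen`/`rep`/`flip`/`demo`, and constructed random bit strings in place of real ECG/PPG features.

```python
import hashlib, hmac, random, secrets

R = 7      # repetition factor: majority vote corrects up to 3 flips per block
K = 128    # number of blocks; a template is K * R bits

def _encode(bits):
    return [b for b in bits for _ in range(R)]

def _decode(bits):
    # Majority vote over each block of R bits
    return [int(sum(bits[i:i + R]) > R // 2) for i in range(0, len(bits), R)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(w, seed):
    # Assumption: HMAC-SHA256 stands in for a strong randomness extractor
    return hmac.new(seed, bytes(w), hashlib.sha256).digest()

def gen(w):
    """Enrollment: return (256-bit key, public helper data)."""
    codeword = _encode([secrets.randbelow(2) for _ in range(K)])
    seed = secrets.token_bytes(16)
    return _extract(w, seed), (_xor(w, codeword), seed)

def rep(w_noisy, helper):
    """Reproduction: correct a noisy reading back to the enrolled template."""
    sketch, seed = helper
    codeword = _encode(_decode(_xor(w_noisy, sketch)))
    return _extract(_xor(sketch, codeword), seed)

def flip(w, positions):
    out = list(w)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    rng = random.Random(1)  # constructed sample templates, not real signals
    enrolled = [rng.randrange(2) for _ in range(K * R)]
    other = [rng.randrange(2) for _ in range(K * R)]
    key, helper = gen(enrolled)
    same = rep(flip(enrolled, [0, 1, 2, 50, 400, 401]), helper)  # within budget
    too_noisy = rep(flip(enrolled, [0, 1, 2, 3]), helper)        # 4 flips, block 0
    stranger = rep(other, helper)
    return key, same, too_noisy, stranger
```

The helper data is the part to scrutinize in any design review: it has to persist between enrollment and reproduction, and how much it reveals about the template depends on the code and the entropy of the input.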
Cryptographic properties
| Property | Description |
|---|---|
| Deterministic | Same person, same key, across sessions |
| Unique | Different person, different key, negligible collision |
| Ephemeral | Key exists only during generation, never stored |
| Non-extractable | Biological signal cannot be reverse-engineered from public key |
| Liveness-bound | Generation requires continuous signal; body separates, it stops |
| Zero-knowledge | Proves humanness without revealing biology |
Applications
- Authentication. Replaces the entire stack with a single biological proof. Onboarding, KYC, age verification.
- Communication integrity. Every call, message, and video carries cryptographic proof a verified human created it. Deepfake calls become instantly identifiable as unsigned.
- Financial authorization. Transactions signed by a living-human key. No amount of stolen data can replicate the proof.
- Proof of personhood. Verified human status anchored to biology. Bots, farms, and synthetic identities become structurally impossible. Social, marketplaces, voting, reviews.
Why now
Three forces converge. Biosensor miniaturization, low-power cryptographic processing, and body-area networking have made biologically-derived cryptography technically feasible for the first time. Deepfake content is growing at 900% annually, and the window between "AI can fool some systems" and "AI can fool all systems" is closing. Meanwhile, institutions are responding to the crisis by mandating centralized digital identity: databases linking biometrics to government credentials, which create single points of failure and concentrate control over identity itself. Centralized identity creates centralized vulnerability.
Design principles
- Body-bound. If the body is not present, the key does not exist.
- Zero-knowledge. Proof of humanness without revealing biology.
- Decentralized. No single entity holds unilateral control over issuance, verification, or revocation.
- Minimalist. Proves exactly what needs to be proven, nothing more.
- Continuous. Body separates, authentication ceases.
- Open protocol. Global standard, not proprietary product.
Conclusion
The infrastructure for verified human identity does not exist yet. No system in operation today can provide cryptographic proof that a digital interaction originates from a living human being. SOMA is building that protocol layer, grounded in one insight: the living human body is the only source of identity that AI cannot forge.
Read the full whitepaper at proofofhuman.world/paper.