The 6-Signal Trust Ceiling System

How POY Verify builds, calculates, and maintains trust scores using a multi-signal ceiling architecture that gives platforms granular risk control and gives users portable, privacy-preserving identity.

Why Binary Verification Is Broken

Most identity platforms treat verification as a boolean. You are either verified or you are not. A green checkmark or nothing. This binary approach fails in fundamental ways that become obvious at scale.

Consider the problem from a platform's perspective. A user who completed a one-time email verification six months ago and a user who just passed biometric liveness detection with a hardware-bound device fingerprint are both marked "verified" in a boolean system. But the trust warranted by each is dramatically different. The first could be a bot operator using a disposable inbox. The second is almost certainly a unique human being.

Binary verification creates a false sense of security. It tells platforms that everyone above the line is safe and everyone below the line is risky. The reality is that trust exists on a spectrum, and treating it as a switch leaves platforms blind to the difference between a low-confidence identity and a high-confidence one.

POY Verify solves this with a ceiling-based trust model. Instead of a boolean, every identity carries a numerical trust score from 0 to 100. The score is not arbitrary - it is calculated from verified signals, account behavior, and temporal consistency. More importantly, your score can never exceed your ceiling, and your ceiling is determined by how many verification signals you have completed.

When a user first enrolls through biometric liveness verification, they start at a trust score of 50.0 with a trust ceiling of 60. That ceiling means their score can grow through activity and account age, but it will never exceed 60 until they add more signals. This gives platforms something binary systems never could - granular risk stratification based on the actual depth of verification.

How the Trust Ceiling Works

The trust ceiling is the maximum possible trust score a user can achieve based on their verified signals. Think of it as a cap. Your actual trust score is computed from multiple factors (account age, verification recency, content activity), but it can never exceed your ceiling.

Each of the 6 signals adds points to your ceiling. The total possible ceiling is 100, achieved when all 6 signals are verified. Here is how they stack:

Signal | Ceiling points | Cumulative ceiling
Biometric Liveness | +60 | 60
Email Verification | +10 | 70
Phone Verification | +10 | 80
Device Fingerprint | +10 | 90
Voice Print | +5 | 95
Social Account | +5 | 100

VISUAL CEILING SCALE

Biometric only: ceiling 60
+ Email + Phone: ceiling 80
+ Device Fingerprint: ceiling 90
All 6 signals: ceiling 100

The math is straightforward. If you only have biometric liveness verified (ceiling = 60), and your computed score based on activity and age would be 73, your actual returned score is 60. The ceiling always wins. This is by design - it forces users who want higher trust access to actually verify more signals rather than gaming the score through activity alone.

Your trust score reflects what you have proven. Your trust ceiling reflects what you are capable of proving. The gap between them is your opportunity to build deeper trust.

The 6 Verification Signals - Deep Breakdown

Each signal in the POY trust system was selected for a specific reason, weighted based on its resistance to fraud, and designed to layer with the others. Here is a detailed look at every signal, how it works technically, what it defeats, and why it carries its specific weight.

SIGNAL 1 +60 POINTS

Biometric Liveness

This is the foundation signal. Every POY identity starts here. Without biometric liveness, no other signal can be added and no trust score is assigned. It is the single most important proof in the entire system because it answers the most fundamental question: is there a real, live human being on the other side of this screen?

How It Works

Biometric liveness runs entirely on-device, leveraging hardware security modules like Apple Secure Enclave, Google Titan M2, or Samsung Knox. The system uses MediaPipe FaceLandmarker to perform 468-point facial landmark detection, mapping the precise geometry of a user's face in real time.

Three distinct liveness challenges are performed in sequence. First, blink detection - the system monitors the eyeBlinkLeft and eyeBlinkRight blendshapes and requires values exceeding a 0.4 threshold, confirming the presence of natural involuntary eye movement. Second, head nod detection - the nose tip Y-axis displacement must exceed 0.03, proving the subject can perform deliberate three-dimensional movement. Third, facial presence confirmation - continuous verification that a real face remains in frame throughout the entire challenge sequence.

Once all three challenges pass, a SHA-256 hash is computed from the landmark coordinates combined with the current timestamp. This produces a unique biometric fingerprint that is cryptographically tied to that specific moment and that specific face. The critical privacy guarantee: zero biometric data leaves the device. Only the hash is transmitted to POY servers.
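The challenge sequence and hash step described above, written out as an added example; it is not POY Verify's code and does not call MediaPipe. The frame dictionary layout, the rule that both eyes must pass in the same frame, the nod baseline, the byte layout fed to SHA-256, and all function names are assumptions.

```python
import hashlib
import struct

BLINK_THRESHOLD = 0.4  # page: eyeBlinkLeft / eyeBlinkRight must exceed this
NOD_THRESHOLD = 0.03   # page: nose tip Y-axis displacement must exceed this


def evaluate_liveness(frames):
    """Run blink -> nod in sequence while requiring a face in every frame.

    Each frame is a dict: face (bool), eyeBlinkLeft, eyeBlinkRight, nose_y.
    Assumed: both eyes must exceed the threshold in the same frame, and the
    nod is measured from the nose position at the moment the blink passed.
    """
    stage, baseline_y = "blink", None
    for frame in frames:
        if not frame["face"]:
            # presence is continuous: a dropped face fails the whole session
            return {"passed": False, "failed_at": "presence"}
        if stage == "blink":
            if min(frame["eyeBlinkLeft"], frame["eyeBlinkRight"]) > BLINK_THRESHOLD:
                stage, baseline_y = "nod", frame["nose_y"]
        elif stage == "nod":
            if abs(frame["nose_y"] - baseline_y) > NOD_THRESHOLD:
                stage = "done"
    if stage == "done":
        return {"passed": True, "failed_at": None}
    return {"passed": False, "failed_at": stage}


def session_hash(landmarks, timestamp_ms):
    """SHA-256 over landmark coordinates plus timestamp (byte layout assumed)."""
    digest = hashlib.sha256()
    for x, y, z in landmarks:
        digest.update(struct.pack("<3f", x, y, z))
    digest.update(struct.pack("<Q", timestamp_ms))
    return digest.hexdigest()


def _frame(face, left, right, nose_y):
    return {"face": face, "eyeBlinkLeft": left, "eyeBlinkRight": right, "nose_y": nose_y}


# Constructed sample sessions (not real captures).
LIVE = [_frame(True, 0.05, 0.06, 0.50), _frame(True, 0.62, 0.58, 0.50),
        _frame(True, 0.08, 0.07, 0.51), _frame(True, 0.05, 0.05, 0.55)]
STATIC = [_frame(True, 0.02, 0.02, 0.50)] * 4        # never blinks
DROPPED = LIVE[:2] + [_frame(False, 0.0, 0.0, 0.0)]  # face leaves the frame
LANDMARKS = [(i / 468, (i * 7 % 468) / 468, 0.0) for i in range(468)]  # 468 points

if __name__ == "__main__":
    for name, session in (("live", LIVE), ("static", STATIC), ("dropped", DROPPED)):
        print(name, evaluate_liveness(session))
    print(session_hash(LANDMARKS, 1_700_000_000_000))
    print(session_hash(LANDMARKS, 1_700_000_000_001))  # same face, new digest
```

Because the timestamp is part of the hashed input, two sessions of the same face yield different digests; the value identifies one verification event rather than acting as a comparable biometric template.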

What It Defeats

Photos fail immediately because they cannot blink or nod. Video replays fail because the three-dimensional depth check detects flat screens. Deepfakes fail because current generation models cannot produce convincing real-time blendshape responses at the required thresholds. 3D printed masks fail because they lack the micro-movements of living tissue. Injection attacks fail because the processing runs inside the hardware security module, not in software that can be intercepted.

Why +60 Points

Physical human presence is the strongest possible proof of identity. Nothing else comes close. A person who passes biometric liveness is, with near certainty, a unique living human being. This is why biometric liveness alone grants 60% of the total ceiling - it is doing 60% of the trust work. Every other signal is supplementary validation layered on top of this foundation.

For Users

Proves you are a real, unique human being. This is the core of your proof of personhood. Verify once and carry this proof everywhere via the POY API.

For Companies

Eliminates bot accounts at signup, blocks multi-accounting at the biometric level, and reduces fraud losses by 90% or more. Integrates via the POY API with a single endpoint call.

SIGNAL 2 +10 POINTS

Email Verification

Email verification links a communication channel to your POY identity. It works through a standard but effective mechanism: a 6-digit verification code is sent to the provided inbox and must be entered within a defined time window. This is a public endpoint - no API key is required for users to verify their email.

Why It Matters for Users

Linking an email address enables badge notifications, account recovery communications, and serves as a secondary contact channel. It connects your verified human identity to a reachable communication endpoint, which platforms need to interact with you beyond the initial verification moment.

Why It Matters for Companies

Email verification enables companies to contact users for account recovery, reduces the prevalence of disposable email fraud (services like Guerrilla Mail and TempMail), and provides a basic filter against throwaway accounts. When combined with biometric liveness, it creates a verified human with a reachable contact point - significantly more useful than either signal alone.

Why +10 (Not Higher)

Email is easy to create. Gmail, Outlook, ProtonMail - all free, all available in unlimited quantities. Disposable email services let anyone spin up a temporary inbox in seconds. As a trust signal, email proves control of an inbox, not identity. It is a useful supplementary signal but weak in isolation, which is why it carries only 10 ceiling points.

SIGNAL 3 +10 POINTS

Phone Verification

Phone verification sends a 6-digit SMS code to the provided phone number, which must be entered to confirm control. It is mechanically similar to email verification but carries inherently different trust weight because of the economics of phone numbers.

Why It Is Stronger Than Email

SIM cards cost money. In most countries, obtaining a SIM requires some form of identification - a government ID, an address, or at minimum a payment method. This creates a financial and bureaucratic barrier that email lacks entirely. The cost of obtaining a phone number is not zero, which means the cost of abusing phone verification at scale is significantly higher than abusing email verification.

Why It Matters for Users

Adding phone verification provides a second communication channel, proves control of a phone number tied to a carrier account, and enables two-factor authentication flows on platforms that require them. It adds depth to your identity chain without requiring any additional biometric data.

Why It Matters for Companies

Phone is one of the strongest identity anchors used by financial institutions, banks, and government services worldwide. One phone number typically equals one person in most real-world scenarios. It reduces multi-accounting significantly because users rarely have more than two or three phone numbers, and it enables standard 2FA flows that comply with most security frameworks.

Why +10 Points

While stronger than email due to the cost barrier, phone verification is not immune to abuse. SIM farms exist, VoIP numbers can bypass carrier requirements, and SIM swapping attacks remain a real threat. Phone verification is a strong supplementary signal, but it is not foundational - that role belongs to biometrics. Ten ceiling points reflect its position as a valuable but bypassable layer.

SIGNAL 4 +10 POINTS

Device Fingerprint

Device fingerprinting creates a hardware-bound identifier tied to the specific phone, tablet, or laptop used during verification. This is not a cookie or a software token - it is a composite identifier derived from hardware characteristics that persist across browser sessions, app reinstalls, and operating system updates.

How It Works

The device fingerprint leverages device attestation APIs and hardware identifiers to create a stable, unique device ID. This ID is then bound to the POY identity, creating a link between the verified human and a specific physical device.

Fraud Detection

The real power of device fingerprinting is in anomaly detection. If multiple POY identities are being created from the same physical device, that is a clear fraud signal. Legitimate users verify from one or two devices. Account farming operations verify from the same device dozens or hundreds of times. The device fingerprint makes this pattern visible and actionable.

Why It Matters for Users

Your device becomes part of your identity chain, adding hardware-level trust to your profile. This means platforms can recognize your device as a trusted endpoint, reducing friction on subsequent visits and enabling faster authentication flows.

Why It Matters for Companies

Device fingerprinting prevents one person from creating many accounts across a platform, detects account farming operations before they cause damage, and identifies device-sharing patterns that indicate coordinated abuse. For marketplaces, social platforms, and financial services, this signal is critical for preventing multi-accounting at scale.

Why +10 Points

Hardware fingerprints can be spoofed with sufficient effort - virtual machines, device ID reset tools, and factory resets can all generate new fingerprints. However, each of these approaches has a cost in time and complexity, which significantly raises the barrier for attackers. Ten points reflects the signal's value as a meaningful but not unbreakable defense layer.

SIGNAL 5 +5 POINTS

Voice Print

Voice print verification analyzes the unique characteristics of a user's voice - pitch, cadence, formant frequencies, and spectral patterns - to create an audio-based biometric layer that is independent of visual biometrics. This adds a fundamentally different modality to the identity chain.

How It Works

The user speaks a prompted phrase, and the system extracts vocal characteristics that are unique to their physiology - the shape of their vocal tract, their natural speaking rhythm, and the harmonic patterns in their voice. These characteristics are processed into a voice print hash, similar to the biometric liveness hash, ensuring no raw audio data is stored or transmitted.

Why It Matters for Users

Voice print adds an additional proof layer that is useful for audio and podcast creators who want to prove their content is genuinely produced by them. It also provides a liveness check that works even in poor lighting conditions where facial recognition might struggle.

Why It Matters for Companies

Voice print adds depth to liveness checks by introducing a second biometric modality. Faking both visual and audio biometrics simultaneously is significantly harder than faking either one alone. For platforms that handle voice-based interactions (customer support, audio social, podcasting), this signal validates the identity of the speaker.

Why +5 Points

Voice print carries a lower weight for two reasons. First, the accuracy models for voice biometric matching are still being refined and are not yet at the same maturity level as facial landmark detection. Second, voice cloning technology is advancing rapidly - tools like ElevenLabs and similar services can produce convincing voice clones from short audio samples. Until anti-cloning defenses mature to reliably detect synthetic speech, voice print carries conservative weight in the trust ceiling.

SIGNAL 6 +5 POINTS

Social Account

Social account verification uses OAuth-based authentication to link existing social media accounts - Twitter/X, LinkedIn, or GitHub - to a POY identity. This connects a user's public online reputation and history to their verified credential.

How It Works

The user authenticates with their social platform of choice through a standard OAuth flow. POY Verify confirms account ownership and records the connection. No passwords are stored - only the OAuth token confirmation and basic profile metadata (account age, connection count) are retained.

Why It Matters for Users

Social verification leverages the reputation you have already built online. A LinkedIn profile with years of professional history, a GitHub account with real contributions, or a Twitter account with genuine followers - these represent real-world identity depth that complements your biometric verification.

Why It Matters for Companies

Social presence serves as a weak but useful signal for intent validation. It helps platforms filter out accounts with zero online footprint, which correlates with fraudulent or disposable identities. A user with a 3-year-old LinkedIn account and 500 genuine connections presents a fundamentally different risk profile than a user with no social presence at all.

Why +5 Points

Social accounts can be purchased, faked, or created in bulk. An aged Twitter account with followers can be bought on marketplaces for a few dollars. A fresh LinkedIn account with no connections means nothing. The trust value of this signal is highly contextual - a mature, active social presence is meaningful, but the signal itself is easy to fabricate. Five ceiling points reflect this reality: useful for adding identity depth, but unreliable as a primary trust indicator.

Trust Score Breakdown Components

The trust ceiling determines the maximum possible score, but the actual score at any given moment is computed from four dynamic components. These components are recalculated on every API query, ensuring platforms always receive the most current trust assessment.

verification_consistency

Based on recency of last verification. Returns 99 if verified within the last 7 days. After that, decays by 2 points per day. A verification that is 30 days old would yield a consistency score of approximately 53. This incentivizes periodic re-verification.

account_age

Percentage based on the number of days since account creation. New accounts start low and grow toward 100% over time. This rewards long-term, persistent identities and penalizes freshly created accounts, which are statistically more likely to be fraudulent.

content_authenticity

Based on total content stamps created through the stamping system. Starts at a base of 50, increases by 0.5 per stamp, and caps at 100. A user with 100 stamps would have a content authenticity score of 100. This rewards active, legitimate use of the platform.

dispute_rate

Tracks fraud reports and disputes filed against the identity. Currently not implemented in the MVP - reserved for future use. When active, high dispute rates will reduce the trust score, providing a community-driven fraud signal that complements automated checks.

The final trust score is a weighted composite of these components, clamped to the user's trust ceiling. The API returns both the computed score and the individual component values, giving platforms full transparency into the trust calculation. See the developer documentation for the complete API response schema.

What Trust Scores Mean for Users

For individual users, the trust score system provides benefits that binary verification systems cannot match.

Portability. Verify once, carry your score everywhere. Any platform that integrates with the POY Verify API can query your trust score instantly. No more re-uploading government IDs to every new service. No more solving CAPTCHAs on every visit. No more repeating verification steps that you already completed elsewhere. Your POY credential travels with you.

Premium access. Platforms that require higher trust levels for premium features become accessible as you build your score. A marketplace might require a score above 70 to list high-value items. A financial platform might require 80 for large transactions. By verifying more signals, you unlock access to these tiers without any additional friction.

Reduced friction. Platforms that use POY Verify can skip traditional friction points - CAPTCHAs, repeated ID uploads, manual review queues - for users with sufficient trust scores. A high trust score is a fast pass through security gates that slow everyone else down.

Reputation building over time. Your trust score is not static. Every content stamp you create (each stamp boosts your score by 0.1), every day your account ages, and every re-verification you complete contributes to a growing trust reputation. This is a long-term asset that becomes more valuable the longer you maintain it.

What Trust Scores Mean for Companies

For companies and platforms, the trust ceiling system transforms identity from a checkbox into a risk management tool. Read the full technical whitepaper for implementation details.

Risk stratification. Set different trust thresholds for different actions. Require a score above 70 for financial transactions, above 50 for posting content, above 30 for viewing public content. Each action maps to a risk level, and each risk level maps to a trust threshold. This is not a one-size-fits-all approach - it is configurable risk management.

Fraud cost reduction. Every signal a fraudster must bypass increases their cost of attack exponentially. Bypassing biometric liveness alone is extremely difficult. Bypassing biometric liveness plus phone verification plus device fingerprinting is economically unfeasible for most attackers. The multi-signal approach makes fraud unprofitable at scale.

Compliance documentation. The trust score breakdown provides auditable evidence of verification depth. When regulators ask "how do you verify your users?", the answer is a specific, measurable set of signals with documented weights and decay functions, not a vague description of a verification flow.

Configurable thresholds. The API returns the raw score plus the complete breakdown. Your business logic decides what to do with it. A dating app and a banking platform have different risk tolerances - the same API serves both with different threshold configurations on the client side.

Real-time trust queries. The API response time is under 50 milliseconds. Trust queries can happen inline with user actions - at login, at checkout, at content submission - without adding perceptible latency. See the technical architecture for infrastructure details.

Trust Decay

Trust scores are not permanent. They decay by 0.05 points per day after 30 days of inactivity. This is a deliberate design choice, not a limitation.

A trust score from six months ago with no subsequent activity is less trustworthy than a score from yesterday. The person behind the biometric check six months ago is still presumably the same person, but without ongoing proof of activity, the confidence that they still control the account diminishes over time. Accounts get compromised. Phones get lost. People change.

The decay rate of 0.05 per day is calibrated to be gentle but meaningful. A user who goes completely inactive for 60 days would lose only 1.5 points - not catastrophic, but enough to create a meaningful difference between active and dormant accounts. Over a full year of inactivity, the decay would total approximately 16.75 points, potentially dropping a user below key platform thresholds.

How to Maintain Your Score

The decay function runs as a daily scheduled process at 6:00 AM UTC. It evaluates every active POY identity and applies the 0.05 deduction to any account that has been inactive for more than 30 consecutive days. This process is logged and auditable.
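The ceiling table, the score components and the inactivity decay described in the sections above, combined into one calculation. This is an added example, not POY Verify's code: the equal component weights, the floors at 0, applying decay after the clamp, taking account age as an input, and all function names are assumptions, because the page publishes no weights, account-age formula or API schema.

```python
# Added example, not POY Verify's code. Numbers marked "page" come from the
# article; the weights, floors and ordering marked "assumed" do not.

CEILING_POINTS = {  # page: ceiling points per verified signal
    "biometric_liveness": 60,
    "email": 10,
    "phone": 10,
    "device_fingerprint": 10,
    "voice_print": 5,
    "social_account": 5,
}

# assumed: equal weights over the three implemented components
# (dispute_rate is not implemented in the MVP, so it carries no weight here)
WEIGHTS = {
    "verification_consistency": 1 / 3,
    "account_age": 1 / 3,
    "content_authenticity": 1 / 3,
}


def trust_ceiling(signals):
    """Sum the ceiling points of the verified signals (page)."""
    signals = set(signals)
    unknown = signals - set(CEILING_POINTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    if "biometric_liveness" not in signals:
        # page: without biometric liveness no trust score is assigned
        raise ValueError("biometric liveness is the required foundation signal")
    return sum(CEILING_POINTS[s] for s in signals)


def verification_consistency(days_since_verification):
    """page: 99 within 7 days, then minus 2 per day; the floor at 0 is assumed."""
    return max(0.0, 99.0 - 2.0 * max(0, days_since_verification - 7))


def content_authenticity(stamps):
    """page: base 50, plus 0.5 per content stamp, capped at 100."""
    return min(100.0, 50.0 + 0.5 * stamps)


def inactivity_decay(days_inactive):
    """page: 0.05 points per day after 30 days of inactivity."""
    return 0.05 * max(0, days_inactive - 30)


def trust_score(signals, days_since_verification, account_age_pct, stamps,
                days_inactive=0):
    """Weighted composite, clamped to the ceiling, then decayed (order assumed).

    account_age_pct is passed in because the page gives no formula for it.
    """
    breakdown = {
        "verification_consistency": verification_consistency(days_since_verification),
        "account_age": float(account_age_pct),
        "content_authenticity": content_authenticity(stamps),
    }
    raw = sum(WEIGHTS[name] * value for name, value in breakdown.items())
    ceiling = trust_ceiling(signals)
    clamped = min(raw, ceiling)  # page: the ceiling always wins
    score = max(0.0, clamped - inactivity_decay(days_inactive))
    return {"score": round(score, 2), "ceiling": ceiling,
            "raw": round(raw, 2), "breakdown": breakdown}


if __name__ == "__main__":
    # Constructed input: biometric-only user, recent verification, 40 stamps.
    print(trust_score({"biometric_liveness"}, 3, 80, 40))
    # Same activity with every signal verified: the ceiling no longer binds.
    print(trust_score(set(CEILING_POINTS), 3, 80, 40))
```

With the constructed input, the biometric-only identity is held at its ceiling while the identical activity under all six signals returns the uncapped composite, which is the gap a relying platform sees between verification depth and activity.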

Frequently Asked Questions

What happens if I only complete biometric verification?
You will have a trust ceiling of 60 and an initial trust score of 50.0. Your score can grow through content stamps and account age, but it will never exceed 60 until you add more verification signals. This is still enough to access many platforms that accept moderate trust levels - a score of 50 to 60 covers standard use cases like posting content, participating in communities, and basic marketplace activity.

Can my trust score go down?
Yes. Trust scores decay by 0.05 points per day after 30 days of inactivity. This ensures that trust scores reflect ongoing proof of humanity, not just a one-time check. You can maintain your score by re-verifying periodically, creating content stamps, or staying active on platforms that query your POY score. Additionally, when the dispute_rate component is implemented, fraud reports filed against your identity could also reduce your score.

Do I need to verify all 6 signals?
No. Only biometric liveness is required as the foundation signal. All other signals are optional and additive. Each additional signal raises your trust ceiling, giving you access to more features on platforms that require higher trust levels. Most users will benefit from adding at least email and phone verification, which brings the ceiling to 80 - sufficient for the majority of platform requirements.

How do companies use my trust score?
Companies query the POY Verify API with your POY ID and receive your current trust score plus a full breakdown of which signals you have verified. They then apply their own thresholds - for example, requiring a score above 70 for financial transactions, above 50 for posting content, or above 30 for viewing. The API response time is under 50 milliseconds, so trust checks happen in real time without adding friction to the user experience.

Is my trust score portable across platforms?
Yes. Your POY trust score is fully portable. You verify once and carry your score to any platform that integrates with the POY Verify API. There is no need to re-upload ID documents, solve CAPTCHAs, or repeat verification steps on each new platform. This is one of the core design principles of POY Verify - verify once, prove everywhere.

What is the minimum score a company can require?
Companies can set any threshold from 0 to 100. A threshold of 0 means anyone with a POY ID can access the service. A threshold of 100 would require all 6 signals plus maximum account age and content activity - an extremely high bar reserved for the most sensitive operations. Most platforms set thresholds between 30 and 70 depending on the risk level of the action being performed.

Start Building Your Trust Score

Complete biometric liveness verification and begin your trust journey. Add signals over time to raise your ceiling and unlock higher trust tiers across the internet.
