HUMΛN
HUMΛN
Community
Security
Security

Why Modified Code Can't Forge Identity

HUMΛN Team··12 min·Technical / Security

The Question People Always Ask

When we explain that HUMΛN Passports are self-hosted—that you can run the entire identity system on your own infrastructure—there's always a moment of pause. Then the question comes:

"But if someone forks your code and modifies it, couldn't they forge identities?"

It's a fair question. In traditional identity systems, the security model relies on a central authority that you must trust. If you control the code, you control the identity, right?

The answer is: No. Not in HUMΛN's architecture.

Here's why cryptographic enforcement, device attestation, and ledger anchoring create a security model where even modified code cannot forge identity.

The Four-Step Verification Chain

HUMΛN's identity verification isn't a single check. It's a chain of four independent verifications, each cryptographically enforced:

flowchart LR Req(["Identity Claim"]) K{"1. Key Possession<br/>Valid signature<br/>against DID?"} D{"2. Device Attestation<br/>Genuine hardware?<br/>Apple / Google / TPM"} L{"3. Ledger Anchoring<br/>DID found on<br/>distributed ledger?"} Del{"4. Delegation Chain<br/>Valid capability<br/>from trusted root?"} OK(["✓ Verified"]) Req --> K K -- valid --> D K -- invalid --> R1(["✗ Invalid signature"]) D -- genuine --> L D -- forged --> R2(["✗ No device proof"]) L -- found --> Del L -- missing --> R3(["✗ Not on ledger"]) Del -- valid --> OK Del -- broken --> R4(["✗ Broken chain"])

1. Key Possession

The foundation is cryptographic key possession. A Passport's identity is anchored to cryptographic keys stored on the user's device. These aren't just any keys—they're generated using secure hardware when available (TPM, Secure Enclave, hardware security modules).

When you create a Passport, the system generates:

  • Auth key: For authentication and session management
  • Attestation key: For signing capability claims and delegations
  • Recovery key: For account recovery (stored separately)

These keys never leave your device in plaintext. They're encrypted at rest using device-specific encryption keys. Even if someone modifies the code to skip validation, they still can't produce a valid signature without access to your private keys.

// Simplified: The signature verification happens cryptographically
const isValid = await crypto.verify(
  passportContainer.signature,
  passportContainer.publicKey,
  passportContainer.data
);

If the signature doesn't match, the identity claim is rejected. No amount of code modification can bypass cryptographic signature verification—it's math, not policy.

2. Device Attestation

The second layer is device attestation. HUMΛN doesn't just verify that you have the keys—it verifies that those keys are bound to a real, attested device.

Device attestation comes in three quality levels:

Self-attestation: The device claims its own properties. This is the baseline—better than nothing, but not cryptographically strong.

Device attestation: The device manufacturer (Apple, Google, Microsoft) provides cryptographic proof of device properties. This proves the device is genuine hardware, not an emulator or virtual machine.

Platform attestation: The operating system or platform provides additional guarantees about the device's security state, boot integrity, and whether it's been compromised.

When a Passport is created, the system captures device attestation data:

interface DeviceAttestation {
  deviceId: string;
  attestationType: 'self' | 'device' | 'platform';
  attestationProof: string; // Cryptographic proof from manufacturer/platform
  deviceProperties: {
    manufacturer: string;
    model: string;
    secureHardware: boolean;
    bootIntegrity: boolean;
  };
}

This attestation is signed by the device manufacturer or platform. Even if someone modifies HUMΛN's code, they can't forge Apple's or Google's attestation signatures. The verification happens against the manufacturer's public keys, not HUMΛN's.

3. Ledger Anchoring

The third layer is ledger anchoring. Every Passport creation, key rotation, and significant identity event is recorded on a distributed ledger (or multiple ledgers for redundancy).

The ledger entry includes:

  • The Passport DID (Decentralized Identifier)
  • The public key fingerprint
  • Device attestation hash
  • Timestamp
  • Cryptographic signature
interface LedgerEntry {
  eventType: 'passport_created' | 'key_rotated' | 'capability_granted';
  passportDid: string;
  publicKeyFingerprint: string;
  deviceAttestationHash: string;
  timestamp: number;
  signature: string; // Signed by the passport's attestation key
}

When someone verifies a Passport, they can check the ledger independently. Even if HUMΛN's servers are compromised or the code is modified, the ledger provides an independent source of truth.

If someone forks the code and tries to create fake Passport entries, those entries won't be on the ledger. Any verifier checking the ledger will see the discrepancy and reject the identity claim.

4. Delegation Chain Verification

The fourth layer is delegation chain verification. In HUMΛN, capabilities aren't granted arbitrarily—they flow through verified delegation chains.

When you request a capability (like "publish to marketplace"), the system verifies:

  1. Do you have a valid Passport? (Key possession check)
  2. Is your device attested? (Device attestation check)
  3. Is your Passport on the ledger? (Ledger anchoring check)
  4. Is there a valid delegation chain granting this capability? (Delegation chain check)

Each delegation in the chain is cryptographically signed. The chain must be unbroken from a trusted root (like HUMΛN's governance tier) down to your Passport.

interface Delegation {
  from: PassportId; // Who granted it
  to: PassportId; // Who received it
  capability: CapabilityId;
  scope: string[];
  signature: string; // Signed by 'from' passport's attestation key
  expiresAt?: number;
}

Even if someone modifies the code to skip delegation checks, they can't forge the signatures in the delegation chain. Each signature must be valid, and the chain must connect to a trusted root.

The Walled Garden Attack: What Happens When Someone Forks

Let's walk through what happens if someone forks HUMΛN's code and tries to create a "walled garden" with forged identities.

Scenario: Malicious Fork

An attacker forks the HUMΛN codebase, modifies it to skip validation, and sets up their own server. They try to create fake Passports and grant themselves capabilities.

What they can do:

  • Modify the code to skip local validation checks
  • Create Passport records in their own database
  • Issue fake capability grants in their system
  • Make their modified client accept these fake identities

What they cannot do:

  • Generate valid cryptographic signatures without the private keys
  • Forge device attestation from Apple, Google, or Microsoft
  • Write entries to the distributed ledger (without valid signatures)
  • Create valid delegation chains from trusted roots

The Isolation Problem

The fork creates an isolated system. Passports created in the fork:

  • Won't have valid signatures (can't access real private keys)
  • Won't have real device attestation (can't forge manufacturer signatures)
  • Won't be on the ledger (can't write without valid signatures)
  • Won't have valid delegation chains (can't forge trusted root signatures)

Anyone verifying these Passports will see:

  • Invalid signatures → Reject
  • Missing or invalid device attestation → Reject
  • Not found on ledger → Reject
  • Invalid delegation chain → Reject

The fork becomes a walled garden that only works within itself. It can't interoperate with the real HUMΛN ecosystem because it can't produce cryptographically valid identity claims.

The Verification Endpoint

HUMΛN provides a compliance endpoint that allows third parties to verify Passport validity:

POST /v1/passports/verify
{
  "passportDid": "did:human:...",
  "publicKey": "...",
  "signature": "...",
  "deviceAttestation": "..."
}

Response:
{
  "valid": boolean,
  "checks": {
    "keyPossession": boolean,
    "deviceAttestation": "self" | "device" | "platform" | "invalid",
    "ledgerAnchored": boolean,
    "delegationChain": boolean
  },
  "warnings": string[]
}

This endpoint performs all four verification steps independently. Even if someone forks the code, they can't make this endpoint return valid: true for forged identities—the cryptographic checks are enforced server-side.

Blast Radius Comparison: Traditional vs HUMΛN

Let's compare what happens when a system is compromised:

Traditional Centralized Identity

Compromise scenario: Attacker gains access to the identity provider's database.

What they can do:

  • Create fake user accounts
  • Grant themselves any permissions
  • Modify existing user permissions
  • Delete audit trails
  • Impersonate any user

Blast radius: Entire system. Every user is at risk. Every capability can be forged. The compromise is total.

HUMΛN Self-Hosted Identity

Compromise scenario: Attacker gains access to a self-hosted HUMΛN instance.

What they can do:

  • Modify local validation logic (but signatures still verified cryptographically)
  • Create fake Passport records in local database (but ledger check will fail)
  • Issue fake capability grants (but delegation chain check will fail)

What they cannot do:

  • Forge cryptographic signatures (requires private keys on user devices)
  • Forge device attestation (requires manufacturer signatures)
  • Write to distributed ledger (requires valid signatures)
  • Create valid delegation chains (requires trusted root signatures)

Blast radius: Isolated to that instance. The compromise doesn't affect:

  • Other self-hosted instances
  • The distributed ledger
  • Device attestation providers
  • Delegation chains from trusted roots

Even if one instance is compromised, verification against the ledger and delegation chains will catch forged identities.

Attestation Quality Levels

Not all device attestation is created equal. HUMΛN recognizes three levels:

Self-Attestation

The device claims its own properties. This is the baseline level—it proves the device exists, but not that it's genuine hardware.

Use case: Development, testing, low-security scenarios.

Limitations: Can be spoofed by emulators or virtual machines.

Device Attestation

The device manufacturer provides cryptographic proof of device properties. This proves the device is genuine hardware from a trusted manufacturer.

Use case: Production deployments, medium-security scenarios.

Limitations: Proves hardware authenticity, but not necessarily that the device hasn't been compromised.

Platform Attestation

The operating system or platform provides additional guarantees about security state, boot integrity, and compromise status.

Use case: High-security scenarios, sensitive capabilities.

Limitations: Requires platform support (iOS, Android, Windows with TPM, etc.).

The verification endpoint returns the attestation quality level, allowing verifiers to make risk-based decisions. A self-attested Passport might be fine for reading public content, but platform attestation might be required for publishing or financial transactions.

Why Open Source Makes This More Secure

This is counterintuitive for many people. "If the code is open source, attackers can find vulnerabilities, right?"

Yes, but they can find vulnerabilities in closed-source code too—they just do it through reverse engineering and black-box testing. The difference is that with open source, everyone can audit the code, not just attackers.

Transparency Builds Trust

When HUMΛN's code is open source:

  • Security researchers can audit it
  • Users can verify what the code actually does
  • Organizations can review it before deployment
  • The community can find and fix vulnerabilities

With closed-source identity systems, you have to trust that:

  • The vendor is honest about what the code does
  • The vendor has done proper security audits
  • The vendor will disclose vulnerabilities promptly
  • The vendor hasn't been compromised

Cryptographic Enforcement vs Policy Enforcement

The key insight is that HUMΛN's security model relies on cryptographic enforcement, not policy enforcement.

Policy enforcement (traditional model):

  • "Trust us, we check identities properly"
  • Code can be modified to skip checks
  • Security depends on correct implementation
  • Vulnerabilities can bypass all security

Cryptographic enforcement (HUMΛN model):

  • "Math checks identities, not code"
  • Code modification can't bypass cryptographic verification
  • Security depends on cryptographic primitives
  • Vulnerabilities are limited to implementation bugs, not fundamental bypasses

Even if someone modifies the code to skip a check, the cryptographic verification still happens:

  • Signatures are verified using standard cryptographic libraries
  • Device attestation is verified against manufacturer public keys
  • Ledger entries are verified against distributed ledger consensus
  • Delegation chains are verified using cryptographic signatures

The security is in the cryptography, not the code.

The Fork Test

Here's a thought experiment: What if HUMΛN itself went rogue? What if we modified our own code to create fake identities?

We couldn't do it either.

Even with full control over our own codebase, we can't:

  • Generate valid signatures without users' private keys
  • Forge device attestation from Apple or Google
  • Write invalid entries to the distributed ledger (other nodes would reject them)
  • Create delegation chains without valid signatures from trusted roots

The security model protects users from HUMΛN itself. Self-hosted doesn't mean "trust HUMΛN"—it means "trust cryptography."

Conclusion: Security Through Cryptography, Not Code

The question "Can modified code forge identity?" reveals a fundamental misunderstanding of HUMΛN's security model.

Traditional identity systems rely on trust in code and policy. HUMΛN relies on trust in cryptography and mathematics.

Even if someone:

  • Forks the codebase
  • Modifies all validation logic
  • Sets up their own servers
  • Creates fake Passport records

They still cannot:

  • Forge cryptographic signatures (requires private keys)
  • Forge device attestation (requires manufacturer signatures)
  • Write to the ledger (requires valid signatures)
  • Create valid delegation chains (requires trusted root signatures)

The security is enforced by cryptography, not by code. Code can be modified, but math cannot be bypassed.

This is why open source makes HUMΛN more secure, not less. Transparency allows everyone to verify that the cryptographic enforcement is correct, while the cryptography itself ensures that even malicious code cannot forge identity.

Self-hosted doesn't mean "trust the code." It means "trust the math."

Code & Docs

ctx.provenance

Agent SDK reference

compliance-auditor

Reference implementation