Bitcoin Forum
Author Topic: Proof of Humanity, anti Sybil solutions?  (Read 70 times)
linenoise (OP)
Sr. Member
****
Offline Offline

Activity: 314
Merit: 290


View Profile WWW
December 22, 2025, 09:11:03 PM
 #1

Anyone have good advice on proof of humanity, anti sybil solution that doesn't require costs to the end user, and is inexpensive for the dev?

I'm developing a web3 service and want unique humans and not lots of bots. The service has airdrop-like qualities of getting things for free which means it's a prime target for attackers. Heck, I've done crypto faucets and even captcha wasn't enough to stop bots from going after no value crypto.
Hence I'm seeking good, cheap or free, methods for keeping bots out of a web3 service.

Gitcoin passport is good in theory, in practice having users pay $ as part of verifying ID is a blocker.

I'm leaning towards faceio for the digital fingerprinting of a face, but I'd prefer a full crypto solution

noorman0
Hero Member
*****
Offline Offline

Activity: 1862
Merit: 786


[Nope]No hype delivers more than hope


View Profile WWW
December 23, 2025, 02:35:53 AM
 #2

-snip-
Gitcoin passport is good in theory, in practice having users pay $ as part of verifying ID is a blocker.

A blocker for whom?
I don't know how the platform works. If your conclusion says it's good, then apply it. I think it's just the way it actually works.
The hard truth is that the Web3 community isn't as big as you think without Sybil accounts. Cheating airdrop is a practice that has been going on since the Ethereum ecosystem was developed, creating false hype, and it's what keeps many new projects from lasting long.

linenoise (OP)
Sr. Member
****
Offline Offline

Activity: 314
Merit: 290


View Profile WWW
December 23, 2025, 04:51:14 AM
 #3

-snip-
Gitcoin passport is good in theory, in practice having users pay $ as part of verifying ID is a blocker.

A blocker for whom?
With gitcoin there are a number of potential ways to add to your score to qualify as a person, some methods have fees of $5. As most people would need multiple fees this would stop many crypto and non crypto people from trying a random web3 service.

I agree with you that web3 is still a growing userbase.


ABCbits
Legendary
*
Offline Offline

Activity: 3458
Merit: 9509



View Profile
December 23, 2025, 08:23:14 AM
 #4

The service has airdrop-like qualities of getting things for free which means it's a prime target for attackers. Heck, I've done crypto faucets and even captcha wasn't enough to stop bots from going after no value crypto.

Out of curiosity, does that happen when you set the captcha to maximum security/difficulty? In the past, I visited a website with high/maximum difficulty hCAPTCHA where it took a few minutes to solve it.

noorman0
Hero Member
*****
Offline Offline

Activity: 1862
Merit: 786


[Nope]No hype delivers more than hope


View Profile WWW
Today at 02:35:31 AM
 #5

With gitcoin there are a number of potential ways to add to your score to qualify as a person, some methods have fees of $5. As most people would need multiple fees this would stop many crypto and non crypto people from trying a random web3 service.
It sounds like it's even effective in suppressing the number of Sybil accounts, which is great if you're hoping for as much organic community engagement as possible; or if you're actually willing to tolerate a certain amount of cheating, I don't know. In any case, you should be providing more convincing reports on your project's progress to your community.


-snip-
I agree with you that web3 is still a growing userbase.
I think you're misunderstanding. My point is that without Sybil accounts, community engagement on Web3 projects wouldn't be as spectacular as the statistics suggest.

d5000
Legendary
*
Offline Offline

Activity: 4508
Merit: 10031


Decentralization Maximalist


View Profile
Today at 06:23:52 AM
Merited by ABCbits (2)
 #6

I fear there is no perfect "full crypto" system for that, so your easiest bet may be to just go with faceio or similar methods. But I just read this thread having previously discussed a related problem in this thread about a Universal Basic Income on blockchain (basically a continuous airdrop each month or so), and maybe some of the following "proof of humanity" methods which were mentioned there may be interesting.

- Bitpeople - that would be a "full crypto solution" where users verify each other via videochat without a central party/verifier, but it seems to be in a very early state of development, so the dev costs would be very high. And the users would have to verify each other each month, so while there is no "cost" for them, they need to take 15 min of time. In addition, I have some doubts about the implications of AI video technology.
- Resilience, a protocol based on ideas similar to the original Ripple, where users need trust from other users to get airdrops. However, it seems to be only sybil proof at very high transaction rates and is also only a prototype.
- explore existing "UBI coin" systems like Circles UBI, which also is based on the Ripple method; according to one user in the above thread it is inferior to Resilience but it actually already exists.
- perhaps explore early Ripple too.

One idea I also find interesting, but which is very different, is to let users verify each other by sending a very small amount to a bank account in their name, and let them hash the bank data (Bisq does this). Do that two times with 2-week or 4-week distance to prevent someone using stolen accounts. Perhaps you can even use Bisq accounts as PoH, i.e. you have to trade twice on Bisq for full PoH? However it would not be really PoH but "proof of unique bank account".
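
A sketch of the "proof of unique bank account" idea from the post above, added here as an example; it is not code from the post or from Bisq. The key, the class and function names, and the sample data are assumptions; the 14-day gap is the post's 2-week distance.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumption: a server-side secret. Bank identifiers are low-entropy, so a
# plain unkeyed hash could be brute-forced back to the account number.
SERVER_KEY = b"constructed-demo-key"
MIN_GAP = timedelta(days=14)  # the post's 2-week distance between payments


def account_tag(iban: str, holder: str) -> str:
    """Keyed hash of normalized bank data; raw IBAN and name are never stored."""
    norm = iban.replace(" ", "").upper() + "|" + " ".join(holder.lower().split())
    return hmac.new(SERVER_KEY, norm.encode(), hashlib.sha256).hexdigest()


class BankAccountRegistry:
    def __init__(self):
        self._owner = {}      # tag -> user id that first claimed the account
        self._confirmed = {}  # tag -> times of accepted micro-payments

    def confirm_payment(self, user: str, iban: str, holder: str,
                        when: datetime) -> str:
        tag = account_tag(iban, holder)
        # One bank account can back only one identity.
        if self._owner.setdefault(tag, user) != user:
            return "rejected: account already bound to another user"
        times = self._confirmed.setdefault(tag, [])
        # The second confirmation must come at least MIN_GAP after the first.
        if times and when - times[0] < MIN_GAP:
            return "pending: second payment too soon"
        times.append(when)
        return "verified" if len(times) >= 2 else "pending: first payment confirmed"
```
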

Dimitri.V.PSN
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
Today at 10:48:03 AM
 #7

Anyone have good advice on proof of humanity, anti sybil solution that doesn't require costs to the end user, and is inexpensive for the dev?

I'm developing a web3 service and want unique humans and not lots of bots. The service has airdrop-like qualities of getting things for free which means it's a prime target for attackers. Heck, I've done crypto faucets and even captcha wasn't enough to stop bots from going after no value crypto.
Hence I'm seeking good, cheap or free, methods for keeping bots out of a web3 service.

Gitcoin passport is good in theory, in practice having users pay $ as part of verifying ID is a blocker.

I'm leaning towards faceio for the digital fingerprinting of a face, but I'd prefer a full crypto solution


You've hit on one of the hardest problems in web3 — Sybil resistance without user friction or dev expense.
Captcha? Useless.
Email/phone? Trivial to farm.
Paid attestations (e.g., Gitcoin Passport tiers)? Kill conversion.

🔍 Reality check:
There’s no perfect free+zero-friction+100%-secure solution — it’s always a trade-off triangle:
🔹 Security (anti-bot strength)
🔹 UX (user effort/cost)
🔹 Cost (to dev & infra)

That said — here are 3 practical, low-cost strategies (ranked by effort vs. effectiveness):

✅ 1. Progressive Friction + Behavioral ZK Proofs (Best balance)
→ Ask for minimal effort only when suspicious:

Passive biometrics (mouse/typing rhythm, device entropy) → generate a ZK proof of human-like interaction
Optional face liveness only if anomaly detected (e.g., 5 rapid sign-ups from same IP subnet)
→ No gas, no $ for users — just client-side proofs.
We built exactly this for open-source projects: HumanID.dev —

🔒 ZK-SNARKs verify “human-like behavior” without exposing PII
🌐 Fully client-side (runs in-browser, no camera unless triggered)
💸 Free for ≤10k verifications/mo (scales to $0.001/verify after)
🧪 Integrates in <15 lines of JS — https://cutt.ly/QtdlHjOW

✅ 2. Social Graph + Light Staking
→ Require a reputation-bound action:

Follow + retweet from a moderately aged Twitter/X account (≥30 days, ≥10 followers)
Or sign a message from a wallet with ≥30-day history + non-dust balance
→ Not perfect — but raises bot cost dramatically.
→ Bonus: Use Farcaster frames for in-app opt-in (low friction, high signal).

⚠️ 3. FaceIO / Liveness APIs (High UX cost, medium security)
They work, but:

❌ Privacy concerns (face = PII, GDPR/CCPA risk)
❌ ~$0.10–$0.50/verify → adds up fast
❌ Mobile web support is spotty
→ Only recommend if KYC-like compliance is required.

🔑 Pro tip:
Combine layers:
1️⃣ Passive behavioral ZK check (free, invisible)
2️⃣ If score < threshold → optional Twitter/Farcaster attestation
3️⃣ If still suspicious → optional face liveness (user chooses)

This keeps >90% of legit users in the “zero friction” path — while making bot farming economically irrational.

We open-sourced our detection model weights & threat intel feed → happy to share if you’re building in public 🙌
👉 Try the no-signup sandbox: https://cutt.ly/QtdlHjOW

Let me know your threat model — I’ll suggest a tailored stack!
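
The layered escalation described in the post above, sketched server-side as an added example; it is not code from the post or from any product it mentions. The thresholds of 5 sign-ups per subnet and 30 days of wallet history are the post's; the 10-minute window, the dust limit, the /24 and /64 grouping and the decision table are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_S = 600          # assumption: "rapid" means within 10 minutes
SUBNET_LIMIT = 5        # the post's "5 rapid sign-ups from same IP subnet"
MIN_WALLET_AGE_D = 30   # the post's ">=30-day history"
DUST_WEI = 10**15       # assumption: smaller balances count as dust


class FrictionPolicy:
    """Picks the lowest-friction check that the observed signals allow."""

    def __init__(self):
        self._recent = defaultdict(deque)  # subnet -> recent sign-up times

    def subnet(self, ip: str) -> str:
        # Group IPv4 by /24 and IPv6 by /64 (assumed granularity).
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def decide(self, ip: str, now: float, wallet_age_days: int,
               balance_wei: int) -> str:
        q = self._recent[self.subnet(ip)]
        while q and now - q[0] > WINDOW_S:   # drop sign-ups outside the window
            q.popleft()
        q.append(now)
        burst = len(q) >= SUBNET_LIMIT
        aged = wallet_age_days >= MIN_WALLET_AGE_D and balance_wei >= DUST_WEI
        if not burst:
            return "allow" if aged else "social_attestation"
        # A burst from one subnet raises the required check by one level.
        return "social_attestation" if aged else "liveness_check"
```
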