Verification across the expansive web

A little over a decade ago, everyone was getting used to the idea of having important identities online. Facebook was the main game in town, and friends were suggested based on who you were already friends with. Seeing someone that had the same “mutuals” as you could be used as a decent marker of trust. Those days are gone. Globally, individuals use, on average, 6.8 social platforms on a monthly basis. Greater flexibility in what platforms to use is a good thing, however, it is also important to be confident in who we are communicating with. Verification helps address these challenges, but looks different depending on which platform you are on. This post explains what verification options exist on various platforms and how to set them up for your own profiles.

A note right off the bat, all of these options (with the exception of the Meta options) get better if you have your own domain. Nora Reed has a great post about why having a personal website is a great thing.

Mastodon

On Mastodon, an account can verify that it has control over other websites on the profile page. Once verified, the URL will be displayed with a green checkbox^[1]. You can verify more than one web address.

To verify a website, it just needs to contain a link with a rel=me attribute, and then point back to the account. The link on this website for instance, looks like this:

<link rel="me" href="https://fosstodon.org/@markpitblado" title="@[email protected]">

This approaches verification in a different way. Instead of a server administrator manually checking that you are who you say you are, you prove that the account owner is run by the same people that have control over a website or other popular profile. The most effective thing to link to would be a well-known domain. The Mastodon verification explainer containers real-world examples that you can explore.

Bluesky

Bluesky uses a domain-based verification system. By putting a TXT record on a domain record, you can use your domain as the second part of your handle (after the @). Similar to the Mastodon verification, this works best if you have a domain name that people recognize. While it may seem technically complex, I believe that most users should be able to implement it themselves if they have made any DNS based changes before.

A side effect is that with many users migrating to Bluesky, including some higher profile users migrating from Twitter, they may not have registered a domain previously. If someone is able to register someone’s namesake .com domain (firstnamelastname.com for example), many users may treat it as authoritative^[2]. While Bluesky may act, there is no mechanism for individuals to get a domain just because it contains their name. In some cases, this has even lead to extortion attempts as individuals try to sell domains back to those who didn’t transition fast enough.

Meta platforms (Facebook, Instagram, Threads)

Meta offers a verification program for a “Personal Brand” on Instagram (including Threads) or Facebook. This involves sending a piece of government identification to the company^[3]. There are two ways to go about getting verified:

Meta Verified

This is a paid subscription, currently priced at $14.99 USD per month, however offers a quicker path to verification (Shopify reports a time window of hours to days). The specific requirements can be found in Instagram’s help center; the gist, real name and matching profile picture with MFA enabled. Note that getting verified on Instagram does not verify your Facebook profile (and vice versa).

Be famous

This path isn’t new, if you have a very large following, you don’t need to pay, but can get verified in a similar fashion. If anything, the company will have probably already have been in contact with you for various other things.

X

A hodgepodge of blue, gold, and gray. Verification is meaningless for individuals because there are next to no checks. Waste money, and you get the blue badge.

Chat apps

Both Signal and WhatsApp offer safety number systems that can be used to verify that you are communicating with the person you intend to. A good overview of Signal’s safety number system is contained in the EFF’s Signal Use Guide. For WhatsApp, the protocol is practically identical. These numbers can be verified either in person (easiest) or through a third channel.

Platform agnostic options

A link tree

Linktree is quite well known as a company. Here I am referring to the broader concept of having a single page that lists out various platforms that you are on. With this route, the tree is meant to be authoritative and included in biography sections across platforms. For a great open-source option, consider littlelink.

You can even get a domain with the .link top level domain if you wanted to go this route.

/verify

Another option that is independent of any particular platform is to have a /verify slashpage on your primary domain. Originally implemented by Molly White^[4], this is a page that lists all of the accounts that you currently have. This a great option if you have a lot of presence around the internet, or prefer a lower tech option.

Keyoxide

Keyoxide is a more technical implementation of the above concept, using cryptography. Claims are uploaded to various sites, and then Keyoxide verifies that all of those claims are valid.

For example, in my ORCIDiD biography I have a fingerprint string. This corresponds to a keypair that I have set up, and results in the claim being verified on my Keyoxide profile. As this is geared for more technical readers I won’t ramble too much, but the following may be helpful for anyone interested.

1. You can self-host it. Debatable if this is a worthwhile thing for verifying your own accounts, but can be helpful to serve as a trusted verifier for others.
2. The documentation to get set up is quite good, and can be found here

Conclusion

The web becoming more decentralized is a good thing. Having the ability to migrate more easily between platforms enables users to choose where they would like their digital lives to be. With the exception of the Meta options above, all of the options listed would work just as well with an identity that doesn’t match your “in real life” identity. Be yourself, whoever that may be, while providing trust that it is really you on the other end of an interaction.