Mar 21, 2023 - Technology

Inside OpenAI CEO's eye-scanning plan to replace passwords


OpenAI CEO Sam Altman's plan for identity verification is raising serious questions about biometric privacy and the options companies pursue to replace easy-to-guess passwords.

Driving the news: Worldcoin, a crypto project co-founded by Altman, debuted its highly anticipated, years-in-the-making World ID verification program last week. It heavily relies on iris scans as proof of identity.

  • Worldcoin also opened up the waitlist for developers interested in incorporating World ID into their own apps.

Why it matters: As companies increasingly incorporate generative AI into their products, developers are seeking ways to get ahead of the identity theft and online scams that the emerging technology is already fueling.

Zoom out: Founded in 2020, Worldcoin consists of three parts: the ID verification protocol, a soon-to-be-released worldcoin token and a crypto wallet app.

  • Altman and co-founder Alex Blania have set the lofty goal of making worldcoin a universally used cryptocurrency in the developing world — and the pair have long hinted at using the token's infrastructure to distribute future universal basic income programs.
  • While the startup has received polarizing reviews, the company has still caught the eye of big-name investors like Andreessen Horowitz and LinkedIn co-founder Reid Hoffman.

How it works: World ID takes the idea of collecting a user's biometric data to a new — and possibly extreme — level.

  • World ID helps verify someone's identity in one of two ways: by phone number verification or via "the Orb," a battery-powered iris-scanning device available at Worldcoin operator locations.
  • From there, World ID users can choose to add either phone number or Orb verification to their private key identifiers (which are separate from worldcoin crypto wallet key numbers). But app developers who let their users log in via World ID will choose what level of verification they require for their services.
  • Availability of the Orb is "mostly limited" to Argentina, Chile, India, Kenya, Portugal and Spain right now, according to a press release.
  • Users who get their iris scans will receive 25 worldcoin — although it's unclear what value those coins have.

The big picture: Biometrics has become one of developers' go-to replacements for insecure passwords since it's difficult for malicious actors to replicate someone's fingerprint or face.

  • The FIDO Alliance, which sets industry standards for passwordless login tools, even has a certification program to help developers incorporate biometrics safely and securely.

Between the lines: World ID doesn't require any additional personal information, such as someone's name or email address, Tiago Sada, head of product at Worldcoin parent company Tools for Humanity, told Axios.

  • Iris scans are processed in-memory locally on the Orb and then immediately deleted, Worldcoin says. The Orb only outputs a so-called iris code to "numerically represent the texture of an iris."
  • If a user chooses to verify through the Orb, they'll show a QR code containing a "hashed version" of their World ID private key number, Sada said. The Orb then takes that hashed ID code and "puts it together with your verification, and it signs it," he added.

Yes, but: Collecting biometric data, even if it isn't saved, is still a risky business, privacy and surveillance experts warn.

  • Edward Snowden, an NSA whistleblower and privacy advocate, raised concerns about Worldcoin's ID plans back in October 2021.
