Fraud is an economic
problem, not a tech one.

The problem

Detection is solved. Enforcement isn't.

Fraud and abuse are economic problems, not detection problems. Trust & safety teams have had good signal for years — device fingerprints, velocity, behavior. What they lack is a durable consequence. A ban is only as strong as the cost of the next account, and that cost is close to zero: a fresh email, a new SIM, a residential proxy. Detection without enforcement is theater.

The most expensive thing for an attacker to rotate is a real, verified identity. Lemma roots an account-level identifier in a person, so a blocked user can't mint a clean new identity by swapping cheap infrastructure. We don't try to make a new identity impossible — we make it cost real money, which is enough to break the economics of most abuse.

And it does this without the centralized surveillance trade-off. Government digital ID, federated SSO, and on-chain identity all create a new correlation point — who you are, when you presented your ID, and where you used it. Lemma keeps sites seeing only site-private pseudonymous IDs, never one global identifier. The web has been stuck between "no real accountability" and "centralized identity surveillance" — Lemma is the enforcement layer that needs neither.

The thesis

Make digital ID work the way
physical ID works

A driver's license works because it's verified locally. When you show your license at a bar, the bar checks the holograms, photo, and signature on the spot. The DMV doesn't get a notification. The license sits in your wallet — you carry it, you decide when and where to present it.

Lemma applies that model to the web. A user verifies once with an IDV provider. Lemma issues a signed verified-human credential. The credential lives in the user's browser wallet, and sites can validate site-bound proofs locally with Ed25519 signatures, site-private PPIDs, and cached revocation data. Because that proof is rooted in a verified person, a site can block an abuser and require fresh verification to return — and the same human can't rotate around it with a new email or device.

Lemma is not pretending the control plane disappears. Issuance, revocation, recovery, and first-time site proof setup still need infrastructure. The privacy win is narrower and practical: routine access decisions do not need a live callback to the original IDV provider, and credentials do not carry one stable cross-site identifier.

Founder

Why we're building this

Jed McKenna

Founder & CEO

Lemma started from a simple observation on the attacker side: modern scalping bots treat CAPTCHA as a cost of doing business — commercial solving services often price well under a cent per challenge.¹ The puzzles slow down humans, while determined attackers route around them with automation, cheap solving labor, and account farms. Humanness cannot depend on puzzle-solving alone.

The other thing that became obvious in parallel: many proposed solutions create a new place to watch identity use across the web. Centralized digital ID, federated SSO with broad visibility, on-chain identity that broadcasts interactions — none of these are the right default for ordinary websites. The better direction is closer to a driver's license: issued by a trusted party, carried by the user, checked at the point of use.

Lemma is what I wished existed back then — a verification layer that works for sites without forcing them to become identity stores, and works for users without forcing them into a centralized identity database.

Where we're headed

Identity rails for the open web

The next decade of the web needs identity infrastructure that is harder for AI-driven abuse to farm, more private than centralized account-provider callbacks, and lighter-weight than asking every website to become a regulated KYC operator. None of the existing defaults check all three boxes.

Lemma is building those rails. The goal is for "verified human" to mean the same thing across the web, the way "EMV chip card" means the same thing across payment processors — a neutral, multi-issuer, locally-verified standard.

Didit is the production IDV rail. Lemma issues the reusable verified-human credential and provides the wallet, SDK, and revocation infrastructure around it. Sites that need human-grade signal can add the SDK without storing identity documents themselves. Users carry one verification across the web, while relying sites see site-private proofs instead of a reusable global identity.

Verify yourself

Get a verified-human credential and present site-private proofs across lemma.id-enabled sites.

Get verified

Add lemma.id to your site

Hosted SDK integration. Add a stronger human signal without running your own KYC stack.

View docs

Become an issuer

IDV providers: distribute your product across consumer-web verticals your enterprise sales motion can't reach.

For IDV issuers