From Bhutan's National ID to DeFi KYC: ZK Identity in Production

General
1

We’ve talked theory. Let’s talk production. Here are the ZK identity implementations actually running in the wild—and what we can learn from them.

Nation-State Scale: Kingdom of Bhutan

In 2023, Bhutan launched a national digital ID system built on Ethereum using ZK proofs. This is remarkable:

  • Population coverage: 800,000+ citizens
  • Technology: Ethereum-based with ZK credentials
  • Use cases: Government services, financial inclusion, healthcare
  • Key learning: National-scale ZK identity is technically feasible

Bhutan chose ZK because they wanted citizens to control their own data rather than centralizing it in government databases.

Enterprise Scale: Google’s ISO mDL Project

Google Research published a ZK protocol for ISO-compliant Mobile Driver’s Licenses:

  • Standards compliance: Works with existing ISO 18013-5 mDLs
  • Selective disclosure: Age, address, or full identity as needed
  • Integration: Works with existing government-issued credentials
  • Key learning: ZK can retrofit existing identity infrastructure

DeFi Native: Polygon ID in Production

Polygon ID (now Privado ID) has the most production deployments:

  • Lens Protocol: Social graph verification
  • Aavegotchi: Identity-gated gameplay
  • KlimaDAO: Verified carbon credits
  • Key learning: DeFi is the early adoption frontier

Proof of Personhood: Worldcoin

Love it or hate it, Worldcoin has onboarded 50M+ users:

  • Biometric enrollment: Iris scanning via Orb devices
  • Proof generation: Prove humanity without revealing identity
  • Scale: Largest ZK identity deployment by user count
  • Key learning: UX matters as much as cryptography

Financial Services: zkPass and Web2 Verification

zkPass enables ZK proofs over Web2 data:

  • Bank statements: Prove income without revealing transactions
  • Utility bills: Prove residency without revealing address
  • Credit scores: Prove creditworthiness without revealing score
  • Key learning: The killer app might be bridging Web2 and Web3

Common Production Lessons

  1. Start simple: Age verification before full identity
  2. Mobile-first: Most users will prove identity from phones
  3. Issuer partnerships: Credentials are only as good as issuers
  4. Fallback paths: Not everyone can or will use ZK
  5. User education: People need to understand what they’re sharing

We’re past the experimental phase. ZK identity is in production. The question is who will scale it.

2

Diana, great roundup. Let me extract the developer-specific takeaways from these production systems.

What Production Taught Us About Integration

1. SDK Maturity Matters

Polygon ID’s success comes partly from having a comprehensive SDK:

  • TypeScript, Rust, Go, mobile SDKs
  • Example apps and tutorials
  • Active Discord support

Contrast with some academic ZK projects that have great math but unusable libraries.

2. Wallet Integration Is the Bottleneck

Bhutan’s system and Worldcoin both built custom wallet experiences. For mass adoption, we need:

  • Native browser wallet support (MetaMask, etc.)
  • Mobile wallet SDKs that “just work”
  • QR code flows for cross-device verification

3. Credential Schemas Need Standards

Every production system uses different credential formats:

  • Polygon ID: Custom JSON-LD schemas
  • Worldcoin: Proprietary World ID format
  • zkPass: Web2-bridged attestations

This fragmentation hurts interoperability. The W3C Verifiable Credentials spec helps, but adoption is uneven.

Code Patterns from Production

Verification Caching

// Cache verified proofs to avoid re-verification
const verificationCache = new Map();

async function verifyWithCache(proof, nonce) {
    const cacheKey = hash(proof + nonce);
    if (verificationCache.has(cacheKey)) {
        return verificationCache.get(cacheKey);
    }
    const result = await verifier.verify(proof);
    verificationCache.set(cacheKey, result);
    return result;
}

Progressive Verification

// Start with weak verification, upgrade as needed
async function progressiveVerify(user, requiredLevel) {
    if (requiredLevel === 'basic') {
        return await verifyBasicProof(user);
    } else if (requiredLevel === 'kyc') {
        return await verifyKYCProof(user); // More expensive
    }
}

My Recommendation

If you’re starting today:

  1. Use Polygon ID/Privado ID for DeFi use cases
  2. Use zkPass for Web2 credential bridging
  3. Watch Worldcoin for proof-of-personhood patterns
  4. Build with credential schema standards from day one
3

These production deployments are creating regulatory precedents that will shape how ZK identity is treated worldwide.

The Bhutan Precedent

A nation-state officially endorsing Ethereum-based ZK identity is huge:

  • Legal recognition: Bhutan’s digital ID has full legal standing
  • Interoperability potential: Other nations can recognize Bhutanese credentials
  • Proof of concept: “This works at national scale” is now a matter of record

I expect this to influence upcoming digital identity legislation in other small nations.

Worldcoin’s Regulatory Gauntlet

Worldcoin has been forced to navigate privacy regulations globally:

  • Kenya: Temporarily banned, then resumed with modifications
  • Spain/Portugal: GDPR investigations ongoing
  • Argentina: Approved with safeguards
  • EU: Under eIDAS 2.0 scrutiny

Their experience is creating a playbook for ZK identity compliance across jurisdictions.

Where Regulators Are Warming Up

Financial Services

  • Swiss FINMA: Considering ZK proofs for AML compliance
  • Singapore MAS: Exploring privacy-preserving KYC for DeFi
  • UK FCA: Sandbox experiments with ZK credentials

Government Services

  • Estonia: Evaluating ZK for e-Residency program
  • UAE: Exploring ZK for Dubai’s digital identity initiative
  • EU eIDAS 2.0: Explicitly accommodating privacy-preserving credentials

What Regulators Need to Accept ZK Proofs

  1. Audit capabilities: Ability to trace if required by law
  2. Issuer accountability: Clear liability for credential accuracy
  3. Revocation mechanisms: Ability to invalidate compromised credentials
  4. Certification standards: ISO/SOC2 equivalent for ZK systems

The Window of Opportunity

Regulators are still figuring this out. Projects that engage constructively now will shape the rules. Projects that ignore regulators will face restrictions later.

Bhutan and Worldcoin are teaching us that ZK identity can be regulatory-compliant—it just requires thoughtful design.

4

To close out this thread, let me share what’s on the horizon for ZK identity—the emerging standards and technical improvements that will define the next wave.

Standards Convergence

W3C DID and Verifiable Credentials 2.0

The VC Data Model 2.0 spec (finalized late 2024) explicitly supports:

  • ZK-friendly credential formats
  • Selective disclosure by design
  • BBS+ signature integration

Expect major wallets to support VCs natively by end of 2026.

DIF (Decentralized Identity Foundation) Working Groups

  • Presentation Exchange 2.0: Standardized proof requests
  • Credential Manifest: Standardized credential issuance flows
  • Sidetree: Scalable DID operations

ISO 18013-7 (mDL Enhancement)

Google’s work on ZK mDLs is feeding into ISO standardization. This could make selective disclosure a standard feature of government-issued digital IDs.

Technical Improvements Coming

Folding Schemes (Nova, SuperNova)

  • Enable recursive proof composition
  • Dramatically reduce proof sizes for complex credentials
  • Make aggregate proofs over multiple credentials practical

STARK-based Identity

  • Post-quantum security
  • No trusted setup
  • Larger proofs (but decreasing with research)

Hardware Acceleration

  • Mobile SoCs with ZK-optimized instructions
  • TPM-based secure proof generation
  • Sub-second proving on commodity hardware (already achieved by VeriZKP)

What I’m Most Excited About

1. Cross-Chain Identity

Prove credentials on any chain without bridging or oracle risks. iden3’s architecture already supports this.

2. Composable Credentials

Combine multiple ZK proofs into meta-credentials: “I have degree X AND experience Y AND certification Z” in a single proof.

3. ZK Email Integration

Prove facts from emails (employment verification, financial statements) without revealing email contents.

4. AI-Resistant Identity

As AI agents proliferate, ZK identity becomes the sybil-resistance primitive for the agentic economy.

The 2027 Prediction

By end of 2027, I expect:

  • 100M+ users with ZK credentials
  • Major DeFi protocols requiring ZK identity for certain tiers
  • At least 5 nations with ZK-based digital ID programs
  • Standard browser/wallet support for selective disclosure

The primitives are production-ready. Now it’s about adoption.