Identity Verification for Voting: Options Compared
- Mor Machluf
- Feb 1
- 9 min read
Identity verification is the unglamorous part of digital democracy, and it is also the part that can quietly decide whether people trust the outcome.
If you want continuous direct democracy (the core promise of JustSocial’s manifesto), you need participation that is frequent, convenient, and inclusive. But you also need eligibility rules that are enforceable, resistant to manipulation, and respectful of privacy. Identity verification for voting sits right at that intersection.
This guide compares the main identity verification options used in voting and civic participation platforms, explains where each option fits, and highlights the design patterns that keep systems both legitimate and liberty-preserving.
What “identity verification for voting” needs to achieve
In civic tech, people often say “identity” when they mean different things. Separating these goals helps you choose the lightest, safest option that still protects legitimacy.
Eligibility: Is this person allowed to vote in this decision (resident, member, age, district)?
Uniqueness: Is it “one person, one vote” (or one household, one membership, one verified account)?
Authentication: When someone returns later, can they securely prove they are the same person?
Privacy and ballot secrecy: Can the system prove eligibility without exposing political choices?
Inclusion and accessibility: Can people participate without expensive devices, perfect documents, or advanced technical skills?
JustSocial’s manifesto argues for participation that is both consequential and continuous, supported by modern institutions and technology, not one-off “engagement theater.” Identity is part of that civic infrastructure. If it is too weak, legitimacy collapses. If it is too invasive, participation collapses.
Start with stakes, not tech
The “right” identity method depends less on what is technically possible and more on what the vote will do.
Low stakes (pulse surveys, agenda ranking, advisory input): prioritize inclusion and speed.
Medium stakes (participatory budgeting, formal consultations with published outcomes): prioritize uniqueness, anti-duplication, and auditable procedures.
High stakes (binding referendums, statutory elections): require strong assurance, independent oversight, and often offline components.
A useful framing comes from the language of digital identity assurance. The NIST Digital Identity Guidelines (SP 800-63) separate “identity proofing” (how you establish someone’s identity) from “authentication” (how they log in later). That separation maps well to voting systems where ballot secrecy is non-negotiable.
Threats identity verification is trying to stop
Identity controls should be proportional to the threats you actually face.
Duplicate voting (one person casting multiple ballots)
Ineligible voting (non-residents, non-members, wrong district)
Impersonation (stolen credentials, account takeovers)
Sybil attacks (mass fake accounts to flood participation)
Coercion (someone forced to vote a certain way, especially in remote voting)
Some threats are technical, others are social and operational. JustSocial’s broader vision, including radical transparency and verifiable civic processes (for example, a “public Git of laws” in the manifesto), implies that legitimacy must be built from clear rules, auditable artifacts, and accountable governance, not from “trust us” vendor claims.
Identity verification options compared
Below are the most common approaches, from simplest to most sophisticated. In practice, many systems combine two methods.
Option | How it works | Strengths | Key tradeoffs | Best fit |
In-person verification | Staff verifies ID/eligibility at a desk or kiosk, then issues access (paper ballot, token, or account) | High confidence, good fraud resistance | Costly, less convenient, can exclude mobility-limited voters | High-stakes votes, hybrid models |
Voter roll or membership list login | Invite-only accounts based on an existing registry | Cheap and fast if registry is accurate | Registry errors become disenfranchisement, weak against credential sharing | Member org votes, neighborhoods with solid registries |
Mailed code (PIN) to address on file | Send one-time PIN to postal address, voter uses it online | Strong link to residency, reduces mass bot attacks | Slow, postal failures, household interception risk | Participatory budgeting, local referendums (often advisory) |
Email/SMS OTP only | Verify via phone number or email one-time code | Very low friction | Weak uniqueness (multiple numbers), SIM swap risk, easy to scale fraud | Low-stakes input and onboarding |
Government eID / national digital identity | Use state-issued digital credentials (ID card, app, mobile ID) | High assurance, scalable, often standardized | Not available everywhere, adoption gaps, political concerns about centralization | Countries/regions with mature eID systems |
Bank/telecom identity (federated login) | Authenticate through a trusted provider (bank, telco, identity network) | Good usability, can be high assurance | Excludes unbanked, provider lock-in, privacy and data-sharing questions | Medium stakes, where legally and ethically acceptable |
Remote KYC (ID scan + selfie) | User submits document images and liveness selfie, vendor verifies | Stronger than email/SMS, works without national eID | Privacy-sensitive data collection, bias/false rejects, vendor risk | Medium stakes, membership validation |
Biometrics (face/fingerprint) as a factor | Biometric used for login or re-authentication | Convenience, reduces password reuse | High privacy risk, hard to revoke, false matches and bias concerns | Usually as a secondary factor, not standalone |
Community attestation / web-of-trust | Trusted community members vouch for eligibility | Inclusive when IDs are lacking | Can be captured by local power, needs strong governance | Grassroots orgs, some community processes |
Privacy-preserving credentials | Prove eligibility (age/residency/membership) without revealing identity (for example, anonymous credentials) | Strong privacy, supports secret ballots | More complex, harder procurement, requires mature governance | Higher-stakes digital participation where privacy is central |
1) In-person verification (the baseline for high assurance)
In-person checks remain the simplest way to achieve high confidence because they rely on human verification, physical documents, and controlled environments.
Where it gets interesting for digital democracy is hybridization: you can verify in person once, then issue a long-lived credential (or a set of one-time voting tokens) so that future participation can be online.
That approach supports the manifesto’s “continuous” participation goal without pretending that every high-assurance step must be purely remote.
2) Registry-based eligibility (voter roll or membership list)
If you already have a high-quality registry (membership list, municipal resident file, student roster), you can pre-provision eligible accounts.
This is operationally attractive, but it shifts the main risk to registry governance:
How are errors corrected?
Is there an appeals process?
How are people added and removed, and who can change records?
Those questions are not “implementation details.” They are democratic design. A continuous democracy model needs legitimacy not just at vote time, but across the lifecycle, including updates, audits, and dispute resolution.
3) Mailed PIN codes (strong for locality and anti-bot)
A mailed code is underrated. It is slow, but it ties eligibility to an address on file and blocks most mass fake-account attacks.
It also has clear failure modes that can be managed with transparent processes: replacement codes, help desks, published timelines, and auditable counts of issued and redeemed codes (without linking codes to votes).
For many municipalities, mailed codes are a practical “middle path” for participatory budgeting and local consultations where you want better integrity than SMS, but you are not running a national election.
4) Government eID (when the state has done the hard work)
In places with mature national digital identity systems, government eID can deliver both usability and strong assurance, at scale.
But eID is not just a technical integration. It is a political and social contract. If parts of the population do not have it, do not trust it, or cannot use it, then eID-only participation can undermine inclusion.
A JustSocial-aligned approach is to treat eID as one strong option in a multi-path system, while still enforcing the same democratic guarantees and publishing the same transparency artifacts.
5) Remote KYC (powerful, but sensitive)
Remote KYC typically means scanning an ID document and capturing a selfie with liveness detection. It can achieve good assurance for uniqueness and eligibility, especially in membership settings.
The tradeoffs are serious:
Data minimization: you are collecting highly sensitive personal data.
False rejects: some legitimate users will fail automated checks.
Vendor governance: who stores the data, for how long, and under what audit rights?
If you use remote KYC, the legitimacy question becomes: can the system prove it is not excluding people unfairly, and can it prove it is not building an unnecessary surveillance asset?
6) Biometrics (use carefully, and usually not as “identity”)
Biometrics can help with authentication (logging back into an already-verified account), but as a primary identity method it raises hard issues: irreversibility, bias, and chilling effects.
For civic participation, the strongest pattern is to avoid using biometrics as the core of eligibility. If used at all, it should be optional, secondary, and governed with strict retention limits.
7) Privacy-preserving credentials (best aligned with secret ballots)
The ideal voting identity system can say, “this voter is eligible and has not voted yet,” while revealing nothing else.
That is exactly what privacy-preserving credential approaches aim to do, for example with anonymous credentials and related cryptographic designs. These systems are more complex to implement and procure, but conceptually they fit a manifesto-level goal: participation at scale without turning democracy into mass identity surveillance.
A practical decision guide (what to choose by use case)
Instead of searching for a single “best” identity method, choose the simplest approach that meets your legitimacy requirements.
Use case | What matters most | Commonly workable approach |
Community agenda ranking (advisory) | Inclusion and speed | Email/SMS OTP, plus anti-spam and rate limits |
Member organization votes | Uniqueness, eligibility, manageable appeals | Membership list + MFA, or remote KYC for joining |
Participatory budgeting (city) | Residency, anti-duplication, auditability | Mailed PIN, or in-person verification plus online tokens |
Binding referendum (high stakes) | Secrecy, coercion resistance, independent audits | Often hybrid with in-person steps, strong credentials, heavy oversight |
If you are designing an online referendum process, it also helps to treat identity as one chapter of a published “referendum pack” (rules, timelines, audits, dispute handling), similar to the approach described in JustSocial’s own process guidance on transparent online decision-making.
Design patterns that protect both legitimacy and liberty
These patterns show up repeatedly in systems that take trust seriously.
Separate identity proofing from ballot casting
A common mistake is to let the voting system itself hold full identity records.
A stronger model is:
verify eligibility
issue a voting credential or token
cast vote using the token
publish audits that prove counts and eligibility checks without exposing identities
This separation supports ballot secrecy and reduces the damage if any one system is compromised.
Make inclusion a first-class requirement (not a footnote)
Continuous democracy fails if only the digitally fluent can participate. Whatever identity method you choose, it should include:
an accessible help path
alternatives for people without smartphones or stable internet
a documented appeals process
In procurement terms, this should be a contractual deliverable, not an aspiration.
Treat transparency as infrastructure
JustSocial’s manifesto emphasizes modernizing civic institutions with technology and verifiable public processes. For identity verification, “radical transparency” does not mean publishing personal data. It means publishing the rules and the proofs:
eligibility rules, data retention, and who can access what
audit procedures and independent oversight roles
statistics on failure rates and appeals outcomes (aggregated)
Don’t ignore the human layer: impersonation and confusion
Not all identity risk is cryptography. It is also social engineering.
If your participation process includes public profiles (for deliberation, proposal sponsorship, or representative delegation), recognizable identity signals can reduce confusion and impersonation. Even simple operational hygiene helps, like using consistent avatars and banners across channels. A tool like profile picture previews for social platforms can help organizers verify how a civic account’s identity markers will appear before publishing.
How this connects to JustSocial’s manifesto
The manifesto’s core argument is that industrial-era institutions are misaligned with today’s speed, complexity, and citizen expectations, and that technology can help build a new civic operating system.
Identity verification is one of the places where that philosophy becomes concrete:
Continuous participation needs scalable identity: you cannot run “ongoing public social voting” without a defensible notion of eligible participation.
Public trust requires auditable processes: the manifesto’s emphasis on transparency (including ideas like a public, inspectable body of law and civic analytics) implies that identity systems must be governable and reviewable, not black boxes.
Education and civic literacy matter: identity systems should be explainable. If citizens cannot understand the rules, they cannot meaningfully consent to them.
In other words, identity verification is not merely a security feature. It is part of the democratic social contract.
Frequently Asked Questions
Is identity verification the same as ballot secrecy? No. Identity verification establishes eligibility and uniqueness. Ballot secrecy ensures no one can link a voter to their choices. Strong systems separate these functions.
Is SMS verification enough for online voting? For low-stakes input, SMS can be acceptable as a convenience factor. For higher-stakes decisions, SMS alone is usually too weak due to SIM swap risk, multiple numbers per person, and scalability of fraud.
What is the most privacy-preserving option? Privacy-preserving credentials (for example, anonymous credential approaches) are designed to prove eligibility without revealing identity. They are more complex, but they align well with secret-ballot requirements.
Can remote KYC exclude legitimate voters? Yes. Automated document and selfie checks can fail for lighting, device quality, name mismatches, disability-related factors, or bias. Any KYC-based system needs a humane fallback and appeals process.
Should high-stakes public elections be fully online? Many security experts warn that remote internet voting increases risks like malware on voters’ devices and coercion. If online components are introduced, they typically require strong safeguards, independent oversight, and often hybrid models.
Build participation people can trust
If your goal is not just “more engagement,” but a system where public input is continuous, consequential, and legitimate, identity verification has to be designed as democratic infrastructure.
To see the broader blueprint and the values behind it, read JustSocial’s manifesto. If you want to help shape or test technology-enabled participation (from direct democracy tools to transparency initiatives and prototypes), explore JustSocial.io and join the movement.
Comments