Show HN: Humanmark verifies your users are human using hardware attestation
Note on trying it: The demo requires installing our free app from the App Store or Play Store.
Backstory: We were toying around with building an online service that was human-only and saw that existing off-the-shelf verification methods can't enforce this to any reasonable degree. CAPTCHAs are easily solved by automation, AI can trick behavioral analysis, and agents self-identify as human. The existing tools are OK at preventing bad bots from bringing down your service, but not so much at differentiating between good bots and humans. We prototyped a hardware-based approach and thought it could be widely useful, especially now that the required hardware is ubiquitous.
How the flow works:
1. Your backend creates a challenge with our API
2. Your frontend loads our SDK with that challenge
3. SDK shows a QR code on desktop or button on mobile
4. User scans the QR or taps the button to open our app
5. User authenticates with fingerprint/face/passcode
6. App generates hardware-attested proof of user presence
7. Our backend processes and verifies the proof, forwards a verification receipt to the SDK
8. SDK returns the receipt to your frontend
9. Your frontend uses the receipt to authorize the action however it makes sense
There are no user accounts and zero persistence of user data (sensitive or not) across verifications.
So far we've built our Rust backend, native iOS/Android apps, TypeScript/JavaScript SDK, user- and dev-facing websites, and a Discourse plugin for quick integration.
Limitations:
- Requires a smartphone
- Users must install our app to verify (the main friction point)
- Robots that can physically operate smartphones could pass
- Not an authN/identity product; focused on what users are, not who they are
We see this complementing existing verification methods. Services might use CAPTCHA or Turnstile broadly and add Humanmark for specific high-value actions. Or they could use it everywhere if their users accept the app installation requirement.
Looking for feedback on security considerations we haven't accounted for, integration patterns that would work better for your stack, and use cases or industries where this could make an impact today. Happy to discuss and receive any feedback.