The rise of AI-driven agents is reshaping the digital economy, but it has also created unprecedented opportunities for fraud. Bots and automated scripts can now mimic the human behavior of filling out forms or solving CAPTCHAs with near-perfect fidelity. This capability blurs the line between legitimate and illegitimate users. For businesses, it means marketing spend is increasingly siphoned off by fake traffic and loyalty programs are drained by synthetic accounts. As AI tools become cheaper and more widely available, the barrier to running large-scale fraud operations has disappeared. Without reliable ways to prove that a digital interaction originates from a real, present human being, the AI economy risks devolving into an environment where fraud outpaces genuine engagement. Today, human activity accounts for less than half of all online traffic [Imperva, 2025].
Many businesses rely on Single Sign-On (SSO) systems such as Gmail or enterprise identity providers like Microsoft Entra to verify users. These systems validate who you are but not your physical presence. An employee can access enterprise resources without ever visiting the office. A student can sign in from home and appear to have attended class. Fans at a stadium can forward a link to friends who aren’t there in order to redeem ‘in-person’ promotions. Combining SSO with a QR code does not solve the problem. QR codes can be cloned and replayed, and they offer no guarantee of human presence. Scammers can also replace legitimate QR codes with malicious ones and then redirect users to phishing sites or counterfeit payment portals [FBI IC3, 2024]. The problem is amplified in loyalty programs. U.S. consumers hold an estimated $140 billion in unspent loyalty points [Agilence, 2024], and roughly $3.1 billion worth of loyalty points are stolen or fraudulently redeemed every year [Loyalty Security Association, 2023]. As a result, 69% of loyalty program executives report that fraud directly erodes customer trust [Agilence, 2024].

A TapPoint is TapIn’s secure, portable device that verifies physical presence without using an app or power. Unlike QR codes or static links, a TapPoint generates a one-time, cryptographically signed URL every time it is tapped. This ensures that the action was performed by a real human at a specific physical location. Each TapPoint contains a secure NFC chip that performs cryptographic operations when tapped by a smartphone. The result is a new standard for trustworthy interactions that answers the question: “Who is on the other side of this interaction?” [Personhood credentials 2024]. TapIn works in the following way:
While TapPoints confirm that a real human was present, they do not identify who that person is. By linking a TapPoint interaction to an SSO login (e.g., Gmail, Microsoft, or other enterprise provider), TapIn binds physical presence to a verified identity. This process forms the basis of a personhood credential.
Even though TapPoints prove that a real human was physically present at a particular time and place, a tap on its own is ephemeral. An audit trail requires a way to securely record those taps. For businesses or communities to rely on TapIn, they must trust that the history of taps is accurate, and not only that each tap was valid in the moment. If TapIn is to be successful in creating a new standard for personhood credentials, then trustworthy interactions need to be recorded on a blockchain or time-stamped digital ledger. A blockchain ensures that every interaction is recorded in a transparent, append-only sequence, and attested by cryptographic consensus. Each tap at a TapPoint becomes a ledger entry on a permanent, tamper-resistant chain of trust.
TapIn’s pending patent, Physical Interface for Digital Assets, Intl. Patent Application No. PCT/US2024/04333, describes the process by which each real-world tap generates a cryptographically signed digital token. These tokens are committed to a ledger as a verifiable receipt, or proof, that a person participated in a trustworthy interaction. Under this patent, TapPoints can record a receipt of the trustworthy interaction on a blockchain so that the tap history remains secure and auditable over time.
After a TapPoint verifies a trustworthy interaction on a blockchain, the remaining question is not whether the event happened, but who it truly represents. In nearly all cases, confidence in identity requires more than just one credential or a single verified moment. To trust that people genuinely are who they say they are, identity must be over-determined through multiple, independent signals [Verifying Identity 2019]. TapPoints create this confidence through a pattern of many taps, across various contexts, at different places and times. A student checking into a lecture hall, logging study time at the tutoring lab, grabbing lunch at the cafeteria, or tapping into a student club meeting: each creates an independent proof of presence. Together, these overlapping signals reinforce one another and make it harder for impersonators to convincingly fabricate identity. TapPoints do more than confirm that one person was there; they can also confirm that others were there too. When multiple individuals tap into the same TapPoint around the same time, each person’s presence is implicitly vouched for by the group. This collective verification increases confidence that the identity being asserted is technically valid and socially credible.
The TapIn platform creates redundancy in identity by enabling a network of TapPoints to be deployed anywhere that people gather. Unlike traditional infrastructure that often requires heavy subsidies or centralized funding, TapPoints are low-cost in production and high-value in function. Each device is portable, power-independent, and simple to deploy. In fact, TapPoints can be deployed as self-sustaining or even revenue-generating infrastructure. Because every tap generates a trustworthy interaction, TapPoints create data that is valuable for multiple stakeholders: universities tracking student engagement, venues measuring attendance, businesses preventing loyalty fraud, or sponsors seeking proof of in-person impact. This high-value output more than offsets the low cost of deployment.
TapPoints exemplify the logic of DePIN (Decentralized Physical Infrastructure Networks). A decentralized ecosystem of independently deployed TapPoints can flourish because the infrastructure pays for itself. Each TapPoint contributes to a resilient web of identity and also provides direct utility to the operator. Presence at scale, then, is both a technical achievement and an economic one. TapPoints allow identity infrastructure to grow organically because of the economic incentives of those who deploy them.
Universities are the ideal proving ground for TapIn. They function as miniature cities that are complete with all the essential infrastructure of a broader society. Within a single campus, thousands of daily interactions create a closed-loop economy where students live, learn, work, shop, dine, and socialize in the same environment. This density and diversity of activities make universities uniquely suited to research and test the TapIn platform across many different contexts.
At the same time, universities face a growing trust deficit. Public confidence in higher education has fallen sharply. Gallup reported a decline in trust from 57% in 2015 to just 36% in 2023. This fall in trust is one of the steepest drops among major institutions [Gallup 2023]. TapIn helps to solve this trust problem by deploying TapPoints across the full spectrum of university life, including classrooms, tutoring labs, cafeterias, residence halls, stadiums, and student clubs. Unlike paper sign-ins or shareable QR codes, each tap is a secure signal of real human presence. Over time, these overlapping proofs form a redundant web of trust that ensures students are who they claim to be, while also giving institutions reliable, tamper-resistant records of engagement. This makes TapIn especially valuable in higher education, where:
Michael Jones is a co-founder of TapIn and the Kautz-Uible Assistant Professor of Economics. He earned his PhD in Economics from the University of Notre Dame and his MBA from the University of Cincinnati. As a thought leader in blockchain technology, Michael also serves as the Director of the Kautz-Uible Cryptoeconomics Lab, located in the university’s interdisciplinary research facility Digital Futures. Michael takes an active role in the community by providing economic insights for news media, serving on nonprofit boards, and engaging with the startup ecosystem. Michael has also won several teaching awards from the Lindner College of Business and has published his research in several leading academic journals in the areas of labor economics, public economics, financial literacy, and the economics of education.
Q: What if someone manually types the UID and counter?
A: Without the AES key, the correct CMAC cannot be generated. TapIn’s server will reject the attempt.
Q: Can someone replay a copied URL?
A: No. Each counter value is valid only once. Any reused link will be rejected.
Q: How does TapIn manage and protect its encryption keys?
A: Each TapPoint has its own unique AES secret key encoded into secure hardware. This key cannot be extracted from the chip, but it is required by the TapPoint to generate CMAC signatures that prove the authenticity of every tap. On the server side, TapIn stores the key encrypted, at rest, as a field in the device record in the database. When a tap occurs, the server retrieves the device record, including the encrypted key, and recalculates the CMAC. This design minimizes latency because the key is always retrieved with the device record, so there is no additional lookup or network round-trip to an external service. For customers requiring maximum security, TapIn can support enterprise-grade storage via Azure Key Vault (AKV) or other Hardware Security Module (HSM)-backed solutions. A managed HSM can also provide enhanced security with a dedicated, single-tenant HSM, to meet stringent compliance needs.
Q: What does the CMAC actually do?
A: CMAC is an AES-based algorithm that produces a message authentication code, a short tag that verifies data authenticity. Without the AES key, forging a valid CMAC is computationally infeasible. CMAC is like a wax seal. Only the real chip with the secret key can make the correct imprint. The server checks the imprint before trusting the tap.
Imperva (2025). '2025 Bad Bot Report.' https://www.imperva.com/resources/resource-library/reports/2025-bad-bot-report/
FBI IC3 (2024). 'Internet Crime Report 2024.' Federal Bureau of Investigation. https://www.ic3.gov
Agilence (2024). 'Loyalty Program Fraud Statistics and Trends.' https://blog.agilenceinc.com/loyalty-program-fraud
Loyalty Security Association (2023). 'Annual Fraud Report.' https://loyaltyfraudassociation.org
Adler et al. (2024). 'Personhood credentials: Artificial intelligence and the value of privacy-preserving tools to distinguish who is real online.' https://arxiv.org/abs/2408.07892
Immorlica et al. (2019). 'Verifying Identity as a Social Intersection.' https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3375436
Gallup (2023). 'U.S. Confidence in Higher Education Now Closely Divided.' https://news.gallup.com/poll/646880/confidence-higher-education-closely-divided.aspx