The three-moment problem
Open your crypto exchange. Navigate to withdrawals. Enter $50,000 and a destination address. Before you hit confirm, ask one question:
What is this platform doing, right now, to prove you’re the one sitting here?
Not what it did when you signed up six months ago. Not what it did when you logged in this morning. Right now. At the exact moment your finger hovers over the button that moves fifty thousand irreversible dollars.
The answer, for virtually every financial platform on earth, is nothing.
Every financial product has three moments that matter:
- Signup — Identity verified. Jumio, Onfido, Persona.
- Login — Device verified. Okta, Auth0, Duo.
- Action — Human verified. ???
The first two moments have billion-dollar industries built around them. Hundreds of companies, decades of engineering, regulatory frameworks that mandate their existence. The third moment — the one where the money actually moves — has a question mark.
That question mark is not a small problem. It’s the single point of failure behind every account takeover, every SIM swap, every stolen API key, and every compromised session that results in unauthorized movement of funds.
60-second JWT TTL. Cryptographic proof a specific human authorized a specific action.
Five angles on the same hole
I’ve been writing about this gap all week. Each post exposed a different face of the same problem.
Wallet signatures showed me that cryptographic proof of key usage is not proof of human presence. The math is perfect. The assumption underneath it — that the right person is holding the key — is completely unverified. Every institutional trading desk operates on this assumption every day.
Authentication vs. authorization showed me the industry conflates two different problems. Proving identity at the boundary (login) and proving human presence at the moment of action are structurally different challenges. Okta solves one. The other is wide open.
Reactive fraud detection showed me the cost math. The entire fraud industry analyzes transactions after they happen. Prevention at the point of action is one synchronous API call. Recovery after the fact costs five to six figures when it works at all. For crypto, it doesn’t work at all.
NASA reliability engineering showed me this isn’t a new problem. You verify at the point of maximum consequence, not at the point of minimum risk. A $12 resistor going into a satellite gets more verification at installation than a $50,000 wire transfer gets at execution. That’s not a technology gap. It’s a priorities gap.
The verification pipeline showed me that building the solution is the easy part. Making it fast enough and invisible enough that nobody resists adding it — that’s the actual engineering challenge.
The numbers that made me build this
- $14B — Crypto stolen in hacks and fraud (2023-2025)
- 0% — Crypto transactions that are reversible
- **** — Cost of one Lorica verification
- <2s — Time to verify the human
Fourteen billion dollars in crypto losses over two years. Zero reversibility. And the gap that enabled most of it can be filled with a single API call that costs a nickel and takes less time than reading this sentence.
What Lorica is
Three endpoints. Enroll a face. Verify the human before an action. Validate the proof independently.
Before any high-risk action — withdrawal, wire, trade, disbursement — the platform calls one endpoint. Lorica verifies a live human is present via biometrics and returns a signed JWT carrying exactly what happened: who was verified, what they authorized, when, and with what confidence. The token is cryptographic proof, independently verifiable via a shared signing secret. No callback to us required.
The face image is processed in memory and discarded. We store a high-dimensional embedding, encrypted at rest with authenticated encryption (AES-based, with rotation support). No photos. No video. Nothing to breach.
One API call. Under two seconds. A signed JWT proving a specific human authorized a specific action at a specific time. That’s the entire product.
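To make the "independently verifiable" point concrete, here is an added example (my own code, not Lorica's SDK or its documented token format) of how a platform could validate such an action-bound JWT with nothing but the standard library before it moves the money. The shared secret, the sample withdrawal and the claim names (sub, action, confidence, iat, exp) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret and TTL. The page states a 60-second TTL; the claim names
# used below are assumptions for this example, not Lorica's documented schema.
SECRET = b"example-shared-signing-secret"
TOKEN_TTL = 60

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, secret=SECRET):
    """Build an HS256 JWT standing in for the token the verify step returns (constructed)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_action_proof(token, expected_action, secret=SECRET, now=None, min_confidence=0.9):
    """Independently validate the proof before moving money. Returns (ok, reason). The final
    check is the point: a valid token bound to a different action proves nothing about this one."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        return False, "unexpected alg"  # reject alg=none / key-confusion tokens
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"  # never trust claims that are not authenticated
    claims = json.loads(_b64url_decode(body))
    iat, exp = claims.get("iat", 0), claims.get("exp", 0)
    if not iat <= now <= exp or exp - iat > TOKEN_TTL:
        return False, "expired or window too long"
    if float(claims.get("confidence", 0)) < min_confidence:
        return False, "confidence below threshold"
    if claims.get("action") != expected_action:
        return False, "token not bound to this action"
    # Recording a per-token id (jti) server-side would additionally block replay inside the window.
    return True, "ok"

# Constructed sample: the $50,000 withdrawal from the opening of the post.
WITHDRAWAL = {"type": "withdrawal", "amount": "50000.00", "currency": "USD", "destination": "addr-example"}
```

The action dict is compared whole, so a token minted for $50,000 to one address is rejected for $500,000 or for any other destination, which is what "per-action proof" has to mean in practice.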
Where this goes
Each of these posts tackled a different dimension of the same structural failure. Wallet cryptography. Session trust. Fraud economics. Reliability engineering. Adversarial security. They all converge on the same point: the moment of action is unverified, and the tools to fix it didn’t exist.
Now they do. The API is live. It passes 90 security tests with zero failures. Verifications complete in ~500 milliseconds (warm path). The SDKs are on PyPI and npm. The documentation, the demo, the security policies — all public, all auditable.
If you’re building a financial product, your version of this gap has a specific shape. Maybe it’s a compliance review that can’t produce per-action proof. Maybe it’s a customer who lost six figures through a compromised session. Maybe it’s a risk model that scores transactions after they’ve already cleared. The shape is different. The hole is the same.
The $50K question is simple: who’s sitting there when the money moves?
Lorica is the answer.