What a wallet signature actually proves
Every crypto custody product, every institutional trading desk, and every DeFi protocol shares one assumption: if the wallet signed it, the right person approved it.
That assumption is wrong.
A wallet signature is cryptographic proof that a private key was used.
It says nothing about the human being who used it.
It can’t tell you if the trader was sitting at their desk, or if a compromised laptop executed the call at 3 AM. It can’t tell you if the risk manager physically reviewed the trade, or if their session token was replayed from a phishing attack.
The signature is valid either way.
A wallet signature proves a key was used. It says nothing about the human who used it. The math is perfect. The assumption underneath it isn’t.
When a wallet signs a transaction, the mathematics are airtight. The private key corresponding to a known public key produced a valid signature over a specific payload. The blockchain can verify this independently. Nobody disputes the cryptography.
But the cryptography answers a narrow question: was this key used?
It does not answer: was the authorized human present when it was used?
These are fundamentally different questions, and the gap between them is where institutional crypto loses money.
The gap in practice
Consider an institutional OTC desk. A trader needs to execute a $2M block trade. The workflow looks like this: trader authenticates at login, opens the platform, sets up the trade, and the wallet signs. Between login and signing, there’s a window — minutes, sometimes hours — where anything can happen. A session gets hijacked. A device gets compromised. The trader walks away and someone else sits down.
The wallet doesn’t care. It signs.
Now add multi-party authorization. Two signatures required: trader and risk manager. Both wallets sign. Both signatures are valid. But were both humans actually present at the moment of execution? The blockchain can’t answer that. The custody platform can’t answer that. Nobody can answer that, because nobody checked.
Authentication happened at login. The action happened hours later. In between, you’re trusting the session — not the human.
Why this matters for compliance
Regulators are paying attention. As institutional crypto matures, the question isn’t whether you can prove a key signed a transaction. That’s table stakes. The question is whether you can prove a specific person authorized a specific action at a specific time.
A wallet signature can’t give you that. It gives you key-level attribution, not human-level attribution. When an auditor asks “who approved this $5M transfer and when did they approve it,” a valid ECDSA signature is not a satisfying answer.
What human-level proof looks like
The verification has to happen at the moment of the action — not at login, not at onboarding, not retroactively. Right before the wallet signs, you confirm the human.
That’s what we built at Lorica. One API call before any high-risk action. A biometric check confirms a live human is present, and returns a signed JWT that carries exactly what compliance needs:
{
  "user_id": "trader_jane",
  "action_verified": "otc_block_trade_2m",
  "confidence": 0.97,
  "liveness_method": "motion",
  "verified_at": "2026-03-22T14:32:01Z",
  "session_duration_ms": 1847
}
The JWT is cryptographic proof — independently verifiable — that a specific person authorized a specific action at a specific time. Not that a key was used. That a human was present.
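The token only helps if the platform checks it at the moment of signing. The following is an added example, not Lorica's code or API: a pre-signing gate that verifies the token signature, then confirms the claims match the user and action about to be signed and that `verified_at` is recent. HS256 with a shared key stands in for the issuer's signing scheme, which the page does not specify, so the block runs on the Python standard library; the function names, thresholds, key and clock value are assumptions.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(seconds=60)  # assumed policy: how fresh the check must be
MIN_CONFIDENCE = 0.90            # assumed policy threshold

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key):
    """Build a constructed HS256 token so the gate has input to check."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(key, head, body))}"

def check_presence_token(token, key, user_id, action, now):
    """Return (ok, reason). Call immediately before the wallet signs."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin alg, reject "none"
            return False, "unexpected alg"
        if not hmac.compare_digest(_mac(key, head, body), _b64d(sig)):
            return False, "bad signature"
        claims = json.loads(_b64d(body))
        age = now - datetime.fromisoformat(claims["verified_at"].replace("Z", "+00:00"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed token"
    if claims.get("user_id") != user_id:
        return False, "wrong user"
    if claims.get("action_verified") != action:  # token issued for another action
        return False, "wrong action"
    conf = claims.get("confidence")
    if not isinstance(conf, (int, float)) or conf < MIN_CONFIDENCE:
        return False, "low confidence"
    if age < timedelta(0) or age > MAX_AGE:  # future-dated or stale
        return False, "stale verification"
    return True, "ok"

# Constructed sample claims, mirroring the payload shown above.
SAMPLE = {"user_id": "trader_jane", "action_verified": "otc_block_trade_2m",
          "confidence": 0.97, "liveness_method": "motion",
          "verified_at": "2026-03-22T14:32:01Z", "session_duration_ms": 1847}
KEY = b"constructed-demo-key"
NOW = datetime(2026, 3, 22, 14, 32, 20, tzinfo=timezone.utc)  # constructed signing time
```

A token that verifies but names a different action, or was issued hours earlier, is rejected, which is the login-to-signing gap the article describes.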
Before the wallet signs
This isn’t about replacing wallet signatures. The cryptography is sound. This is about filling the gap between authentication and action.
Your login session proves the user authenticated hours ago. The wallet signature proves a key was used. Neither proves a human is present right now, at the moment the money moves.
Lorica sits in that gap. Before the wallet signs, we verify the human. The JWT becomes an immutable record that travels with the transaction — auditable, portable, and independent of any single platform.
Your wallet signature proves the key was used. Lorica proves a human was holding it.