World ID Reset
World ID 2.0 allows a user to reset their World ID in case their World ID has been lost or stolen. The user reverifies at the Orb, and their old World ID is invalidated. The user is then issued a new World ID and this new identity is verified at the Orb. A user will not be able to perform a World ID Reset more than once every 14 days.
Impact on Sign-In with World ID
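When a user signs in with World ID, their Nullifier Hash is returned as the `sub` claim in the ID Token. Recall that the Nullifier Hash is the unique identifier of a user in the context of a specific action: a different identity will return a different Nullifier Hash. After a World ID Reset, the user's new World ID therefore returns a different `sub` value than the one their existing account was created with.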
Suggested Action
A second sign-in method, such as an email address or phone number, is highly recommended to ensure that the user can continue to use their account in the event of a World ID Reset. The user should be able to verify that second factor after a World ID Reset and link their new World ID to their existing account.
Impact on Anonymous Actions
When a user performs a World ID Reset, they are issued a new World ID and their old World ID is invalidated. This means that any anonymous actions the user performed with their old World ID are not associated with their new World ID.
Suggested Action
We recommend rotating the action used in your application regularly and limiting the time an action is valid.
For example, a social media application may use Anonymous Actions to mark a user's account as "verified". To mitigate the impact of a World ID Reset, the application could require the user to perform a new action every 30 days to maintain their "verified" status. In this situation, a user who performs a World ID Reset would be able to mark a second account as "verified" immediately after performing the reset, but at the end of the 30-day period the user would only be able to verify with World ID, and so maintain the "verified" status, for a single account.
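The 30-day rotation described above, sketched as an added example that is not part of the original page or of any World ID SDK. The action naming scheme, the `VerifiedBadges` store, and `fakeNullifier` (a constructed stand-in for the nullifier hash of an already verified proof) are assumptions made for illustration.

```javascript
const PERIOD_MS = 30 * 24 * 60 * 60 * 1000; // 30-day validity window from the example above

// Hypothetical naming scheme: a fresh action ID for every 30-day window.
function currentAction(nowMs) {
  return `verify-account-${Math.floor(nowMs / PERIOD_MS)}`;
}

// Constructed stand-in for the nullifier hash in a verified proof:
// unique per (identity, action), as the page describes.
function fakeNullifier(identity, action) {
  return `${identity}|${action}`;
}

class VerifiedBadges {
  constructor() {
    this.used = new Map();   // action -> Set of nullifier hashes already spent
    this.badges = new Map(); // accountId -> action the badge was earned under
  }

  // Call only after the proof for `action` has been verified server-side.
  claim(accountId, action, nullifierHash, nowMs) {
    if (action !== currentAction(nowMs)) return false; // stale action
    if (!this.used.has(action)) this.used.set(action, new Set());
    const spent = this.used.get(action);
    if (spent.has(nullifierHash)) return false; // one account per identity per action
    spent.add(nullifierHash);
    this.badges.set(accountId, action);
    return true;
  }

  // A badge counts only while its action is the current one.
  isVerified(accountId, nowMs) {
    return this.badges.get(accountId) === currentAction(nowMs);
  }
}

// Walk through the reset scenario with constructed identities and timestamps.
function simulateReset() {
  const b = new VerifiedBadges();
  const t0 = 100 * PERIOD_MS + 1000, t1 = t0 + PERIOD_MS;
  const a0 = currentAction(t0), a1 = currentAction(t1);
  const first = b.claim("acct-A", a0, fakeNullifier("old-id", a0), t0);
  const afterReset = b.claim("acct-B", a0, fakeNullifier("new-id", a0), t0);
  const bothNow = b.isVerified("acct-A", t0) && b.isVerified("acct-B", t0);
  const renewA = b.claim("acct-A", a1, fakeNullifier("new-id", a1), t1);
  const renewB = b.claim("acct-B", a1, fakeNullifier("new-id", a1), t1);
  return { first, afterReset, bothNow, renewA, renewB,
           aNext: b.isVerified("acct-A", t1), bNext: b.isVerified("acct-B", t1) };
}
```

In the first window both accounts hold a badge, because the old and new World IDs yield different nullifier hashes; in the next window only the new World ID can produce proofs, so only one account can renew.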