LastID
identityphilosophyenterpriseconsumerproduct

Identity Has No Silos

Bottom Line Up Front

The consumer vs. enterprise divide is a product category, not an identity truth. Impersonation doesn't care which directory you're in. We built LastID for humans because the gaps between systems are exactly where attacks land.

MJ

Matt Jezorek

March 28, 2026 · 6 min read

Share

The question we keep getting

Are you consumer or enterprise?

Every investor, every analyst, every enterprise buyer asks this. It's the first box they want to put you in. It determines your pricing model, your go-to-market, your competitive set, your slide deck. Pick one.

We built LastID for humans. Here's why.

Identity starts way before onboarding

Think about when your identity actually begins. You exist before your first job. You exist between jobs. You exist outside of any organization's directory. Your name, your face, your voice, your biometrics, your relationships, your reputation. None of that is issued by an enterprise. None of it expires when you leave.

Enterprise identity systems borrow identity. They take a person who already exists and assign them a username, an email, a badge, a seat in Okta. When that person leaves, the enterprise revokes access. The person keeps existing. Their identity keeps existing.

The entire industry built identity systems as if enterprises are the source of truth. They aren't. They're tenants of something that was already there.

The gaps between systems are the actual attack surface

In the real world, you have a work identity in your company's IdP. A personal identity on your phone. A banking identity with your financial institution. A government identity on a card in your wallet. A social identity across platforms.

None of these talk to each other. None of them can verify each other. None of them can prove that the person behind all of them is the same human being.

Attackers figured this out a long time ago.

Callback fraud works because there's no link between a bank's identity system and the phone's caller ID. Deepfake CEO attacks work because there's no bridge between a company's directory and the voice on the call. Service desk social engineering works because the caller's "identity" is whatever they claim it is.

Every impersonation attack we've studied exploits the space between identity silos. The silos themselves are fine internally. Identity falls apart the moment it crosses a boundary. That's where attackers live, in the handoff, in the gap, in the moment where one system ends and another hasn't started.

Impersonation crosses every boundary we've built

Someone impersonating a CEO on a phone call doesn't care that the company uses Entra ID. Someone cloning a kid's voice doesn't care about a bank's password policy. Someone sending a deepfake video to a board doesn't care about SSO configuration.

These attacks cross the enterprise boundary, the consumer boundary, the work-life boundary. They exploit the fact that identity was built in silos with no connective tissue between them.

The consumer-vs-enterprise question misses the point. The attack surface is in the gap between those categories.

One person, every context

Your CFO is also a parent. Your board member is also a customer at their bank. Your IT admin is also a person who gets phone calls from unknown numbers. The identity they need to stop impersonation is the same identity in every context.

A verifiable credential that proves who you are should work when you walk out of the office. It should work across every relationship you have. It should be yours, not owned by any single organization.

So that's what we built.

A portable, recoverable cryptographic identity

LastID gives you a W3C Decentralized Identifier, a cryptographic identity that's yours. It lives on your device, protected by the secure enclave, and it issues verifiable credentials that prove who you are. It's bound to you. Not to an email address, a phone number, or an employee ID.

From there you choose what to layer on. Add biometrics for stronger assurance. Add government identity checks to create a fully verified persona. Or keep it simple and build trust manually, person by person. The identity works either way because the cryptographic foundation is the same.

Enterprises get to pick the level of assurance they need. Some will require biometrics and government ID verification. Others just need to know their people have a credential they control. LastID supports the full spectrum without forcing everyone into the same box.

And it's recoverable. If you lose your device, your identity isn't gone. We provide protected recovery material, social recovery through people you trust, and recovery policies you define yourself. You decide how your identity can be recovered, in life and in death. Your identity, your rules for what happens to it.

That identity works everywhere. When your company needs to verify you, it works. When your bank needs to verify you, it works. When your family needs to know it's really you on the phone, it works. Same credential, same proof, same person.

Enterprises layer on top of the DID. Because the identity foundation is the same, they get the same base properties: recoverable identity even if someone loses their phone, risky recovery actions handled at the org level. On top of that they add employment credentials, roles, permissions, and soon custom credentials for whatever their business needs.

There's no gap left to exploit. An attacker can't live in the space between your work identity and your personal identity because there is no space. It's one identity.

The whole security industry is patching around this

Think about how many products exist because identity is siloed.

Email security exists because a From header can be faked. Phone verification exists because caller ID can be spoofed. MFA exists because usernames and passwords can be stolen. Identity verification exists because documents can be forged. Background checks exist because people can lie about who they are.

Every one of these products patches a hole created by the same root problem: there's no universal, portable, cryptographic proof of human identity.

We built one.

Human identity, everywhere

When someone asks if we're consumer or enterprise, they're really asking who pays. That's a business model question, not an identity question.

The identity question is simpler: can you prove who you are, to anyone who needs to know, in any context, without relying on systems that can be spoofed?

That's what LastID does. For humans. The fact that humans happen to work at enterprises, have bank accounts, make phone calls, and send messages is why it matters everywhere.

Identity has no silos. Neither do we.

Get started

Your identity should be yours. Download today and set up your LastID in about two minutes. It's free, it's personal, and it works everywhere you need to prove you're you.

Download for iPhone | Download for Android

If you're an enterprise looking to verify your people across every channel, reach out. We'd love to show you what identity looks like without silos.

identityphilosophyenterpriseconsumerproduct
Related Posts
productidentity

Your AI Has an iMessage Now. Who's Texting It?

Claude Code now has iMessage, Discord, and Telegram channels. That's cool until you realize anyone who can spoof a phone number can talk to your AI. We built a guard for that.

Matt Jezorek|5 min read|
productidentity

Why We Built Calling Into LastID

62% of organizations faced a deepfake attack last year. Families are using code words. Executives are sharing OTPs over iMessage. We built verified calling into LastID because nobody else is solving this.

Matt Jezorek|7 min read|
identityslack

Verify Anyone's Identity Directly in Slack and Microsoft Teams

Someone joins a channel, claims to be from legal, and asks for access. One @mention and a QR code scan later, you know they are who they claim to be.

Matt Jezorek|4 min read|

We use analytics to understand how people use our site.

We use analytics to see what's working and improve the experience. We don't sell data, run ads, or follow you around the internet. You can decline and nothing changes. Privacy Policy