A New Form of Verification on Bluesky
Bluesky has launched a blue check verification system for authentic accounts, allowing notable organizations like The New York Times to verify users, while self-verification options remain available.
Bluesky has introduced a new verification system aimed at enhancing trust on its platform. Initially, in 2023, Bluesky allowed users to link their accounts to their domains, resulting in over 270,000 accounts utilizing this feature. To further improve authenticity recognition, Bluesky is now implementing a blue checkmark system for verified accounts. This blue check will be assigned to notable and authentic accounts, with verification conducted by Bluesky's moderation team. Additionally, the platform is introducing "Trusted Verifiers," which are independent organizations authorized to issue blue checks directly. These verifiers will have a distinct scalloped blue check, indicating their status. For instance, The New York Times can now verify its journalists through the app. Users can view which organization verified an account by tapping on the blue check. While users can self-verify by linking their domain, Bluesky is not currently accepting direct applications for verification but plans to introduce a request form in the future. Users also have the option to hide verification indicators in their settings.
- Bluesky has launched a blue check verification system for authentic accounts.
- Over 270,000 accounts have linked their usernames to their domains since 2023.
- Trusted Verifiers, such as The New York Times, can issue blue checks directly.
- Users can view the organization that verified an account by tapping the blue check.
- Self-verification is encouraged, but direct applications for verification are not yet accepted.
Related
The Dawn of Decentralized Social Media
Bluesky, a decentralized social media platform, launched publicly on February 6, 2024, experiencing significant user growth, original content creation, and effective moderation against suspicious accounts and low toxicity levels.
Bluesky Soars to Top 5 in US App Store After Rival X Changes How Blocks Work
Bluesky has climbed to No. 5 in the US App Store, gaining 500,000 users in one day after X's controversial blocking feature update, offering customizable feeds and domain name handles.
Bluesky is cracking down on parody accounts and impersonators
Bluesky Social is enforcing stricter rules on parody and impersonation accounts, requiring clear identification to combat identity churning, as 44% of top accounts face impersonators amid rising user numbers.
Angry users react to Bluesky's upcoming blue check mark verification system
Bluesky is launching a blue check mark verification system with "Trusted Verifiers," facing backlash over centralization concerns. Users can hide badges, while some support visual indicators for genuine accounts.
Bluesky may soon add blue check verification
Bluesky plans to launch a blue check verification system involving trusted organizations, with an announcement expected on April 21, 2025, differing from X's criticized model.
- Concerns about centralization: Many users express skepticism about the centralization of trust and verification, fearing it may lead to a system similar to Twitter's problematic blue check feature.
- Trust hierarchy: Some users support the idea of a trust hierarchy, where organizations like The New York Times verify their journalists, but others worry this could create an unequal system.
- Verification's purpose: There is debate over the actual need for verification, with some questioning whether it truly addresses a problem or simply creates a false sense of security.
- Technical implementation: Users discuss the technical aspects of verification, suggesting alternatives like domain-based verification or a points system to enhance trust.
- Mixed feelings on moderation: While some appreciate the potential for better moderation, others fear it may lead to censorship and a loss of the platform's original ethos.
On a technical level, this sort of works like a Root CA: anyone can verify anyone by publishing an `app.bsky.graph.verification` record to their PDS. Bluesky then chooses to turn those from trusted accounts into the blue check, similar to browsers bundling root CAs into the browser.
* https://pdsls.dev/at://did:plc:z72i7hdynmk6r22z27h6tvur/app.... <- bluesky verifying me. it's coming from at://bsky.app, and therefore, blue check
* https://pdsls.dev/at://did:plc:3danwc67lo7obz2fmdg6jxcr/app.... <- me verifying people I know. it's coming from at://steveklabnik.com, and therefore, no blue check.
I am not 100% sure how I feel about this feature overall, but it is something that a lot of users are clamoring for, and I'm glad it's at least "on-protocol" instead of tacked on the side somehow. We'll see how it goes.
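The root-store analogy in the comment above, as an added example that is not part of the original thread or Bluesky's own code: a client holds a set of trusted issuer DIDs and honors only verification records published by them. The two issuer DIDs come from the links above; the subjects, the `Verification`/`Profile` types, and the assumption that a record snapshots the handle and display name it vouched for are hypothetical.

```python
from dataclasses import dataclass

# Issuer DIDs taken from the two links in the comment above.
BSKY_APP = "did:plc:z72i7hdynmk6r22z27h6tvur"   # at://bsky.app
STEVE = "did:plc:3danwc67lo7obz2fmdg6jxcr"      # at://steveklabnik.com

# The client's "root store": issuers whose records it chooses to honor.
TRUSTED_VERIFIERS = frozenset({BSKY_APP})

@dataclass(frozen=True)
class Verification:
    issuer: str        # DID of the repo the record was published in
    subject: str       # DID being vouched for
    handle: str        # handle seen by the issuer when vouching (assumed field)
    display_name: str  # display name seen by the issuer (assumed field)

@dataclass(frozen=True)
class Profile:
    did: str
    handle: str
    display_name: str

def badge(profile, records, trusted=TRUSTED_VERIFIERS):
    """Return (badge, honored_issuers) for a profile."""
    if profile.did in trusted:
        return "trusted-verifier", []
    honored = sorted(
        r.issuer for r in records
        if r.issuer in trusted                       # anyone can publish; only trusted issuers count
        and r.subject == profile.did                 # bind to the DID, not to a name
        and r.handle == profile.handle               # stale if the account was renamed since
        and r.display_name == profile.display_name
    )
    return ("verified" if honored else "none"), honored

# Constructed sample data: subjects and names are made up.
ALICE = Profile("did:example:alice", "alice.example.com", "Alice")
RECORDS = [
    Verification(BSKY_APP, "did:example:alice", "alice.example.com", "Alice"),
    Verification(STEVE, "did:example:alice", "alice.example.com", "Alice"),
    Verification(STEVE, "did:example:bob", "bob.example.com", "Bob"),
]
```

Passing a different `trusted` set changes the outcome for the same records, which is the point of the analogy: the records are public data and the badge is a local policy decision.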
How is this compatible with Bluesky's internal cultural vision of "The company is a future adversary"[1][2][3]? With Twitter, we've seen what happens with the bluecheck feature when there's a corporate power struggle.
[1]: https://news.ycombinator.com/item?id=35012757 [2]: https://bsky.app/profile/pfrazee.com/post/3jypidwokmu2m [3]: https://www.newyorker.com/magazine/2025/04/14/blueskys-quest...
We need a way to reflect that human "social trust" is born distributed, and centralising trust subverts it. But here, while they introduce third party verifiers, rather than individuals deciding which verifiers to trust, bsky is going to bless some. So this is just centralised trust with delegation.
The approach they've taken ("trusted verifiers") is an approach aligned with their values, as it is an extension of the labelling concept that is already well established in the ecosystem. As an idealist, it is a shame that they gave up, I think they could have had an impact on shifting how non-technical people view domain names and understand digital identity... but as a pragmatist, this is the right choice. Bluesky has to pick their battles, and this isn't a hill to die on.
[1] https://handles.net [2] https://news.ycombinator.com/item?id=42749786
All I’m saying is that if weak moderation has had a positive effect somewhere, it’s worth showcasing that. Otherwise the evidence is decisively in favor of strong moderation.
In terms of how to keep the moderation team from deteriorating, other platforms could learn a thing or two from HN: put someone competent in charge of the team, and give them lots of incentives to do well.
Something like
bluesky user X is equivalent(has control)
to domain A(domain verification)
to youtube account B (youtube verification)
to mastodon account C (mastodon verification)
to D@nytimes.com (email verification)
So logically I would expect a protocol that allows cross domain verification. Best I can come up with is something that works sort of like domain verification extended to user@domain verification. that is, a better engineered version of "make a youtube video with the string 'unique uuid code' in the comment" so that we can verify you own that youtube account.
The problem is that some domains would have no problem standing up this sort of verification. The Times only benefits from verifying its employees. However I can see fellow social media sites balking as this equivalency weakens their walls that keep people in.
As someone who believes in equal access and privilege, this is just horrible. "Trusted Verifiers" - how does the bsky team decide which orgs can be trusted? One could argue that this is worse than Twitter. And of course, the echo chamber is going to get worse.
It seems to me that BlueSky is trying to rewind the clock and be the pre-Elon Twitter. They had a decent chance to become what Signal is to messaging, but looks like they are trying to be just another Social Media company.
We’re truly in the post-social media age.
They describe it as a "blue check" when in fact it is a white check on a blue circular background.
Just nit-picking I guess but sometimes I read a passage that describes something and I conjure an image in my mind of what I would see should I open my eyes with it all laid out in front of me. This does not fit the image that is described in the post and makes me want to question the author's observational skills.
The web really was better with more pseudonyms. I don't care if you are you, I can read your text, judge it on its merits (according to my yardstick) and I basically don't care if you or other people consume information that is true or false.
Am I missing something?
Internet was intended to be anonymous.
It doesn't mean "this person is trustworthy" it means "this person is who they claim to be". But people desperately want it to be the former, or some sort of club.
But these are completely orthogonal concepts that demand different solutions.
Bluesky should do better here though, their definition of "verified" is buried in the blog post as "authentic and notable". This is okay I guess, sort of matches old Twitter. But a bit wishy-washy.
One idea could be to link verification badges to Wikipedia (or Wikidata) entities so you understand who is confirming what about the account. "This Mark Cuban Bluesky account is the same as the Mark Cuban in this Wikipedia article" and let the Wikipedia editors fight over noteworthiness etc.
Maybe people trying to protect their "brand"? Is there really that much demand for branded content?
I’m a proponent of verification only for “important people”. Yes, the definition of important is funny, and people may feel slighted by it: but I’ve yet to find a system that helps me identify high quality sources so immediately on a social media platform.
If I am verified by 2 parties each of whom is verified by 10 parties each of whom is verified by 1 party then my verification score would be 20 (= 2 x 10 x 1).
Then people could trust me being me 20 x more than somebody who is only verified by one party who is only verified by one party who is not verified by anybody?
Not sure how big of a priority this is for the team that runs it, but I would probably use it 20x more if it was run competently.
And even that is not a guarantee as it needs to be validated by the bluesky team, for which it helps, in their own words – to have connections with them.
Otherwise I could buy dozens of domains and spin up bots to churn out AI slop as "validated" accounts. I could buy linustorvalds.com for 25k and impersonate him.
It's still a two-tier system for clout-chasers. If you're cool enough, you get an "Officially Cool™" badge from the bsky team. If you're not, hope that a 3rd party provider decides to give you one. Or you're a second-grade netizen.
A high score usually indicates a trusted account. Check it out here: https://bluefacts.app/top
Trust is always going to be a game of cat and mouse, and this seems like just another move.
Is this not still a top-down system, just with one level of indirection?
Something not-top-down might look more like the web-of-trust model.
https://news.ycombinator.com/item?id=40298552#40298804
Delegation similar to bluesky's "NYT org issues certs to journalist" is also possible and done in a far more versatile manner.
If you have a domain and want the ability to issue certs to others, email me...this will just be for experimenting of course :)
Fine with this albeit very 'manual'...but not clear if any other choice. I do really like the domain username scheme and if anything this news just draws more attention to that because there's sooo many organizations/news outlets etc not taking advantage.
Can a country I don't like verify its president that I don't like either?
Prime minister? Members of the Senate? All citizens? Their own bot farm?
haha
Before Twitter did any sort of verification it was not difficult to determine whether an account claiming to be someone was actually that person for anyone who was actually interested.
I suspect a lot of people have this delusional fantasy where “verification” is going to shape political discourse in their favor.
Can't be that hard to have this
After all, we already have an established and highly-monitored set of sibling "trust roots" — we call them Certificate Authorities.
And we already have an identity-validation system coupled onto X.509 FQDN-as-CN (i.e. TLS) certificates — certificate validation levels.
BlueSky could just:
1. require a domain username for verification;
2. require that the domain presents an Organization Validated (OV) cert for verification as a "public individual" (i.e. the kind with a "personal brand" — which usually implies "worth registering as an LLC");
3. require that the domain presents an Extended Validation (EV) cert for verification as a corporation.
...and the whole problem of identity validation becomes outsourced, and federated, and decentralized. (Federated because multiple sibling CAs; decentralized because every computer administrator gets to decide for themselves which CAs their machine should trust.)
---
A rebuttal might be that "EV certs can't be used for this, because EV certs are too expensive, take too long to get, and don't integrate well with automatic per-subdomain DV cert issuance via ACME."
But (IMHO) that's not a problem to be worked around; that's a problem to be fixed. Why leave a broken generalized web-of-trust infrastructure sitting there unused?
If an online casino can KYC/AML you in two minutes with a passport scan and a 3D camera photo, it shouldn't be impossible to do for OV+EV validation what we did for DV validation with ACME. (Ideally in such a way that you can do the interactive process once, receiving not a cert, but some kind of collateral; and then, later on, any ACME server should accept that collateral during an interactive domain ownership probe, to upgrade the DV cert it's issuing you into an OV/EV cert.)
---
The other neat thing about this approach is that, in a "fat" native BlueSky app (i.e. not just an Electron wrapper), the app wouldn't have to trust the BlueSky service to say who's verified. The app could TLS-validate each domain username itself, to compute the appropriate badge for that user — just as a web browser does when you visit a website. And it would presumably use your machine's OS TLS CA store for that validation, just as (some) browsers do.
Not a good look.
Domain verification was genuinely all the verification needed. This checkmark system is just a copy-paste troublemaker from Twitter, and we all saw how well that turned out whenever a celebrity or billionaire's account got hacked to shill grifto schemes. Training users to only look for a symbol just desensitizes them to the complexities of identity and sanctioned speech.