[mschuster91]

Why so complex. ID cards could solve that issue, every European ID card has a powerful and programmable crypto processor / secure element inside and so do all ICAO compliant passports.

Have the website emit a random nonce (to guide against replay attacks / reuse) plus an information what is requested (name, DOB, address, some like the Croatian ID card even store photographs), the card prepares a response with that data, signs that using its private key (with a 2FA being possible as well by using a PIN/password) and returns it to the website.

The Croatian ID card doesn't even need a middleware because it doesn't do 2FA, you can ask it all of that by pure NFC communication. The German ID card requires a middleware ("AusweisApp", open source) for added protection though.

[Edmond]

Age verification could indeed be implemented in other ways. The approach outlined above is for information verification and trust projection in general, meaning you can put just about any verified information on a certificate and it can be used online.

Here is a concrete example of how trustworthy certificates can be used online, this is my personal profile on bluesky with verification that is independent of the Blue sky service: https://bsky.app/profile/bitlooter.bsky.social

If you click on the profile image you can enter that code into https://certisfy.com/app to verify the identity of the profile. That sticker could be on any online profile to prove high quality authenticity, it could for instance be on an e-commerce site to prove that the site isn't a scam.

[ekr____]

The problem with this specific design is that it reveals your identity to the site, which is obviously undesirable from a privacy perspective.

For those who are interested one of my recent newsletter posts goes into a fair amount of detail about the various technical options here for using digital IDs in this context: https://educatedguesswork.org/posts/age-verification-id/

[LukeShu]

In 2005, we decided that we were going to have Real ID by 2008. We're now looking at a 2027 completion date.

[pyuser583]

At the airport they said I wouldn't be able to travel unless I had a real ID by 2019.

[LukeShu]

First they said you wouldn't be able to travel unless you had a Real ID by 2008. Then they delayed it. Many times. Based on which airport/facility and what state your ID was from, some enforcement started in 2014. Not all states were even issuing Real IDs yet in 2019. Finally, in 2024, all states and territories are issuing Real IDs, but full enforcement won't be until 2027.