Can you give me one example of a 2FA implementation that would work? Where nobody in the login chain can know your identity, but you can still prove you're 18?
Every commercial 2FA app I know is intrinsically linked to verifying a known identity, so they do not provide anonymous verification.
Or they're hardware or secret key based, and their results can be shared and don't actually verify that the holder is 18+ (e.g., a physical authenticator). That works when your user wants to keep people out of their bank account, but doesn't work when they want to share their account online so everyone can login with it.
Edit: I forgot the third vital requirement, that it needs to be sufficiently foolproof that the government can cheaply and efficiently implement and administrate it.
Can you give me one example of a 2FA implementation that would work? Where nobody in the login chain can know your identity, but you can still prove you're 18?
Every commercial 2FA app I know is intrinsically linked to verifying a known identity, so they do not provide anonymous verification.
The identity is known at some level, yes. There are actually 2 sides to this.
The identity-verifying service doesn't need to know what websites/services you're accessing. It just needs to verify you once, and then provide some seed for One-Time-Passwords.
A website/service that needs age-authorization doesn't need to know precisely who accesses the site. It just needs to know a Pass/Fail based on a one-time-password-generated key.
If it's done correctly then:
ID-verifier doesn't know what you're doing with your ID
Service-needing-ID doesn't know your ID directly, just whether it's verified or not.
So yeah, you can do this in a privacy-respecting way. It's ultimately not any more difficult than setting up an account with Google and using your Google login on a 3rd party website. (Google probably does track you across sites via their login, but that's not because they have to, it's because they are creepy fucks).
Now is that theoretically game-able? Yeah, any system can be gamed. Credit cards can be gamed, physical IDs can be stolen or faked, photos / biometrics can definitely be faked. There's no 100% system.
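The two-sided flow the reply sketches (verifier checks the ID once and hands out an OTP seed; the site only ever gets pass/fail), written out as an added Python example. This is not code from the thread or from any real verifier or product: the party names, the choice of RFC 6238 TOTP for the one-time password, the in-memory tables, the 30-second step, and the dates of birth are all assumptions made for illustration. The verifier keeps only a random token id and seed, never the date of birth, and treats each code as one-time so a code that was copied out of a session cannot be reused.

```python
import hashlib
import hmac
import secrets
import struct
from datetime import date

STEP_SECONDS = 30   # assumed TOTP time step
DIGITS = 6          # assumed code length


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def is_over_18(dob, today):
    """True once the 18th birthday has passed (29 Feb births count from 1 Mar)."""
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:
        eighteenth = date(dob.year + 18, 3, 1)
    return today >= eighteenth


class AgeVerifier:
    """Hypothetical ID-checking side. It sees the ID once at enrollment and
    afterwards only answers pass/fail on (token_id, code); no site name is in the request."""

    def __init__(self):
        self._seeds = {}    # token_id -> seed, issued only to verified adults
        self._used = set()  # (token_id, counter) already accepted: codes are one-time

    def enroll(self, dob, today):
        """Check the ID (modelled as a date of birth) and hand back a random
        token id and seed. The date of birth itself is not retained."""
        if not is_over_18(dob, today):
            return None
        token_id = secrets.token_hex(8)
        seed = secrets.token_bytes(20)
        self._seeds[token_id] = seed
        return token_id, seed

    def check(self, token_id, code, unix_time):
        """Pass/fail only; tolerates one step of clock skew and rejects replays."""
        if not (isinstance(code, str) and code.isdigit() and len(code) == DIGITS):
            return False
        seed = self._seeds.get(token_id)
        if seed is None:
            return False
        for skew in (-1, 0, 1):
            t = unix_time + skew * STEP_SECONDS
            if hmac.compare_digest(totp(seed, t), code):
                key = (token_id, t // STEP_SECONDS)
                if key in self._used:
                    return False      # same code presented twice
                self._used.add(key)
                return True
        return False


class AgeGatedSite:
    """Hypothetical relying site: never sees an ID, only the verifier's pass/fail."""

    def __init__(self, verifier):
        self._verifier = verifier

    def admit(self, token_id, code, unix_time):
        return self._verifier.check(token_id, code, unix_time)


class Wallet:
    """The user's authenticator app holding the seed."""

    def __init__(self, token_id, seed):
        self.token_id, self._seed = token_id, seed

    def present(self, unix_time):
        return self.token_id, totp(self._seed, unix_time)


def run_demo(now=1_700_000_000):
    """Walk the flow with constructed data and return what each step decided."""
    today = date(2024, 1, 1)   # constructed "today" for the enrollment check
    verifier = AgeVerifier()
    site = AgeGatedSite(verifier)
    results = {}
    results["minor_enrolled"] = verifier.enroll(date(2010, 6, 15), today) is not None
    issued = verifier.enroll(date(1990, 6, 15), today)
    results["adult_enrolled"] = issued is not None
    wallet = Wallet(*issued)
    token_id, code = wallet.present(now)
    results["admitted"] = site.admit(token_id, code, now)
    results["replay_admitted"] = site.admit(token_id, code, now + 5)    # copied code, same step
    results["stale_admitted"] = site.admit(token_id, code, now + 120)   # four steps later
    results["forged_admitted"] = site.admit("deadbeefdeadbeef", code, now)
    results["fresh_admitted"] = site.admit(*wallet.present(now + 60), now + 60)
    return results


if __name__ == "__main__":
    print(run_demo())
```

What the split buys and what it does not: the site only ever handles a random token id and a six-digit code, and the check request carries no site name, which is the property the reply is after. Two caveats a practitioner would want before calling this private: the token id is a stable pseudonym presented to every site, so sites (or the verifier, from check timing) could correlate visits by it unless per-site tokens are issued; and, exactly as the quoted comment points out, a seed is just a secret, so a user who hands their seed to someone else hands over the age pass with it. The replay check stops a copied code, not a copied seed.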