Can you give me one example of a 2FA implementation that would work? Where nobody in the login chain can know your identity, but you can still prove you're 18?
Every commercial 2FA app I know is intrinsically linked to verifying a known identity, so they do not provide anonymous verification.
The identity is known at some level, yes. There are actually 2 sides to this.
The identity-verifying service doesn't need to know what websites/services you're accessing. It just needs to verify you once, and then provide some seed for One-Time-Passwords.
A website/service that needs age-authorization doesn't need to know precisely who accesses the site. It just needs to know a Pass/Fail based on a one-time-password-generated key.
If it's done correctly then:
ID-verifier doesn't know what you're doing with your ID
Service-needing-ID doesn't know your ID directly, just whether it's verified or not.
So yeah, you can do this in a privacy-respecting way. It's ultimately not any more difficult than setting up an account with Google and using your Google login on a 3rd party website. (Google probably does track you across sites via their login, but that's not because they have to, it's because they are creepy fucks).
Now is that theoretically game-able? Yeah, any system can be gamed. Credit cards can be gamed, physical IDs can be stolen or faked, photos / biometrics can definitely be faked. There's no 100% system.
The identity is known at some level, yes. There are actually 2 sides to this.
The identity-verifying service doesn't need to know what websites/services you're accessing. It just needs to verify you once, and then provide some seed for One-Time-Passwords.
A website/service that needs age-authorization doesn't need to know precisely who accesses the site. It just needs to know a Pass/Fail based on a one-time-password-generated key.
If it's done correctly then:
So yeah, you can do this in a privacy-respecting way. It's ultimately not any more difficult than setting up an account with Google and using your Google login on a 3rd party website. (Google probably does track you across sites via their login, but that's not because they have to, it's because they are creepy fucks).
Now is that theoretically game-able? Yeah, any system can be gamed. Credit cards can be gamed, physical IDs can be stolen or faked, photos / biometrics can definitely be faked. There's no 100% system.