Age verification doesn't need to suck
willhackett.uk
The method the article is describing requires a system with a secure enclave. That means it does indeed suck for people using machines that lack such a thing.
Author here. Mate, negativity just makes it harder for other voices to feel like they can be heard. Nobody should fear sharing their opinions… let’s be collaborative and show others how it’s done.
The approach I’m suggesting relies on the same secure enclave/TEE infrastructure passkeys use. Over 95% of iOS and Android devices are passkey-ready; TPM 2.0 is required for Windows 11 (although there are adoption issues here), but over a billion people have already activated a passkey. You’re right that coverage isn’t universal, but it’s broad enough to build on and beats uploading your passport to a third party.
My intention wasn't to be negative; it was to point out a real issue. If we're talking about a standard kind of age verification, then it's a problem. At least for me, I couldn't use such a system.
Since, with this system or any other, someone at some point needs to actually look at an ID, it seems to me that a purpose-built cert that indicates that this was done would be better. Then it would retain the same attributes (aside from being able to be used for anything beyond validating you're over a certain age), you could store it as a file and use it without any special hardware.
Another thought: what about people who use multiple machines? Since you couldn't share credentials across machines, wouldn't that require users to go through the enrollment process for each machine?
I envision it being similar to passkeys today. I'd expect that your smartphone would hold the credential, and you use the standard QR-code flow for most users.
I store my passkeys in a password manager, so it's conceivable that they can be portable... but in ways supported by the FIDO alliance.