> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
While I appreciate that zero-knowledge proofs are considered, how the hell did no one in charge of the app design think of this? It's literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. You're simply showing the store that you have a phone, with an app, which was configured by someone over 18 (maybe).
Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error-prone).
You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that have verified your age" option where you can revoke the verification, in case your nephew borrows your phone.
They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.
Just like anyone can take anyone's credit card and go shopping - but in contrast phones are (or at least can be) much more secure.
That's not what you're competing with. You're competing with a driver's license with a photo (not a great photo) and some countries have pretty easily faked driver's licenses, but others have driver's licenses in hard plastic with holographic features.
The credit card doesn't work as age verification.
You're competing with photos of a driver's license.
Not sure if you're joking or not, but Denmark has had people show an edited screenshot of the driver's license app, to get into clubs or buy alcohol.
I think they "fixed" it. I think it has some effect now that only works if you tilt the phone.
You're competing with that for the "I want to make sure the person standing in front of me is of legal drinking age" use case, but for the remote KYC/age-verification use cases, you're competing with a photo of the document and/or a selfie.
Maybe bundling these under the same system is a mistake and they should be separate systems with different considerations; it would certainly help with arguments about it online ;P
Bouncers love it: when someone says "oh sorry, I forgot my ID, can you let me in anyway?" they just tell them to download the app :)
I don't know about other countries, but here it requires your passport or actual driver's license, and a 12 or 24 hour wait, to actually activate the driver's license app.
Mhh, maybe it was the Sundhedskortet app? But that does not have a photo.
To be honest I just overheard the bouncer talking about them liking the app. Maybe I misheard it.
We're talking about the EU here, where the standard form of ID is an ID card with very strict requirements, including multiple secure features and an NFC chip with the photo and some other information.
How does the nephew unlock the phone and app?
If it's just a PIN, and the PIN is his aunt's birthday, it might not be much of a challenge. We also have to consider the cases where the adult is complicit; in these cases the app is even less secure than photo ID (for store purchases, not necessarily online).