You go onto you state gov website and get a token that just says “this is an adult.” Nothing else. Token lasts 10 minutes.
Cut and paste into the site. They authenticate without saying who theu are, back to the gov site, “yo, this legit?” State says “looks like something we would do.” State keeps no records of WHO validated the token, just that it was a legit token.
Not at all, this is well established technology already in use all over the place.
When countries use digital IDs, they are able to carve out validating individual aspects of an identity. Just address, just over 18, just class of driver’s license, etc.
So the State has a website/wallet where the user pulls a token from the State, basically a fancy hashed OTP/Login code.
The website, which can’t derive your identity from the code, sends the code to the state API and can’t ask more than “is this hash legit” and the State API doesnt need to say more than “yup.”
Where can things go wrong? The State can ask to know who needs the token. Or even demand to know, and log what sites use it. The state can contract this out to a vendor that logs it all, making data theft far more risky.
It all depends on his the state builds requirements.
Tokenization is the easy solution.
You go onto you state gov website and get a token that just says “this is an adult.” Nothing else. Token lasts 10 minutes.
Cut and paste into the site. They authenticate without saying who theu are, back to the gov site, “yo, this legit?” State says “looks like something we would do.” State keeps no records of WHO validated the token, just that it was a legit token.
Same way that routers connect to VPN services.
How does the state verify that you’re an adult and therefore should have a token?
This solution simply seems to be kicking the can down the road
Not at all, this is well established technology already in use all over the place.
When countries use digital IDs, they are able to carve out validating individual aspects of an identity. Just address, just over 18, just class of driver’s license, etc.
So the State has a website/wallet where the user pulls a token from the State, basically a fancy hashed OTP/Login code.
The website, which can’t derive your identity from the code, sends the code to the state API and can’t ask more than “is this hash legit” and the State API doesnt need to say more than “yup.”
Where can things go wrong? The State can ask to know who needs the token. Or even demand to know, and log what sites use it. The state can contract this out to a vendor that logs it all, making data theft far more risky.
It all depends on his the state builds requirements.