Okay, obviously Persona is terribad. There is a real problem to address here though: how are organizations supposed to perform reasonable identity verification at a distance? Sophisticated impersonation attacks hit customer support lines every day. We need a reasonable defense against this.

I'm asking because I honestly can't imagine a solution to this particular problem that is both:

  • User friendly
  • Acceptable to privacy advocates

@mttaggart It's a dilly of a pickle.

@mttaggart I wrote about the cryptography needed to build a solution a while ago: https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/

The usability on top of the cryptography is a whole 'nother can of worms, though.

And even if you use good cryptography for privacy, if your endpoint leaks your credentials anyway, you still put users at risk.

Further, even if a good solution existed, the ways the laws and regulations about these verification requirements are being written are often shitty on top of all that.

There's not an easy answer. But there should be.

@soatok I remember this post, and I remember bumping on this line:

"We would need existing identity verification services (e.g., ID.me in the USA) to vend PrivacyPass tokens that can be redeemed on third party websites."

This is where I think a lot of privacy advocates are gonna get off the bus.

@mttaggart Anonymous credentials are a well-studied area of cryptography. If they balk at them, I dunno what to say lol

@soatok I mean reasonable or not, state-adjacent anything is just anathema right now. It's not a technical problem!

@mttaggart @soatok the thing I find interesting about id.me is that the reason it squicks me out is because it's state *adjacent*, and its primary use case is for *members of the state* (military, though they do serve other communities).

The fact that it’s not my *state* verifying my *state service* is the weird part for me.

@mttaggart @soatok I'm sure you can cobble something together using noir - it's an awesome framework, and makes ZKPs so much nicer.

  • Create a circuit which has been peer-reviewed and is identified by its hash
  • Private input: any ID, must be rooted (signed) by a trusted third party
  • Public input: whatever you want to know about the ID, plus the root (public key) of the trusted third party
  • Proof: I have an ID with a signature verifiable by the public key and fits the requirements

@soatok @mttaggart I think Yivi actually made this? (Disclaimer: I know just enough crypto to know I have no idea if they got it right)

But meh, if the goal really was to protect children, age verification wouldn’t be on top of the list.

@mttaggart There's also the option to NOT build the Torment Nexus.

@mttaggart Depending on the required security/confidence level … Every tobacco store, every liquor store, every tobacco vending machine in the EU does age verification and then hands out an "anonymous" object. So if we consider "adult sites"/"social media" to be exactly as dangerous as smoking, these machines/stores could just sell "proof of age tokens".

Which could also serve as anonymous micropayments, while we are at it.

@mttaggart what is the definition of 'reasonable'?

That's the rub.

@mttaggart so, there’s a couple of different problems that got all smooshed together here.

One is how you verify that it’s the owner of the account that is taking action and not an impersonator. And that’s what MFA (of which Duo is one solution provider) has been trying to do for a while.

There’s what you do when the MFA is inaccessible for some reason (e.g. my smartphone died). And that’s where things like verifying with the employee’s manager come into play. Or you actually have to come into an office as proof of identity (accepting that your work stops until this happens.)

Then there’s making sure you’re a real human at all - that you’re not a North Korean using a stolen identity. Which is something that should be handled *through the hiring process* by conducting a background check and forcing the employee to present (at an office or a recognized proofing services provider) physically somewhere with identity documents in hand to prove you match the person you say you are.

This latest offering seems to be an attempt to go after the last use case, but (maybe?) outside of the hiring process, which is the weird and concerning bit.

@TindrasGrove Maybe they're all different problems, but the attack I'm describing combines them into one. And indeed, MFA is a poor defense in this case for exactly the reason you described ("Help! My phone was run over by a car and all my passwords were on it"). For geographically disparate workforces, "just come in" is often not an option. So yeah, I don't think we have a lot of good answers for this, especially not ones we can give to the poor folks fielding these calls.

@mttaggart as someone who had to do this as part of my hiring process as a remote employee, this is where the trusted third-party proofing vendors come in. I had to go visit a FedEx office that had a designated person to check that I matched my passport and logged some stuff.

And, after that initial proofing, if all my electronics go poof and I buy new stuff and need to re-prove who I am, my manager is able to vouch that I look and sound and act correct and have knowledge that only I should know (as protection against GenAI). Or I could be made to do that same proofing on-demand when it is warranted.

And since it’s coming from a different source than the MFA itself, there’s not a conflict of interest or other way for one system to impact the other without human intervention, which is how I like it.

@TindrasGrove That sounds solid on paper, but a lot of sticking points remain.

  • Access to manager (if there even is one)
  • What knowledge would that be? Secret words, etc. tend to become generalized and/or guessable, or yet another exfiltrated secret. Specific knowledge gets more complicated quickly and may in fact be misremembered. At any rate, codifying/systematizing highly personal challenge/responses is not simple.

I'm not saying it's impossible, but it is rather complex and takes a massive lift to get this kind of system implemented at scale.

@mttaggart to the best of my knowledge it's saying “hey you’ve been working with this person for a while. Are they really them?” And it’s up to the manager to figure that out.

Which is a deeply imperfect situation, but it’s also one in which it’s easy to prep them to be sceptical, unlike your average phishing attempt.

@mttaggart I don't want to be identified as my flesh or government ID by most online services and there is generally no legitimate need to do so.