EU regulators aim for frictionless age verification, interoperability
Changes in age verification are on the minds of many legislators, regulators and providers. A recently released on-demand webinar presented by Biometric Update and Goode Intelligence explores age verification and estimation in the context of lessons from deployments and regulatory moves in the UK, but the flurry of age verification debate extends to Europe and beyond.
The European Commission-funded euConsent project has released a feasibility study investigating the viability of potential modifications to its architecture that would enable interoperability between age verification providers (AVPs).
Presently, euConsent provides a “distributed interoperable model,” based on eIDAS architecture for secure information exchange between nodes, which allows AVPs to reuse previous age checks performed by other providers as long as both are part of the euConsent network.
The “Feasibility Study for AVP Interoperability between Native Mobile Applications” is concerned with enhancements that would extend this capability to mobile apps. “This goal is not trivial,” reads the report, “since data sharing between different apps has many restrictions, and the two major mobile operating systems (Android – iOS) have different limitations.”
Functionally, the proposed system must be able to recognize when a user has not previously signed in to an age-restricted app that is part of the euConsent network, and therefore requires an age verification prompt. Once a user has signed into an app that is part of the network, other apps that require age verification will recognize that sign-in and apply it. User authentication on a device via PIN, password, or biometric authentication can provide conditional limits to access, or the transfer of permission can be seamless.
Newly downloaded apps using other euConsent AVPs for verification must be able to recognize that an age check has already been performed by the user on another euConsent AVP. For all of this to work, the different AVPs must be able to communicate.
Conflicting restrictions could be solved by deep linking
Challenges to implementation are significant, given the specific restrictions on different mobile apps and operating systems. The report points out that “iOS imposes strict sandboxing and prevent unauthorized access to data. Apps can only share data if both apps are explicitly designed to work together using one of the supported mechanisms.” This means euConsent’s cookie-based token system – “a string token including information of a previous age check,” which “includes a unique ID of the AVP that performed the age verification” and an assurance score on the method – cannot facilitate the direct sharing of verification data between mobile apps.
The system is better for Android, but still imperfect. For euConsent, this all generates far too much friction.
The full study includes technical breakdowns and sequence diagrams for each relevant business scenario, and a more detailed explanation of technical workarounds leveraging web views – “a container within the app that displays web pages or web-based content without launching a separate web browser” – and deep links, which are hyperlinks that take users “directly to a specific location or content within a mobile app, potentially bypassing the app’s home screen or landing page.”
It concludes with two key observations on these potential solutions. One, “the age verification should be initiated by a call to the mobile web browser and not within the native mobile app or in a web view hosted by the app. This is of key importance, so that age verification information (cookies) can be shared between different apps and different AVP nodes.” Two, it is important that “callback URLs are not http URLs, but deep links defined and handled by the app itself.”
In short, there are hurdles to AVP interoperability for mobile apps – but it is feasible, given certain conditions, and the continued work of euConsent.