Yoti and Luciditi demo interoperable age assurance through PKI

A method of using public key infrastructure (PKI) to enable interoperability among age assurance providers and systems was shared at the Global Age Assurance Standards Summit last week by Luciditi CTO Philip Young and Yoti CTO Paco Garcia.

In a session presented along with Mark Roberts of the Age Verification Provider’s Association (AVPA), they explained how the PKI approach works and why they selected it.

Digital certificates presenting an age claim are signed by a certification authority and presented as QR codes in a proof of age app, Roberts explained, allowing for its authenticity to be confirmed online or offline. Each issuer makes their public key available to verifiers through a public key directory (PKD).

The approach can be used for a variety of online and in-person use cases, including the major targets of age restrictions like pornography and gambling services. Just as important, it can meet the requirements set out by different jurisdictions around the world with different types of tokens, such as that a person is 18+ or 21+. It also supports consumer choice of providers.

euCONSENT, as an independent non-profit, can play the role of trusted central certification authority, Roberts suggests. PKI is easily scalable, and represents a “’lighter’ solution than that used in euCONSENT’s phase 1 pilot,” he says.

Garcia explained how the token can be added to a web browser, similarly to a cookie, or on a device, with limited time effect as dictated by local regulations.

PKI is a mature technology, Garcia point out, “it’s used in all the mission-critical infrastructure around the world,” like online payments and passports.

The token includes no identifier, as part of the privacy by design approach the partners took. Instead, it contains assertions that biometric liveness detection was used during the age check, the time the check was performed, the age threshold that was met, that the method used is one of the approved choices, and that it was issued by a trusted party. Geolocation can also be added, if the age verification scenario demands it.

The specifics of each can be defined by the local regulator.

“We wanted cost effective solution,” and one that is flexible, Garcia emphasizes. That flexibility includes support for token processing and generation in digital identity wallets including the EU Digital Identity Wallet (EUDIW), mobile driver’s licenses, via on-device checks, age estimation and checks against mobile network operators or credit agencies.

The demonstration depicted a QR code being generated by Yoti’s app, and then read by Luciditi’s, and the reverse, with a laptop held up to the camera running Yoti’s scanner. The payload with the proof of age appeared, and then disappeared after 10 seconds, as another privacy feature.

Young noted that the collaboration did not require extensive planning beyond agreeing that PKI is the best route to interoperability. The greatest amount of discussion, he says, went towards defining the QR code and how to make it smaller.

Article Topics

age verification  |  AVPA  |  biometrics  |  Global Age Assurance Standards Summit  |  interoperability  |  Luciditi  |  PKI  |  Yoti