Thanks to new approaches, Trusted Age provides the open source community with a sophisticated and well thought-out basis for operating its own age verification. The detailed documentation and explanation of potential improvements should enable the open source community to adapt Trusted Age to their respective needs, ID documents and legislation.

ZKP requirements and JWT

Since the last report, the Trusted Age team has overcome some technical challenges in the backend that make our solution more robust and versatile. A solution has been implemented that fulfils the zero-knowledge approach for proof of age and ensures data protection as well as enabling verification without an app download. The user's age is stored according to the ‘over 18’ scheme, without revealing or persistently storing the exact date of birth or other personal data, using JSON web tokens issued to the user as a certificate.

JWT token with SDK for integration

An SDK has been implemented that makes it easier for platforms to integrate Trusted Age. The JSON Web Tokens are validated by the hosted Trusted Age instance and the authenticity of the age certificate is confirmed to the platforms. The security settings for storing the tokens must be selected depending on the type of integration. Integration on a subdomain of an OIDC service is recommended to ensure secure communication. In this case, Trusted Age carries out the age verification with full data protection and only the information ‘over 18’ is added to the user profile on the OIDC server, for example.

If you want to set up quick age verification, Trusted Age also works as a standalone service thanks to the flexible JWT token integration with browser cookies and less restrictive settings. Here too, the user only presents the certificate, which only contains the ‘over 18’ information about the user.

Admin panel for manual verification

Another step forward is the introduction of a hybrid verification approach for document recognition. The original plan was to carry out verification fully automatically, but the analysis of the results showed that in certain cases, manual verification by an admin makes sense in order to reliably fulfil the regulatory requirements. Therefore, an admin panel was developed that allows administrators to manually confirm certain verification steps and thus ensure maximum security and accuracy. The front end automatically recognises the current status of the verification and takes the user back to the relevant point. Administrators are informed of new verification requests by email. Users receive a notification as soon as the verification is complete.

Docker and Gitlab CI

In addition, the entire backend infrastructure has been ‘dockerised’, which further facilitates deployment and future development by third parties. With the Docker architecture, future updates or customisations can be carried out easily without affecting the stability of the running system. The project also has a continuous integration setup for Gitlab. It can be customised for specific needs to speed up the deployment of Trusted Age.

Technical highlights

• Privacy-friendly proof of age: Implementation of a zero-knowledge approach to age verification without storing personal data.
• Hybrid document verification: Combination of automated document verification and manual verification by administrators.
• Docker-based architecture: Facilitates the further development and deployment processes for Trusted Age and creates flexibility for future adaptations.

Conclusion 

The further developments have laid the foundation for Trusted Age to become a future-proof and flexible solution that is suitable for platforms in every region and easy to integrate. Our architecture allows our solution to be quickly customised by the global open-source community to meet the needs of a global market while protecting user privacy. We hope to see Trusted Age grow as a tool to potentially play a significant role in a secure digital space for all.