How would you prevent the token from being used by a different person than it was issued to? This is the online equivalent of getting your older cousin to buy you alcohol from the store using their own valid ID
How do you prevent your house key being used by a different person, that it was not issued to?
I don’t get the analogy. I keep my house keys out of the hands of people I don’t want in. In this case, the age verification is being circumvented by someone simply asking another person to perform it on their behalf.
I guess the practical answer is that it’s impossible because there’s always the option to have an adult perform the verification and then hand over the device to the minor
Yes, the analogy is the burglar getting into the house by asking you to open your door for them. Adults are permitted to decide such a thing, because they know the risks and are expected to be able to reason about that. When an adult has decided, then there is no problem, as far as age verification is concerned. We have regulations when adults are in fact not able to decide such a thing "correctly".
We already have penalties for adults mistreating children by exposing them to dangerous things, but this is orthogonal to age verification.
Why do you want the online process to be more secure than the one using physical IDs?
Mostly because online process can scale a lot further and faster. An older cousin can only walk into a store to buy so much alcohol but a stolen token can be reused a million times in a second.
There's a type of token called a JWT that's really common nowadays, which is composed of 3 parts: Metadata describing encryption for the third part, the actual base64-encoded data, and the encrypted signature. The second part would include "is over 18" and "expiration date" to limit reuse/abuse, and is trivially decoded by anyone to confirm there's no personal information in there.
You'd get this token from your government site and copy/paste it into the site needing verification. The government site would provide a standard public key that can be used with the third part of the JWT to confirm it hasn't been tampered with (verification is built-in to JWT libraries). There would only be one public key that rarely changes, allowing the site to cache it, preventing the government site from correlating users based on timestamps - they never see the JWT from the other site (verification is done locally), and the other site would only need to pull the public key once for however many thousands of people use it.
...that said technical issues aside, I kinda feel like this would be the most acceptable version simply because it doesn't require the average user to trust the math - they could go to a JWT-decoding website and look at it themselves.