At the recent California DMV Hackathon, the Block team, represented by members from Square and TBD, won the Best Privacy & Security Design award for building a prototype of an instant age verification system. This solution utilizes mobile drivers’ licenses (mDLs) to provide secure, privacy-centric transactions for age-restricted purchases with Square’s Point of Sale (POS) system.
In this post, we’ll explore the core technical components behind our solution, which centered on using TruAge technology to enable seamless, secure age verification.
How TruAge QR Code Verification Works
At the heart of our prototype is the ability to scan and verify a TruAge Age Token QR code. These QR codes contain a verifiable credential (VC) that confirms a person’s legal age without exposing unnecessary personal information. Here’s a breakdown of how we approached verifying these credentials in our solution.
- Decoding the QR Code Payload
The first step in the verification process was reading the QR code provided by the customer. TruAge QR codes follow a standard format that encodes the verifiable presentation (VP) compactly as CBOR.
Our team implemented a scanner using our open source web5-swift SDK that reads the QR code and decodes the CBOR-encoded payload. This CBOR format is efficient, allowing the verifiable presentation to be transmitted and processed quickly, minimizing any delays at the point of sale.
- Converting CBOR to JSON
Once we decoded the CBOR data, the next step was to parse it into a JSON-based verifiable presentation using the W3C Verifiable Credentials (VC) Data Model v1.1. This model is critical to ensuring interoperability across different platforms and services, as it standardizes how credentials are represented and exchanged in a decentralized manner.
- Validating the Issuer’s DID
After converting the data into a verifiable format, we needed to validate the digital signature on the credential. We retrieved the issuer’s Decentralized Identifier (DID) from the TruAge server, which gave us access to a sandbox environment containing its list of authorized DIDs.
Using DIDs, we were able to validate the cryptographic signature to ensure that the credential was issued by a trusted TruAge provider. This validation step is critical for ensuring that the credential has not been tampered with and was issued by a legitimate authority.
- Credential Content Verification
Once the issuer’s signature was validated, the next step was to check the contents of the verifiable credential itself. In this case, we looked for proof that the individual was over 21 and verified that the credential had not expired.
This lightweight verification process ensures that businesses can quickly and easily confirm a customer’s legal age, while protecting their privacy by not exposing sensitive information like birthdates or addresses.
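The issuer and content checks from the last two steps, as an added Python example that is not the Block team's code and that assumes the signature on the credential has already been verified. The `overAge` claim name, the `OverAgeTokenCredential` type, the `did:example` identifier, the function names, and the policy of rejecting a credential without `expirationDate` are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed allowlist; the real list came from the TruAge sandbox server.
AUTHORIZED_ISSUERS = {"did:example:truage-issuer-1"}

def _issuer_id(vc):
    """VC Data Model v1.1 allows `issuer` as a string or an object with `id`."""
    issuer = vc.get("issuer")
    if isinstance(issuer, dict):
        issuer = issuer.get("id")
    return issuer if isinstance(issuer, str) else None

def check_age_credential(vc, min_age=21, now=None, authorized=AUTHORIZED_ISSUERS):
    """Return (ok, reason). Fails closed: missing or malformed data is a rejection.
    Assumes the proof on `vc` was already verified against the issuer's DID key."""
    now = now or datetime.now(timezone.utc)
    if not isinstance(vc, dict):
        return False, "not a credential object"
    if _issuer_id(vc) not in authorized:
        return False, "issuer not authorized"
    raw_exp = vc.get("expirationDate")
    if not isinstance(raw_exp, str):
        return False, "missing expirationDate"
    try:
        exp = datetime.fromisoformat(raw_exp.replace("Z", "+00:00"))
    except ValueError:
        return False, "unparseable expirationDate"
    if exp.tzinfo is None:
        return False, "expirationDate has no timezone"
    if exp <= now:
        return False, "credential expired"
    subject = vc.get("credentialSubject")
    over_age = subject.get("overAge") if isinstance(subject, dict) else None
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(over_age, int) or isinstance(over_age, bool):
        return False, "missing overAge claim"
    if over_age < min_age:
        return False, "overAge below required age"
    return True, "ok"

# Constructed sample credential (signature proof omitted).
SAMPLE_VC = {
    "type": ["VerifiableCredential", "OverAgeTokenCredential"],
    "issuer": {"id": "did:example:truage-issuer-1"},
    "expirationDate": "2030-01-01T00:00:00Z",
    "credentialSubject": {"overAge": 21},
}
```

The function only reads the issuer, expiry and age threshold, so nothing else in the credential needs to be logged or stored by the caller.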
Building the Integration: Web5 and TruAge Libraries
To bring this solution to life, we used a few key technologies:
- iOS: Our team developed the iOS implementation using the web5-swift library, which allowed us to efficiently handle the scanning, decoding, and parsing of the TruAge QR codes on Apple devices.
- Android: For Android, we modified the TruAge library provided by Digital Bazaar to make it compatible with our solution. This involved adapting the library for seamless integration with our QR code parsing and validation logic.
Privacy and Security at the Forefront
Our approach ensures that personal information is protected at every stage of the transaction. By focusing solely on verifying the specific data point needed (in this case, whether someone is over 21), we avoid collecting or storing any unnecessary information. This is a win for both businesses and consumers, as it minimizes risk while maintaining a smooth user experience.
By integrating this technology into Square’s Retail POS system, we not only enhanced security but also brought innovative, privacy-preserving solutions to small businesses that need to comply with age verification laws. This prototype has the potential to extend to many other use cases, from secure employee onboarding to identity verification for suppliers and customers.
Top comments (1)
Neat