@[email protected] @[email protected]

One scenario I can imagine of is an age check from someone who’s still legally a minor (I’m not sure whether the age check would check for minors faces, I can think of platforms intended to minors, e.g. schools and gaming, having to check if the user is not an adult, but it’s just my speculation), who tries again some time later when they’re legally into adulthood. If the token isn’t validated, they’d be stuck into a perpetual “minor” label.

Sure, a token could be not returned by the wallet if the age check fails (i.e. if the user is a minor), but the associated credentials (email, phone number, username) would be tied, database-wise, to a failed age check attempt, and those teens will one day become adults, and a system shouldn’t lock them out forever. Hence the need for re-validation.

Also, depending on how the token is built and stored, it may or may not have an expiration timeout. In computing systems, it’s common practice for tokens and sessions to have an expiration date (just like logged in sessions will eventually log out and ask for logging in again). It’s different from having to do the age check again: it’s simply about renewing the token that identifies someone as adult, someone who already did the age check, with the wallet simply returning the renewed token without demanding the user to go through the age check flow again.

Another scenario: imagine a relative’s phone being pick-pocketed/stolen by the kid during late night, and the kid somehow knows the relative’s password/pin/pattern or even uses the relative’s finger to the biometric sensor to unlock it, all during the relative’s sleep. Then they head into the “forbidden fruit website”, which happens to be accessed by the relative as well, so it means that the website is already authorized with the relative’s wallet. I can see govs foreseeing this situation and requiring that websites always re-validate the authorization before effectively letting the user into the website’s “adult” content.