@edri : apart from the privacy risks you describe, the internet is way to insecure for citizens to strongly authenticate online.The reason is that internet users have no reliable means to distinguish between fake and authentic websites [1].This makes AitM (Attacker in the Middle) attacks easy: the citizen is made to believe that they have to prove their minimum age (and probably more PII) on fake website F.When they do that, software on F will forward their identity proofs to real website R and obtain a grant to access R.If that grant is a webbased cookie or anything else that can be copied, it will be sold to children and people who want to remain anonymous - while using someone else's identity.BTW, the same will happen to users of EDIW/EUDIW [2]. Credit cards and loans will carry their name while they won't receive even a Eurocent themselves, but likely they will have to pay "back".From [0]: «Authentication mandates a trustworthy verifier. The first step to find out whether a verifier is trustworthy, is to know *who exactly* they are. A domain name simply does not suffice.»[2] https://ec.europa.eu/digital-building-blocks/sites/display/EUDIGITALIDENTITYWALLET/Security+and+privacy[1] https://infosec.exchange/@ErikvanStraten/113079966331873386[0] https://infosec.exchange/@ErikvanStraten/113138678307912960@EU_Commission #Authentication #Impersonation #OnlineAuthentication #WeakAuthentication #Verifier #AitM #MitM #DV #Certificates #Trust