Finally it seems the end of Reddit is near.

  • iii@mander.xyz
    13 hours ago

    How would you solve replay attacks? Like a million people, of age or not, sharing the same key?

    • RedFrank24@lemmy.world
      11 hours ago

      Maybe you could limit the number of verifications a key can have in a day? Limit it to say 10 verifications per day. So if you’re on Pornhub and have an account, you can have the key associated with the account, verified, and so you don’t need to re-verify. But if you go on 10 completely different sites and verify for each one, you can’t verify after that 10th one within the same 24hr period?

      You could maybe also include guidelines for integration where if a key is associated with an account, that key can’t be used for any other account. You can include that under some requirement that says you have to make ‘best efforts’ to ensure that a key is only ever used by one account at a time. That way, if a million people are sharing the same key, you’d have to trust that all one million of them will never associate that key with their account because if they do, it invalidates that key for every use other than through that account on that site.
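The two rules proposed in the comment above, sketched as an added example that is not part of the thread or of any real age-verification scheme. It assumes a central issuer that can count verifications per key and that each site enforces the one-account binding on its own; `Issuer`, `Site` and `share_key` are hypothetical names.

```python
import time

DAILY_LIMIT = 10        # per-key cap suggested in the comment
WINDOW = 24 * 60 * 60   # rolling 24-hour window, in seconds


class Issuer:
    """Hypothetical central service that counts verifications per key."""

    def __init__(self):
        self.used = {}  # key -> timestamps of verifications inside the window

    def verify(self, key, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.used.get(key, []) if now - t < WINDOW]
        self.used[key] = recent
        if len(recent) >= DAILY_LIMIT:
            return False
        recent.append(now)
        return True


class Site:
    """Hypothetical site that binds a key to the first account that uses it."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.owner = {}  # key -> account it is bound to on this site

    def verify_account(self, account, key, now=None):
        bound = self.owner.get(key)
        if bound == account:
            return "already-verified"   # stored result, spends no quota
        if bound is not None:
            return "key-bound-to-other-account"
        if not self.issuer.verify(key, now):
            return "daily-limit-reached"
        self.owner[key] = account
        return "verified"


def share_key(key, accounts, sites, now=0.0):
    """Constructed scenario: every account tries the same key on every site."""
    tally = {}
    for account in accounts:
        for site in sites:
            outcome = site.verify_account(account, key, now)
            tally[outcome] = tally.get(outcome, 0) + 1
    return tally
```

Under these assumptions a key shared by any number of people verifies at most one account per site and reaches at most 10 new sites per rolling 24 hours.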