EU age verification app not planning desktop support

2025-09-2411:52576410github.com

Hi I found multiple usability issues with this solution. The focus is so strong on the app, that it assumes everyone owns a smartphone. The other day I saw a granny on the bus with a phone that was...

Show article

Hi I found multiple usability issues with this solution.

The focus is so strong on the app, that it assumes everyone owns a smartphone. The other day I saw a granny on the bus with a phone that was 2cms thick and predates the famous Nokia 3310. How is she and other users without a smartphone supposed to verify their age online?
How will this impact the browsing experience on the web? Every website has GDPR checkboxes these days which somewhat disrupts browsing experience if browsing in for example incognito mode. Imagine if you want to browse the web privately. Websites don't know who you are so you will have to verify your age every single time. This makes the web unusable for anyone who wants to browse the web privately. Especially on a pc. A solution would be to have some sort of browser extension that handles it automatically. Since you at least claim to value privacy that could work. But it wouldn't really look trustworthy. Note this doesn't only apply to incognito but browsing the web in general. Like trying to compare various news sites. Doing this for every website to visit is a major hindrance usability wise.
What will the cost be of implementing this? My trust in the EU to develop affordable and good technologies has diminished since we created a Peppol access point for our company. The solution was made using technologies only java has proper libraries for. Locking the developer to that language and eco system. Of course not a big issue for a big company. But a small start up won't be able to survive if they have to implement this.

You can’t perform that action at this time.

Read the original article

Comments

By harrisoned 2025-09-2416:217 reply

> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. (..) Desktop support is not currently within the project's scope.

This is the equivalent of a "Do you guys not have phones??"[1] but on a way larger scale.

At least where i live i am able to use the bare minimum of phones, even working with tech. The friction is increasing though, which worries me a lot, and day after day there is a new attempt to shove it down your throat if you want to be considered a member of society. Seeing that a lot of countries (including mine) are pushing for age verification, and the whole thing about Android blocking 'sideload', by the end of 2026 you won't be considered a human being without a government certified smartphone.

[1]: https://www.youtube.com/watch?v=ly10r6m_-n8

By kulahan 2025-09-2416:252 reply

I do find it interesting that in an attempt to bring more people into modern society (via ability to access everything from an inexpensive smartphone), we're creating a stratification in society.

My brother hates tech more than me, and only has an old flip phone. I'm always surprised by the random problems he runs into as a result. Unresponsive desktop sites that beg you to download apps are the worst.

By ACCount37 2025-09-251:15

"Mandatory app" is an anti-accessibility anti-feature.

By FridayoLeary 2025-09-250:00

How is it that in todays day and age websites can be broken on desktops and favours smartphones? They are at best a compromised ux. Small screens and they are awkward to type on. Those are inherent limitations which are unlikely to change anytime soon. folding phones are a niche item and are likely to stay that way for the forseeable future. Tactile touchscreens will only mitigate the inherent drawbacks not solve them. The other solution is of course wearables like ar but not surprisingly people are stubbornly resisting buying them. I'm not sure what Apple and Meta were even thinking. What else is there? Projected holograms in 3d like in movies? I'm not yet ready for my entire world to turn blue.

By bonoboTP 2025-09-2418:1910 reply

Another recent news about mandated app use: Ryanair now (from November) requires using their app for the boarding pass, no more printouts from the desktop. Also, they refuse to show the QR code for the boarding pass in a mobile browser via the website, you must use their app.

https://www.msn.com/en-ie/travel/news/ryanair-s-new-check-in...

By wkat4242 2025-09-2421:031 reply

A BIG reason these companies like Ryanair want you to use their app its that it's much easier to collect data about you than through a website :(

By XorNot 2025-09-2421:235 reply

No, it's a cost cutting measure. App-only reduces support and development costs with whoever they're outsourcing this too.

There's a line item which basically said "mobile web" and they wanted it gone to save some number of dollars per year.

By bonoboTP 2025-09-2421:323 reply

No, sending a pdf by email is no extra cost. They already have an email output interface for tickets and recipts and confirmations.

It's all about better tracking. I'm not quite sure what additional info they get exactly, but tons and tons of mobile websites (that work and don't get deleted) are close to unusable due to a barrage of popups telling you to use the app (e.g. Reddit and other socials).

Also there is no indication they will stop the mobile web version. Already today the mobile web version is there but it explicitly refuses to show the boarding pass QR code: https://i.redd.it/lj3wdnfp9mq91.jpg

By tgsovlerkhgsel 2025-09-2423:51

Not just tracking - also a chance to spam you with notifications until you figure out how to block them, and free ad space on your home screen in the form of the app icon.

By bryanrasmussen 2025-09-255:17

>I'm not quite sure what additional info they get exactly

probably more guaranteed location tracking - hey this guy is buying tickets from the expensive part of town on the newest model iPhone! Chance we can jack up the price, 99% good!

By XorNot 2025-09-2421:364 reply

As an SRE I can assure you that "sending a PDF by email" is far from free to support, and anything email is pretty much top of the list to eliminate.

By wkat4242 2025-09-2421:471 reply

It doesn't need to be by email. They can simply show it in the mobile website.

But they refuse to do so in order to get all that data which they can sell. In a mobile app it's way harder to run ad blockers and much easier to sneakily collect information on the user. Especially on android which is by far the biggest OS in the countries where Ryanair operates.

By throwaway287391 2025-09-2423:131 reply

I really doubt it's that, as opposed to the maintenance cost of an extra flow to a boarding pass. Or perhaps just a perceived complexity/annoyance cost when something breaks in the desktop flow here and there.

I'd think it's only maybe 5-10% of customers at most who both use desktop over mobile to get their boarding pass and use an ad-blocker on desktop. And honestly I don't remember ever seeing an ad (even on Ryanair) when getting my boarding pass on mobile. OTOH I distinctly remember seeing many giant ads on printed boarding passes, most often on printed boarding passes brandished by other customers (usually printed in full color!). I'd think that's hugely more valuable as advertising real estate than the iota of additional data they get to collect on a few adblock users who have been forced to use mobile.

By wkat4242 2025-09-252:43

It's not the ads on their site/app but the data they can sell to ad brokers like Google. Remember an adblocker also blocks trackers.

And even without adblockers a mobile app can gather much more data on you than a website can.

By Zenbit_UX 2025-09-257:101 reply

I don’t often log in to HN to comment, but when I do it’s usually when I see this type of comment.

You can always spot them by the first word being “No” or “False” followed by a confidently asserted yet hilariously incorrect statement.

I suggest reading this [0] and approaching these discussions with more humility in the future. As you yourself stated, you’re an SRE, not a security expert, yet this forum is full of them.

0: https://peabee.substack.com/p/everyone-knows-what-apps-you-u...

By frm88 2025-09-259:49

Wow! The linked article is downright terrifying. It convinced me that spying is the real purpose of forcing apps on users. How do we look in terms of regulations on this issue? I assume the EU data act covers part of that, right? What do we have for the rest of the world?

By sally_glance 2025-09-2421:531 reply

We (software agency) recently encountered this line of argument for the first time here in Germany.

It definitely reduces costs to swap 3 platform support to 2, but it still came as a kind of surprise to me. They (customer) poured years and seven digit figures into the web-based version which is now effectively going to be trashed. The current prod metrics are not supporting the 90% mobile thesis... I guess they just have high confidence that it will become true soon.

I'm wondering if these are the first signs of an age-based bias I have and the next generation just can't really imagine a majority of users using desktop PCs.

By johnnyanmac 2025-09-2422:091 reply

Ther's a line between "we don't support this platform" and actively making it hostile to try and use a platform. It may have even taken extra development time to make sure they can reject showing the QR code on a webpage, if their app is just serving that same web page.

By XorNot 2025-09-2510:02

If corporate no longer wants to support mobile web, then it means I don't have budget to host it. It means developers can't put time against fixing it, QA aren't tasked to test it before releases, and support staff are not being trained in supporting it. The last one is pretty key because it's a huge metric for cost center: how many support calls is a thing generating? And if the thing is not supposed to exist anymore, then I would have to answer questions like "why is it still accessible?"

Internal job tracking metrics would have to answer why any time is going to running this thing, and god help us if there's a security breach via this endpoint we were supposed to have eliminated N time ago.

An unsupported internal API is one thing - and they're generally a huge timesink anyway. An unsupported external user interface is a cost center which I can't justify, and impacts numerous other parts of the business.

By hulitu 2025-09-257:35

> No, it's a cost cutting measure

Only marketed as such. Selling user data generates revenue. Win-win

By EvanAnderson 2025-09-2419:392 reply

Ticketmaster and their stupid app is another good example. As if I couldn't hate Ticketmaster any more I recently bought some tickets and learned about this idiocy.

By SketchySeaBeast 2025-09-2419:412 reply

I throw the tickets into my (digital) wallet and then don't think about the app until the next time I need to buy tickets. But that's not helpful if you don't have a phone.

By EvanAnderson 2025-09-2419:48

I used to print paper tickets so I could get into a show if my phone died / got broken / etc. That doesn't happen often, to be sure, but I also don't want phone bullshit to keep me out of a show that, in the case of this recent one, I have >$500 in tickets for. One less dependency is a good thing.

More to the point, the app isn't for my convenience. It doesn't do anything to make my experience better.

By smcg 2025-09-2420:121 reply

And most wallet apps don't work if you install your own phone OS.

By lmm 2025-09-254:18

Most e-tickets designed for wallet apps follow a well understood standard which has multiple implementations available for different OSes, e.g. https://linuxphoneapps.org/services/pkpass/

By 1over137 2025-09-250:48

With Ticketmaster you can at least still show the ticket via logging into their website, no app needed.

By sunshine-o 2025-09-2514:15

What do you expect?

Ryanair has always been an horrible corporation in the business of shipping drunk and old people for £5 with the help of public subsidies. They also largely abused their staff to enable that business model.

They are like many other corporations creating more and more fragile systems and I bet one of those days something is gonna go wrong and nobody will board their plane for a day or two.

Just stop feeding the beast...

By llimos 2025-09-2418:232 reply

Big difference between a private company mandating app use, and a government

By bonoboTP 2025-09-2418:331 reply

I disagree. It's a tandem, and corporations and the government are increasingly welded together.

Also, I'm not too worried about the airport usecase as we're already being tracked and surveilled and inspected there as much as possible.

But it's another step to normalize and mandate phone and app use. The puzzle pieces are falling in place. Soon, AI could screen-capture your phone screen to detect suspicious activity, and track every tap you do, also taking pictures with the front-facing camera without you knowing, listening on the mic, etc. etc., connecting it all to your real identity. Because why not? If it's done step by step, nobody will care at all. Maybe that sounds pessimistic, but it looks like the end game and I see no principled political stance against it, nor any insurmountable technical hurdles.

By card_zero 2025-09-2419:251 reply

> increasingly welded together

That's an insinuation with some vague truth to it, but not much. Budget airlines are not government departments, and competition between them isn't phony.

"The sky is blue" "I feel that it is increasingly yellow"

By bonoboTP 2025-09-2419:292 reply

There's little competition pressure because consumers don't care. I guess the standard theory says that the buck ends there. If people are fine with it, it's fine.

By card_zero 2025-09-2419:312 reply

Now you're talking! People suck, it's their fault.

By bonoboTP 2025-09-2420:19

We'd do well with taking an honest stock of what allowed the formation of democracies and civil liberties, because likely it wasn't that average people longed for it so much that it happened. It's out of my weight class to pitch a grand narrative for this, but we've seen many forms of societies and governances and the current one (or from 20 years ago) won't be the last.

By johnnyanmac 2025-09-2422:12

There have been very few policies truly passed because "everyone wanted it". It always starts with some "radical" minority bringing the idea to light and then campaigning for it. Even if the thing is obvious.

The former happening would make so many things easier.

By XorNot 2025-09-2421:261 reply

You are arguing there's little competition pressure between budget airlines, a business with notoriously razor thin margins which people shop almost exclusively on price to the exclusion of all other parameters?

This isn't a serious argument.

By bonoboTP 2025-09-2421:36

Only price pressure. No measurable number of consumers will choose a different airline due to their boarding pass app policy.

By horsawlarway 2025-09-2419:20

Functionally, I'm not sure I agree.

Ex - we already have plenty of cases where the government outsources payment processing to 3rd parties. What happens when that private 3rd party declares it's not accepting payments through anything except a mobile app?

By alexchamberlain 2025-09-2419:331 reply

But what if my battery runs out?

By bonoboTP 2025-09-2420:013 reply

They are verbose and vague about it: "Some passengers may be concerned about what they can do if they lose their phone or of their devices run out of battery before the pass board the aircraft. Ryanair has said they will assist people experiencing difficulties free of charge at the gate gathering their information and flight details which will be cross-checked and validated against the flight manifest so that they can board as normal."

By jacobgkau 2025-09-2420:373 reply

Of course-- there will be accommodations to start out with. Then, after the new system has become "just the way things work," the accommodations will be removed for security or efficiency or some other reason.

Or maybe not. I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?

By bonoboTP 2025-09-2421:122 reply

Without endorsement of the behavior, here's a guy getting arrested for being argumentative about not having a boarding pass in the app, and being told he can't pay their 5 dollar boarding pass print fee with cash.

https://www.youtube.com/watch?v=0QwwPmHyuEA

Again, being argumentative like this never helps, but it will be you either go along with it, get escorted out or not fly in the first place.

By john01dav 2025-09-253:231 reply

Morally, this guy did nothing wrong. These abusive practices need to be stood up to. I'd rather live in a world where this sort of vehement NO when someone with power tries to pull something unreasonable, like demanding an app or fee, is common and effective, than this world where companies and governments can just steamroll people. Ideally, other passengers would see what's going on, see the systemic problem (even if minor in this case), and also join in in the NO. Make the terminal unusable with an angry growing mass until they decide to be reasonable. The comments on that youtube video mocking the guy and not even addressing the airline's unreasonable policy are also an absurd lack of solidarity against these companies. When someone is mad they probably have a reason to be mad and we ought to listen to them and then get mad too if we agree, other than just dismissing someone for feeling an emotion, lest we'll just have more and more rights, privileges, and respect eroded. We need a culture of standing up for each other against injustice, no matter how small.

I know that his behavior was not a rational pursuit, since in practice humans are too skittish about standing up for themselves and too skittish against anyone whom they see as abnormal/not complying with social norms. But, this does not change the fact that he's completely in the right. I'd love to know a more effective strategy to deal with this shit from companies, if anyone knows one. What should he do instead in this situation where it is simply too unjust to him to be acceptable to give in?

Also, I'm offended at this cop for telling the guy to "be cordial". NO. The airline's behavior is not cordial! They do NOT deserve it back! Freedom of speech means freedom to get mad at someone, possibly REALLY mad, when they try to be unreasonable. Being angry is different from being violent, and the government shouldn't shield people and companies from this consequence (angry people) of their actions.

By brokenmachine 2025-09-255:37

>The comments on that youtube video mocking the guy and not even addressing the airline's unreasonable policy are also an absurd lack of solidarity against these companies.

I see this a lot on reddit and youtube. I tend to think that it's bots paid for by the company.

There's always just too much unanimous agreement in favor of the corporation.

Maybe I just don't want to believe that people are that homogenized.

By hulitu 2025-09-258:18

This really looks dystopian. But, this is the future.

No TLS certificate (which will expire soon), no boarding. /s

By bonoboTP 2025-09-2421:221 reply

The likely future is where you'll be given a USB-C charger to charge your phone. If you have no phone or is broken, it will be the equivalent to having a strongly damaged passport. No fly that day, get a new phone, fly on another date, just like if you needed a new passport. The phone will be your ID, passport, credit card and everything. But since it will be all backed up in Google/Apple/Microsoft cloud, maybe you'll be able to buy a new simple phone near the gate, log in via fingerprint and facial recognition and go on your merry way. But also, once all this stuff is connected up in the cloud, maybe facial and fingerprint recognition will be enough to fly. NFC chips under the skin are probably too bad optics for the near future, but in one or two generations, attitudes will shift.

> I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?

Yes, typically there's a fee for getting it printed at the check-in counter.

By qingcharles 2025-09-262:06

I had a very worn passport. I got to check-in one time and as I handed my passport to the agent my photo fell out of the back page.

They still let me fly from UK to USA and back.

This was 1997. Wild times.

By tgsovlerkhgsel 2025-09-2423:53

With a normal airline? You walk up to the gate, say you lost your paperwork (boarding pass, ticket, doesn't matter), show your ID, and get a new boarding pass issued within about a minute of managing to get someone's attention. At least that was my experience. No hassle, no fee.

Ryanair? I would expect them to offer you their boarding pass printing service for only $99.99 (you missed the $49.99 special that was only available until 4 hours before boarding, silly you).

By koyote 2025-09-250:301 reply

Maybe we need to collectively all 'lose' our phone just before boarding at the gate, resulting in some flight delays, so that this nonsense gets reverted.

By john01dav 2025-09-253:241 reply

This is the sort of solidarity that we need against this insanity.

By sjw987 2025-09-259:121 reply

And the sort of solidarity that unfortunately will never happen. Most people will just download the app and carry on. Very few people hold the very real concern about things moving in this direction.

Your average phone user is already hostage to 7 hours of screentime daily. They don't mind installing more apps. The average person has hundreds of apps on their phone, many of which are never even used.

By bonoboTP 2025-09-2511:24

And they have a constant barrage of notifications, and they tap "Allow" on everything. It can be mind boggling if you spend your life in a developer-minded bubble. They watch ads. They sometimes like the ads and smile at them and don't skip them immediately.

Nothing much has changed since the times when you had to "fix" your aunt's computer in 2003 because it's "slow" and found a zillion toolbars and cleanup/speedup utilities.

By Asooka 2025-09-2513:57

Oh so I can just carry a phone with a dead battery and don't have to go through their idiotic app.

By interloxia 2025-09-2513:32

https://corporate.ryanair.com/news/ryanair-confirms-wed-nov-...

By WaitWaitWha 2025-09-2422:43

This has been the same for most low cost airlines (e.g., Frontier, Spirit). To get a boarding pass without a mobile, customer must go to the counter, pay an additional fee and get the printed version.

By CraigRood 2025-09-256:18

I'm confused by your statement as the article suggests you can get a boarding pass via email.

By anonym29 2025-09-255:16

Wow, rendering their entire core business operation vulnerable to extortion from a DDoS attack that's capable of taking down a single API endpoint? Even if they have a major commercial WAF/CDN, the cost to take down Cloudflare is a lot lower than the revenue lost by an entire airline being unable to process boarding at all.

Fingers crossed the Russians figure this out and help remind these businesses why lacking paper alternatives is NOT a cost-saving measure. The group that can take down that API endpoint can pretty much name their price to Ryanair and the C-suite will effectively have a fiduciary duty to shareholders to pay it if there's truly zero alternative and that starts disrupting revenue indefinitely.

By oblio 2025-09-2418:531 reply

What about Google Wallet? Or just a PDF from your email?

By bonoboTP 2025-09-2419:09

To me, that's getting bogged down in details. What matters is the intent and direction. Maybe you will have some workarounds for some time. But just as more and more places go cashless, it will also be paperless and mandatory app-based.

By andreasmetsala 2025-09-2511:541 reply

Maybe off-topic but I remember when people were worried about services becoming digital and older users no longer being able to access them without a personal computer.

Fast forward a few decades and now the old users are on desktop and we’re worried about services only being available for smartphones.

By 7bit 2025-09-2517:30

Are we the old people now?

By GoblinSlayer 2025-09-2521:18

>This is the equivalent of a "Do you guys not have phones??"

Remotely related: https://ottawacitizen.com/news/manor-park-ottawa-sidewalk-re... there are dozens of us, dozens.

By b00ty4breakfast 2025-09-250:321 reply

the point is to have everyone "collared" and traceable. The conspiracy guys all worry about getting micro-chipped but that's far too invasive and obvious for modern society. the new Control gives the illusion of endless opportunities and freedom while also being the very method of limiting that freedom. It is the leverage through which control is exerted.

to quote Gilles Deleuze's Postscript on Societies of Control(1992):

>The conception of a control mechanism, giving the position of any element within an open environment at any given instant (whether animal in a reserve or human in a corporation, as with an electronic collar), is not necessarily one of science fiction. Felix Guattari has imagined a city where one would be able to leave one's apartment, one's street, one's neighborhood, thanks to one's...electronic card that raises a given barrier; but the card could just as easily be rejected on a given day or between certain hours; what counts is not the barrier but the computer that tracks each person's position-licit or illicit...

https://faculty.umb.edu/gary_zabel/Courses/Spinoza/Texts/Pos...

By gyomu 2025-09-2513:43

It is insane to read Deleuze, Baudrillard, Debord, etc. in 2025. Just insanely prescient, and the perfect illustration that being able to describe and anticipate problems is nowhere near sufficient to solve them.

By krzyk 2025-09-2416:571 reply

This is good I think because lack of verifications anywhere is good. So at least desktops will be free of it.

By simjnd 2025-09-2417:012 reply

Worse: You just won't be able to use websites on desktop unless you pull out your phone and verify.

By BeFlatXIII 2025-09-2420:231 reply

I hope the push for verification leads to the normies learning the ways of identity theft. The fun really ramps up once they figure out free money tricks.

By GoblinSlayer 2025-09-2423:171 reply

Normies don't use desktop computers.

By fn-mote 2025-09-252:24

I am pretty sure that the point is that the "normies" are going to be getting their identities stolen in order for others to pass the age verification.

By mindslight 2025-09-2418:121 reply

But this will at least create a healthy pressure for competing options for users on desktops, likely based on novel secure protocols.

By avra 2025-09-2419:081 reply

Most of the times the user prioritizes more convenient options over privacy. "Pressure for competing options" will mean that options compete for the most convenient way, not most secure or most private.

By mindslight 2025-09-2419:191 reply

Sure, but the point is that the more convenient less-secure ways are going to be criminalized. Otherwise nobody would use the age verification app in the first place.

By raxxorraxor 2025-09-258:07

Then the recommendation from this should be to become criminal.

By raxxorraxor 2025-09-257:07

Developers contributing to that project should be ashamed. I am sadly situated in Europe and the crap the EU pushes out recently with chat control, bad ID solutions and censorship doesn't match what democracies should expect.

Not going to use the app of course. If that restricts me I will seek to route around this censorship and share with others. This crap has to be resisted.

Stupid project, stupid design, stupid continent.

By bilekas 2025-09-2413:078 reply

This is a great example of how this whole requirement hasn't been properly thought out.

> Desktop support is not currently within the project's scope.

What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?

One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.

Edit: Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.

By j0057 2025-09-2414:165 reply

> Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.

This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.

By logifail 2025-09-2415:043 reply

> you can't run your bank's app

I can log in to my bank account using my desktop PC

> government eID apps

I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.

By okanat 2025-09-2415:2611 reply

Not in EU. Many banks mandate you either have an iPhone or Google approved Android as 2FA. Those fucking idiots have killed their own competition options.

By BasilofBasiley 2025-09-2417:173 reply

While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness" This is what's happening in Portugal:

https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...

Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATM's or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, specially for a Portuguese bank.

The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.

Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png

rsync, here you go:

https://reports.exodus-privacy.eu.org/en/reports/652314/

By wkat4242 2025-09-2421:06

> While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness" This is what's happening in Portugal:

Well yeah but that's what you get when you make overly broad statements like "not in the EU".

By eikenberry 2025-09-2419:131 reply

You say "The bank"... does this mean Portugal only has one bank? If not, wouldn't this be a good reason so change banks? Maybe to a credit union (bank co-op) if they have those in Portugal as the members generally have much more of a say.

By BasilofBasiley 2025-09-2419:531 reply

When I wrote "the bank" I meant, the bank in question, which is the one mentioned in the URL. Hope this makes it clearer for you.

As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.

I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.

This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure that keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), specially since the Chave Movel Digital app from the government [0].

Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.

Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit jankie I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.

[0] https://www.autenticacao.gov.pt/a-chave-movel-digital

By GoblinSlayer 2025-09-2423:231 reply

Just use a strong password, then 2fa is redundant.

By geggo98 2025-09-2510:40

Not sure where gp lives. But most banks here restrict you to 4 digits as the password. So basically a PIN. If you are lucky, you get 6 digits or even letters. But be careful: if you use “fancy letters” (symbols, umlauts, …) you risk locking your account: you will be able to set this password, but the actual login form won’t allow you to enter it. Banks here are highly regulated, so don’t hope for competent competition.

They mitigate the obvious security thread with mandatory 2fa (actually mandated by regulation). Some use this as an opportunity to push their apps: no separate 2fa method, but only integrated in their bloated app, that checks for rooted devices and only supports the newest OS.

It’s quite hard to find out in advance, what 2fa methods with which fees each bank actually requires. I remember that some of them had funny ideas, what a customer should be billed for 2fa SMS. I think it was 50 cents per SMS.

By rsync 2025-09-2418:501 reply

Can you expand on:

"It has interesting permissions as well ..." ?

I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.

I would be alarmed if it requested microphone or access to either contacts or photo storage ...

By BasilofBasiley 2025-09-2418:58

I updated the above comment. Cheers.

By yupyupyups 2025-09-2415:38

My bank (in the EU) has a fully functional website where I can identify myself using an offline 2fa device.

By Fargren 2025-09-2415:34

Yes in EU. I'm in Spain and I sign up to several banks as well as government sites in my desktop PC.

By Retric 2025-09-2416:03

That’s what competition is for. You can still swap banks over such nonsense.

By Semaphor 2025-09-255:14

Many or even most banks in Germany don’t require google verification, many even work on rooted phones.

By johnisgood 2025-09-2416:452 reply

Which banks? Which country? How do they check and enforce iPhone / Google wrt. 2FA? Are you referring to TOTP as 2FA?

By okanat 2025-09-2421:283 reply

All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.

Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.

The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.

By cycomanic 2025-09-252:11

> Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.

Most banks? Do you have evidence? AFAIK many (and certainly the most used) German banks (Sparkasse, Commerzbank, Hypovereinsbank) allow chiptan which does not require a smartphone.

By BasilofBasiley 2025-09-2422:451 reply

>SMS is banned. Really? I didn't know that. Can you point me to a document that states that? I'd greatly appreciate it.

>SafetyNet or Play Integrity

A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android eco-system I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some if it was definitely related to security.

I might take a look at it again tomorrow.

I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.

If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers

Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.

By GoblinSlayer 2025-09-2423:371 reply

Try to run it in virtualbox.

>Last I checked Huawei was persona non grata in the west

Isn't it only in USA?

By johnisgood 2025-09-253:14

> All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.

Hungary is in EU and the most popular bank sends a one-time code (with expiry) via SMS for logging in, making a transaction, for the mere displaying of "Telecode", and so on.

There is no TOTP, only this one-time code sent via SMS.

I do not use their apps on any platform. I login via their website when I need to which is rare. When I make a payment via card, I have to provide the provided 3-digit "Telecode" and the one-time code sent via SMS. There is an option "What if I do not have access to that phone number?" or whatever the literal translation is, but I have not checked that out yet.

... which is why I left a comment asking you about the details. You telling me SMS is banned and referring to EU regulations just left me more confused given the above.

By pimterry 2025-09-2416:571 reply

All of them now require some kind of 2FA, everywhere. This is due to a legal requirement on all EEA payment providers that they require 2FA for almost everything since 2020, including accessing your account on their website: https://en.wikipedia.org/wiki/Strong_customer_authentication

TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) require that you accept a confirmation prompt or similar in their app.

By logifail 2025-09-2418:50

It feels like "gold-plating" of regulations is and always has been a significant problem in the EU.

Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously only allows only X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.

Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.

By xxs 2025-09-2416:272 reply

Of course in the EU - pretty much all Baltic and Nordic countries support id cards connected via usb

By okanat 2025-09-2417:102 reply

Well not in Germany. Some banks accept their branded authenticators, some of them don't.

ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.

DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.

N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.

The traditional banks have high fees. One pays upwards 10 - 15 Euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.

So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.

By riedel 2025-09-2417:531 reply

My German bank started to require an Android or IOS smartphone [0]. No dedicated HW, no desktop. I actually dumped my well working Xiaomi Phone because it was either security or banking.

[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...

By okanat 2025-09-2421:331 reply

I actually considered switching to 1822direkt last year. No more!

By riedel 2025-09-2510:36

They used to be ahead of the bunch 20 years ago. They sent out PGP encrypted transaction statements if you wanted. Then they degraded. I think of switching to a normal Sparkasse, they typically even can do account creation with EID l, have Wero and allow 2FA Hardware.

Absurd thing is that 1822 claims to make things much more secure but their 2FA reset with a single phone PIN is a joke.

By generic92034 2025-09-2422:40

> So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.

I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.

By GardenLetter27 2025-09-2416:532 reply

Nope, Sweden requires Mobile BankID on iOS or Android for example.

By Samtidsfobiker 2025-09-2417:051 reply

BankID has a desktop version, and no site which requires Mobile BankID would not allow you to also use the desktop version.

By GardenLetter27 2025-09-2417:591 reply

But it doesn't support Linux.

By Jensson 2025-09-2510:04

It used to, it could quickly get back support if there was a reason to.

By osks 2025-09-256:05

Several of the biggest banks have alternative methods that don’t require mobile BankID.

By synecdoche 2025-09-2415:401 reply

Likewise in Sweden. No bank that I’m aware of is limited to require mobile only login.

By nextos 2025-09-2416:51

Some neobanks are limited to mobile-only. The OP's statement was too general. It's also true that some regular banks are phasing out 2FA via SMS, which is outdated per EU regulations, and may not easily offer alternatives to their app for 2FA codes.

By wkat4242 2025-09-2421:041 reply

Spain provides smart cards to their citizens. Mobile is not needed.

By dzhiurgis 2025-09-2421:27

My experience of using them is horrible.

By 1over137 2025-09-250:531 reply

>Not in EU

That's especially crazy. With Trump's/USA's belligerence, why on earth would EU companies/banks/governments want to require that you have an Apple/Google account, it makes them totally dependant on foreigners!

By hulitu 2025-09-258:44

Because "deal". Why implement an aithentication when you can use the Google/Apple/Microsoft one ? It's free. You only have to make a "deal" and give them all your data (which they have anyway, because they run the keylogger on your device).

By janice1999 2025-09-2417:22

>Not in EU.

Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + Card reader matching everything the mobile app can do.

By 3836293648 2025-09-2418:471 reply

Well in Sweden we can't. You already need bankid on your phone to log in on your PC. There used to be a bankid desktop app and dedicated hardware, but that's gone from many sites now

By osks 2025-09-256:11

There are banks/companies that require BankID, but there are several big banks that have alternative methods. It seems that only Swedbank of the big four require mobile BankID for sign in.

By tarsinge 2025-09-2415:251 reply

For now, there is an increasing number of banks and government websites that are broken if you are not using Chrome or full on requires it.

By agf 2025-09-2416:02

This has been true since it stopped being true for Internet Explorer. I've not noticed any significant change over time. I have been using Firefox for over 20 years.

By ale42 2025-09-2414:23

True. But it doesn't _need_ to be so, it's actually a problem.

By freehorse 2025-09-2414:58

True, but there are alternatives to using these services, though a bit more inconvenient. What will be the alternative to the age verification mobile app?

By anttiharju 2025-09-2419:171 reply

> This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.

Fairphone 6 with e/OS begs to differ. Dutch phone with a French OS. No issues.

By em-bee 2025-09-2420:20

well, my bank's app does not run on /e/OS. i get some kind of security error

By lloydatkinson 2025-09-2414:262 reply

Back when Microsoft said they were going to let Android apps run on Windows before killing it off for I think the third time, I was excited that I'd be able to run my bank app on my desktop. The app is a simple process to login, but the website has about 50 steps to login making it unappealing to use (probably on purpose).

By Gander5739 2025-09-2414:52

You can, aith Windows subsystem for Android. Unsurprisingly, it's not going to be supported for much longer.

By worldsayshi 2025-09-2415:23

I get that it wouldn't be optimal but can you run it on an android emulator?

By qiine 2025-09-2413:144 reply

This read more like "we thought pc was a dead relic of the past" sadly

By sjw987 2025-09-2414:181 reply

To me it reads that, since many people already believe this is more about tracking than safety, they are focusing on a device which is the perfect surveillance system, and which conveniently already accounts for 7+ hours of many peoples daily computer/internet interaction.

A desktop computer doesn't necessarily have a microphone or camera, and doesn't necessarily have to be connected to the internet. I'd wager most crime, including that which affects children is done on "disconnected devices" in this sense.

By sidewndr46 2025-09-2414:262 reply

you could pretty much replace the statement with "General purpose computing considered harmful"

By ethagnawl 2025-09-2415:37

> "General purpose computing considered harmful"

Even though it sounds like _you_ probably know this, Cory Doctorow has been sounding this alarm for years. As usual, it seems he was right about the possibility of this being a legitimate battlefront in the (actual, non-hyperbolic) war on freedom.

By qiine 2025-09-2415:201 reply

or user 'having free will is problematic and unsafe' if we want to go even deeper :(

By eimrine 2025-09-2510:09

What is the location of your free will in your body? Is it in brain or in quantum particles, or anywhere else?

By amelius 2025-09-2413:302 reply

I think it's more that smartphones have built in security measures that prevent hacking. It already works for bank apps, so why not use it for government stuff too?

It sucks, yes, but that's probably how these people think.

By dathinab 2025-09-2413:46

but if age verification is used for what it claims it is such hacking protections are not only unnecessary but fundamentally harmful (i.e. if a child hacks their PC it's fine if they circumvent age verification, the main responsibility still lies with parents and as such tools like parent controls are much more relevant)

the main reason is that this is not a reference implementations or "this is the app everyone must use" case but a "to see what is technical possible/practical" "research/POV" project

this also makes the "EU age verification app" title quite misleading

By littlestymaar 2025-09-2414:03

> I think it's more that smartphones have built in security measures that prevent hacking.

Which is a joke when you know that most phones in the wild are using an obsolete OS version (most of the time due to lack of software support from the manufacturer, but sometimes because some people just refuse to update because updates are in fact downgrades — looking at you iOS).

By ktosobcy 2025-09-2413:534 reply

Well, looking around I see more people using smartphones for anything and even not having a PC…

By mrweasel 2025-09-2414:192 reply

I've seen this as well. It's getting increasingly normal, but I cannot imagine doing the same myself.

There's a much bigger likelihood of me going back to a feature-phone, compared to me starting to use my phone for anything but the absolute basics.

By Imustaskforhelp 2025-09-2415:00

I used to use a feature phone and I genuinely didn't miss any of the same things.

my commute is a really long ride and I just don't like using my phone in it.

My dumb phone had music system and sd card (I finally managed to have that sd card fixed after an year of using that dumbphone without even an sd card for music)

I just used to stare into nothingness / surrounding and think. (Yes I have edited it because I didn't used to think, I used to overthink just as I am doing right now lol)

Not that productive, but my current phone is so slow that I can't even tell you guys or start telling you. It takes me 1/2 a minute just to unlock it and the only thing its truly good at is having a music player run and some occasional hackernews or pokemon showdown or youtube scrolling.

But tbh, I don't have any banking apps etc. so to me there isn't thaaat much of a difference. I feel like a macbook is genuinely nice as it has that less friction and a pc is great too as compared to a phone for the most part when I am at home.

My screentime is usually just some shorts that I occassionaly watch on phone when I am extremelyyy bored.

I am sad that my dumb phone was in my bag one day and then it just stopped (working??) , I swear I kinda regret having my dad's old phone. I am not sure how he was even using it.

By ktosobcy 2025-09-2415:42

Same, but I also have other quirks and that doesn't mean this is TheTrueWay and everyone should adapt to it :)

By nozzlegear 2025-09-2414:262 reply

Smartphones are a lot more portable than desktop PCs or even laptops. Unless you enter everyone's home to take an inventory of their devices, it stands to reason that you're going to see more smartphones than anything else by just looking around.

By bigstrat2003 2025-09-2415:27

Sure, but computers are a lot more capable. Even for just scrolling sites, a desktop computer is a superior experience.

By ktosobcy 2025-09-2415:461 reply

[flagged]

By nozzlegear 2025-09-2416:021 reply

> Please get off of your high-horse and actually try to interact with wider world and not the IT bubble :)

That seems pretty rude and uncalled for, why would you say that to me? Do you think that I don't have friends outside of the "IT bubble" myself, or that I don't have my own spouse who is a non-tech person?

By ktosobcy 2025-09-2510:441 reply

What's so rude and uncalled for? It's just a statement without steeping to any offensive vocabulary.

And it's kidna funny that you are offended by it while you outright dismissed my comment with your "all knowing": "Unless you enter everyone's home to take an inventory of their devices, it stands to reason that you're going to see more smartphones than anything else by just looking around." - wouldn't you say that was offensive as well? But no - you feel entitled to this opinion and see nothing wrong with such silly rebutal :D

By nozzlegear 2025-09-2520:14

> What's so rude and uncalled for? It's just a statement without steeping to any offensive vocabulary.

Spare me your sophistry.

By EvanAnderson 2025-09-2419:431 reply

The vast majority of those people are never going to know the freedom and power afforded by using a general purpose computer you actually control.

The "war on general purpose computing" need only be the waiting-out for those of us who remember actually owning a computer to die.

By qiine 2025-09-2510:07

I secretly believe that the PC is simply so unbelievably powerful that its impossible to kill

By mariusor 2025-09-2414:422 reply

But as long as there are still people using desktop computers, removing access from them is an overreach and makes these ideas totally undemocratic. I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.

The only eventuality where this is acceptable is when desktop computers won't even be gated, and then if anyone can circumvent the problem with a computer, why is anyone even bothering with the whole thing...

By ktosobcy 2025-09-2415:43

Are they?

Again - this is only just one of the possible implementations of https://ageverification.dev/Technical%20Specification/archit...

It's possible to have others but as POC they are focusing on covering the biggest chunk of the population…

By bigstrat2003 2025-09-2415:302 reply

> I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.

That doesn't surprise me at all. Principles in a government body don't exist. They are all crooks.

By HankStallone 2025-09-2415:511 reply

It doesn't surprise me either, because I'd never be able to use a phrase like "the principles and know-how of the EU" with a straight face. (To be fair, you could replace "the EU" with almost any large bureaucracy.)

By mariusor 2025-09-2416:092 reply

Sure. But the EU is not just your average bureaucracy. It's an entity that has as one of it's specific goals the following[1]:

> combat social exclusion and discrimination

[1] https://european-union.europa.eu/principles-countries-histor...

By graemep 2025-09-2417:571 reply

Any large bureaucracy has similarly lofty official goals

By mariusor 2025-09-2418:411 reply

I understand we're all old and cynical here, but one of the tenets of discussions on HN would be to take someone's arguments at face value, so I prefer to believe that the EU as an organization actually wants to diminish social exclusion and discrimination. I'm not sure if I'd give the same credit to any other capitalist entity, but the EU does not have the implicit goal of increasing revenue for its shareholders to subvert any of the others stated.

By graemep 2025-09-2419:34

Lots of countries have has similar goals and lofty promises in its constitution.

I take your argument at face value (in that I take it that you believe the EU has that goal at some level). I just to not expect it, as an organisation, to consistently promote that goal (for much the same reasons lots of countries fail to serve their citizens).

Profit making businesses have the explicit goal of making shareholders better off. Management usually choose to balance this against other goals (ethics, the good of wider society, their own interests...), just as the EU has the explicit aim you state, but, similarly, has other conflicting aims.

By GoblinSlayer 2025-09-250:00

There's always "you're not our target audience" exception.

By wwweston 2025-09-2416:05

“They are all crooks” is the motto of another kind of personal corruption: the kind where people abdicate any responsibility to detail or distinction for the sheer indulgence of moral posture without any of the work.

Every time someone says “they’re all crooks” they are the enablers of crooks. The crooks couldn’t do it without people like that.

By cortesoft 2025-09-2420:58

> This is a great example of how this whole requirement hasn't been properly thought out.

I think this is more an example of you misunderstanding the desires of the people pushing for this.

They want to actually ban this content, they just know that is a harder sell than restricting to adults. So for them, making it harder or impossible to access the content is a feature, not a bug.

By b800h 2025-09-2414:26

Or rather: "You will need a smartphone to use this desktop app".

By Luker88 2025-09-2413:133 reply

> oes that mean we will see a return of the 'desktop applications'...?

No. It's still required by law, which means that your desktop application will require some interaction with your smartphone.

By cenamus 2025-09-2413:173 reply

Further forcing everybody to have their phone on person at all times

By nehal3m 2025-09-2413:36

And as a prerequisite enforcing dependency on titanic (and in my case foreign) tech companies that are free to unilaterally ban you from communicating with your government. This is a BAD idea.

By jeroenhd 2025-09-2413:512 reply

Depending on the implementation, you can run the app on your computer. I don't see why the iOS app wouldn't work on macOS, and there are tons of tools to run Android apps on Windows and Linux.

If the actual implementations do copy the dependency on Play Integrity and other such APIs, that does become a problem (getting past that is a major annoyance on amd64 computers because there are so few real amd64 Android devices that can be spoofed).

However, the law regarding these apps specifically states that the use of this app must be optional. I'm not sure websites and services will implement other solutions, but in theory you should not need a phone unless you want the convenience and privacy factor of app verification. I expect alternatives (such as 1 cent payments with credit cards in your name) to stick around, at least until we get a better idea about how this thing will work out in practice.

By 1over137 2025-09-250:55

>I don't see why the iOS app wouldn't work on macOS

That requires an AppleID, i.e. an account with a foreign corporation.

By Imustaskforhelp 2025-09-2415:04

Waydroid on linux comes to mind. It sort of semi worked out of the box on archlinux but I can't try to imagine setting up somewhere else..

Wait a minute, while writing this comment, I realized that there was a guy who sort of packaged waydroid into flatpak-ish to run android apps in flatpak.

https://flathub.org/en/apps/net.newpipe.NewPipe

(It uses android translation layer??)

I am not an EU citizen but if somebody is & they want this age verification app on desktop, maybe the best way might be to support this android translation layer to convert this EU app into something that can run through flatpak and then use linux I suppose.

I mean, some of y'all are so talented that I feel like surely someone would do it if things do go this way! So not too much to be worried about I suppose :>

By pessimizer 2025-09-2413:248 reply

I've been saying this for years: eventually not having your phone on you and powered up at all times will not be a crime, but it will be grounds for questioning and search.

One day, there will be a knock on your door.

"Good morning, this is the police. Is there something wrong with your phone? Is your phone broken? Can we provide you with a charge?"

"No, I must have turned it off accidentally."

"Can we assist you with an upgrade? The newer models don't have power buttons."

By fhdkweig 2025-09-2414:23

According to Mallen Baker, this is already happening in 9 countries. https://youtu.be/0zlDVM1x8P4?t=228

By sjw987 2025-09-2414:232 reply

I think you're exactly right, and the groundwork is being laid today by the standards society is setting for everybody. People will assume a lack of phone or the presence of a phone but lack of usage / content on it, makes you guilty of some sort of crime similar to owning a burner phone.

Tell somebody you use your phone less than 10 minutes a day and look at their face change.

By thewebguyd 2025-09-2416:411 reply

> Tell somebody you use your phone less than 10 minutes a day and look at their face change.

While not less than 10 minutes per day for me, but I was having this argument on reddit over the iPhone Air - people couldn't fathom that there's someone out there that is not on their phone 24/7, and doesn't use their phone as their main computing device.

I clock in at under an hour screen time most days. It's the least ergonomic device for me to do anything remotely serious. Can't even stand typing on a virtual keyboard. My laptop is, and will remain, my main interface to the net and communication with others.

You'd think I was some kind of weird hermit luddite because of it.

By sjw987 2025-09-258:09

I've found the divide between people who switched to using a phone full time and people who still use physical peripheral based computers (even for recreational activity) is generally linked with whether the person is a digital productive/consumerist type person.

Nobody is coding or writing anything longer than an email or social media post on a virtual keyboard.

The average screen time for younger people borders on 7 hours. It's almost a third of the day or 40% of the woken day for most people. I still can't wrap my head around how that can even be possible, but then I see in public most people you look at in any given moment are reading, watching or sending/sharing something.

If the conspiracy theorists are right, the tech industry created a surveillance system beyond their wildest dreams.

By vikarti 2025-09-256:45

Scroogled, by Cory Doctorow comes to mind.

By vikarti 2025-09-256:56

Possible option(will it BE Option?): EU:Here is my phone. Yes, it's working. It's chinese one with Huawei's Harmony OS, photos are great. or it's Russian one, I really like Pushkin so decided to get their model. Russia: Here is my phone. Yes,it's google pixel with GrapheneOS (it's more secure - Mother Russia is danger so everyone must be vigilant! I banking app via RuStore). USA: Here is my phone. I really like French. it's phone with with stock e/OS Point is - if it's impossible NOT to be observed - you (for now) still have choice which security service will observe you. $NOT_YOUR_COUNTRY_OR_ALLIANCE security services/police is unlikely to arrest $CITIZENS_OF_YOUR_COUNTRY_OR_ALLIANCE without $NOT_YOUR_COUNTRY_OR_ALLIANCEtroops be here FIRST (and you will knew it). Only potential threat is that $NOT_YOUR_COUNTRY_OR_ALLIANCE could try to be interoperable with each other

By GoblinSlayer 2025-09-250:13

Not having power button is useless if the battery works only for a few hours.

By mhitza 2025-09-2414:35

Black Mirror "The entire history of you" now in mobile app version.

By BolexNOLA 2025-09-2413:57

The Pedestrian: https://xpressenglish.com/wp-content/uploads/Stories/The-Ped...

By marcosdumay 2025-09-2416:09

So... 1984?

By im3w1l 2025-09-2416:32

What does seem to be happening is rather that the assumption of having a phone will be built into every little thing - in particular mobile payments are becoming mandatory in some places. Transportation including parking is sometimes locked behind an app. We could also see stuff like landlords moving to smart locks that a tenant open with their phone.

Since children are universally not considered real people with real rights schools requiring them to have the right apps to perform their schoolwork are to be expected.

By izacus 2025-09-2413:502 reply

My EU country allows tapping the ID card on a NFC reader on PC for verification. No smartphone needed for desktop use.

Why wouldn't that be sufficient?

By Freak_NL 2025-09-2414:26

Don't worry, that feature will inevitably be phased out because only a small percentage of people use it.

Every new secure government identification/authentication/verification thing will try to 'just' use Android/IOS, because 'everyone' has one those smartphones.

By 201984 2025-09-2413:583 reply

Most PCs don't have NFC readers.

By izacus 2025-09-2416:16

Cool, but that's the fallback they offer for folks who can't use the mobile app and it works just fine.

By monksy 2025-09-256:34

Smart card readers are normal in Israel on desktops.

By baq 2025-09-2414:25

No reason that couldn't change. China should give good bulk discounts on 300M units /s

By Aaargh20318 2025-09-2413:203 reply

The wallet app can be started using a QR code. You can then finish the verification on your phone and continue on the desktop website/app/whatever.

By hellojesus 2025-09-2413:513 reply

What if you don't have a phone? Or what if your phone runs a custom rom and can't pass google's attlestation?

By Imustaskforhelp 2025-09-2415:08

"Google, google everywhere. It's attestation is gonna be a nightmare."

Idk I created this just right now lol.

But on a serious note, Maybe check out my comment on something known as the android_translation_layer with flatpak to see if that might help to run that app atleast in linux.

Linking it here : https://news.ycombinator.com/item?id=45361397

By codedokode 2025-09-2416:08

If you don't have a phone, you cannot create a new Google or Vk (social network) account today. I expect there will be more things you won't be able to do if you don't want to leak your information.

By Aaargh20318 2025-09-2415:263 reply

Then you can't use this method of identification, just like you can't use it now. Surely it won't be the only way to identify yourself online. If this provides a frictionless way to do this for 95% of people then it's already a huge win.

Don't let perfect be the enemy of good.

By debazel 2025-09-2415:38

No, this is worse because it solidifies Apple/Google's duopoly over the smart phone market even more than it already is.

Not only that, but having this locked behind something that works for 95% of users means the other 5% will never have enough leverage for any other implementations to be approved. Which is absolutely unacceptable for such an essential feature like age verification.

By hellojesus 2025-09-2416:081 reply

Why can't we continue with an open web standard? We should have complete interoperability regardless of whether I'm using a google smartphone or a custom os I wrote in my garage or bsd or nixos. That is the entire point of web standards: to create the ability to communicate with one-another regardless of system design, so long as standards are properly implemented.

This is a general computing crisis.

By Aaargh20318 2025-09-2510:58

> Why can't we continue with an open web standard?

The EU wallet does use an open standard, and the wallet app itself is developed in public as open source.

By Saline9515 2025-09-2415:55

The requirement for age id is already stupid.

The target, which are the children who access "forbidden" websites without authorization is likely to be lower than amount of people who won't be able to access due to those narrow specs.

By alerighi 2025-09-2417:01

This is plain stupid. Countries (e.g. where I live) already have systems like SPID or CIE that can authenticate users using a multitude of factors, for example I can authenticate myself with a QR and a phone, or I can not even have a phone at all and have a 20 euros NFC reader connected to the PC and can authenticate using my digital document and a PIN.

I see this as a huge stepback to be fair.

By snickerdoodle14 2025-09-2413:301 reply

How can I do this when I don't have a phone?

By ToucanLoucan 2025-09-2414:514 reply

Don't you people have phones?

Edit: Sorry that reference was a deep cut, I was quoting the devs of that awful Diablo mobile game way back.

By debazel 2025-09-2415:121 reply

A phone isn't enough, you need an Apple or Google account as well. So if your Google account gets banned, you might as well just jump of a bridge because it's over for you.

By shmel 2025-09-2415:461 reply

That is easy to solve though. If Apple/Google become essentially an utility, they are legally mandated to provide an account for any EU citizen =)

By 1over137 2025-09-251:00

You want companies based in a country threatening to take over parts of the EU (Greenland) as being required for everything you do in society?

By Imustaskforhelp 2025-09-2415:17

No? I had been with dumb phone for almost a year from like 2024-25? What point are you trying to make as I think that there are some good dumb phones in the market which even support things like signal.

I used to use the messaging app through SMS tho, the people that knew me (that 1 friend gets a shoutout here who used to msg me through SMS in the world of whatsapp and my mom!!)

Most phones are used for two things that my father used to quote: Whatsapp (messaging app) and youtube(social media)

Entertainment could somewhat be offloaded via music player etc. into dumb phones and to be really honest, I think that even things like hackernews could be operated on those dumb phones if given the ability to.

https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the dumbphone which supports signal btw. Wish there was a way to make app for dumbphones like these just as how we can make apps for androids.

I was shocked by how much feature packed my chinese dumb phone was for 11.27$ lol. It just didn't have internet & yeah games as well.

By tmtvl 2025-09-252:421 reply

Was it Diablo? I thought it was Dungeon Keeper.

By ToucanLoucan 2025-09-2512:02

Diablo Immortal, 2018. (How the fuck was that 7 years ago already Christ…)

By slackfan 2025-09-2415:51

For what it's worth, I chortled.

By mrtksn 2025-09-2413:342 reply

App not available doesn't mean age verification not required. You can be required to confirm your account from your mobile phone or scan some QR code on mobile that will take you to age verification session and once completed you can continue from the desktop.

I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.

By Levitz 2025-09-2414:14

>I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.

That only works in a world in which the government provides speedometers, which restrict the vehicle automatically, and in this case they refuse to provide them at all for blue cars.

By whatevaa 2025-09-2413:533 reply

So a loss of mobile phone will mean loss of everything? Maybe we should just kill people if they lose a portable mobile device which can just stop working by itself? I fully expect there to be some idiotic scenarios where to get x, you need to already have x.

By zelphirkalt 2025-09-2414:08

Be as much work as possible in all places, where the default option is to do something with your mobile phone. If enough people do that, then the alternative to using your phone will need to have good process, so that it is not holding up everyone else.

If something doesn't work without your phone, report it being broken. If they tell you to use your phone, tell them you don't have one. If possible, leave their service, if they don't care.

We have to make it their issue as much as possible, when they try to push their shit onto us.

Surprisingly often there is a workable alternative to using ones smart phone. We have to make use of those as much as possible, so that the cost for them to get rid of those options will be high and they think twice before doing that and offending us.

By fithisux 2025-09-2415:06

They will terrorize us like that and then, they will use implanted chips. One primary one backup. It is extremely rare to lose both. Possibly the primary will be in your head.

By mrtksn 2025-09-2414:09

Why would loss of a mobile phone be that dramatic? Go buy a new one? Having the equipment in something that requires an equipment is pretty reasonable when the price range is within the reach of everybody.

By sidewndr46 2025-09-2414:25

Just wait until kids figure out you can run an emulator for an older desktop platform on a modern phone with ease

By hopelite 2025-09-2417:59

> What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?

I doubt it unless something odd happens like triggering some reaction. They’ve looked at the data and see the majority of society using “phones”, which are really just increasingly small computers that happen to have a feature to also make calls; and they’ve decided that this trap they’re leading us all into can and may even need to stay open and inviting for a while anyways until the older people die off and desktop form factors kind of fall by the wayside, before the trap is even ready to be sprung. In the mean time they’ll just gaslight and lie about what they’re doing, to save and protect the children of course, until the day that you tune around from a distraction and the trap door is shut behind you.

It’s the same MO as always, with the gullible and naive enablers being essentially the worse threat than the actual perpetrators.

By f_devd 2025-09-2416:034 reply

I've posted this as a response but I'll post it again since it seems like a lot of people are confused about the project:

This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).

The actual infrastructure is not based on attenstation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.

If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.

By 11mariom 2025-09-256:12

> I've posted this as a response but I'll post it again since it seems like a lot of people are confused about the project

Even if it is ZKP still… whole idea is just bad. I mean whole age-veryfication done by gov is bad.

And forcing one to use smartphone is even worse.

By Confiks 2025-09-2417:161 reply

> a lot of people are confused about the project

This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).

The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.

It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.

[1] https://news.ycombinator.com/item?id=44458323

By f_devd 2025-09-2417:341 reply

> This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard ECDSA..

The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.

> It will also be trivial to circumvent

If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug. The statement required should be scaled to the application it's used for; this is "over-asking" is considered in the law[1].

> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.

I agree that in it's current state it is effectively unusable due to the ZKPs being omitted.

[0]: https://github.com/eu-digital-identity-wallet/av-doc-technic... [1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375

By Confiks 2025-09-2418:021 reply

> So given that the current spec is not in use, this seems incorrect.

No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).

I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.

> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.

Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.

So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing it's limitations. Only if such expectations are correctly set, we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.

[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).

By f_devd 2025-09-2419:30

> Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.

I can see this argument, but it has a few caveats:

- The 'faucet', providing infinite key material in an open proxy is also very vulnerable

- If the only attribute is age verification then uniqueness is not required; i.e. you can borrow the key of someone you trust and that should be fine.

- The unlinkability is a requirement from the law itself, i.e. the current implementation cannot be executed upon assuming rule of law holds

By vaylian 2025-09-2416:072 reply

Thanks for chiming in! Is there some documentation on the Zero-Knowledge-Proof, that this app is supposed to use?

By MatteoFrigo 2025-09-2421:21

See https://github.com/google/longfellow-zk

By f_devd 2025-09-2416:57

I don't know the specific ZKP variant if that's what you mean, but the general architecture of the system is best described in the 38C3 talk from earlier this year: https://www.youtube.com/watch?v=PKtklN8mOo0

There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.

By NooneAtAll3 2025-09-2416:072 reply

> This project is not THE digital wallet, it is the wallet

...what?

By maxfurman 2025-09-2416:25

GP has edited the comment to make more sense