The European Commission's proposed interim solution for age verification (ageverification.dev) is actually pretty good vs the shitshow of the US and UK.

It works like this:

1. You contact an age verification provider (e.g., national eID schemes, banks, or mobile operators) and provide proof of identity, which they will verify possibly against government databases or whatever, etc. Once they confirm your age they will issue you with a bunch of Age attestations. At this point you don't even know where you will use these, so that info literally cannot be sent to the provider. The attestations are a JWT-like envelope with a payload conceptually equivalent to `{"nonce": "LARGE_RANDOM_HEX_STRING", "age_over_18":true}`, signed with the provider's public key. (The actual implementation is more complex).

2. This is stored in a local app, which will guarantee each attestation only gets used once (to avoid linking user across relying sites). There is no special authentication of the app in the protocol with the replying site, so you can write your own. The Commission provides an open source reference app. There is a standard protocol for communicating with verification providers, however it is not mandatory, so using the reference app might not support all verification providers, but should support a variety.

3. When you want to visit some site needing age verification, and you already have a verified account, you just sign in, otherwise, that site will use a standardized protocol to request proof from the app. The app will provide just the attestation token. The relying site does not get any info about your identity, other than the attestation token. Plus of course, the relying party must accept any age verification provider approved by the commission, not just its preferred one. The EC's solution also supports the app providing the relying site a Zero-Knowledge Proof of having such a token, which makes it possible for the relying site to learn the user's identity even if colluding with the age verification provider.