In the past few years, governments across the world have rolled out digital identification options, and now there are efforts encouraging online companies to implement identity and age verification requirements with digital ID in mind. This blog is the first in this short series that will explain...
I don’t think this is true. We have mechanisms in authentication systems to prevent that. For example make requests valid for one use only. And I’d say if an attacker can ask about age every single day until a user turns 18, and by that gaining knowledge about their exact birthday, it’s something like a side-channel attack and by definition not “zero” knowledge any more and needs to be handled/prevented by the implementation.