The Age of Authentication

~ Jeremy B. Blevins

There is a quiet shift underway in how we are expected to exist online.

It does not announce itself with the force of a new technology, nor with the clarity of a single policy. It appears instead as a requirement, a small prompt during account creation, a field to be filled, a box to be checked.

Enter your age.

It is easy to dismiss such things as trivial. We have been entering our birthdates into websites for decades, often with little thought and less honesty. But something has changed, though I find it difficult to say precisely when. The request is no longer isolated.

From Assertion to System

For most of the internet’s history, identity was a matter of assertion. You claimed to be who you were. A username, a password, perhaps an email address, these were sufficient to establish a presence. Verification, where it existed, was local. Each system decided for itself what it required and how much it trusted what it received.

There was no universal standard. Identity was fragmented, contextual, and often ambiguous. In retrospect, this seems almost quaint.

The California Signal

A recent California law, the Digital Age Assurance Act, offers a glimpse of a different model. Beginning in 2027, operating systems will be required to collect a user’s age at account setup and provide that information to applications through a standardized interface.1 Applications will no longer need to ask. They will be told. What matters here is not the accuracy of the information, nor even the policy objective behind it.

What matters is the placement.

Identity has moved downward, into the operating system itself.

The Operating System as Identity Provider

This is a familiar pattern in enterprise environments, though it rarely presents itself so plainly. Identity providers issue tokens. Systems trust those tokens. Access decisions are made not on direct knowledge, but on delegated authority. The operating system begins to resemble such a provider.

  • It gathers attributes.
  • It packages them into signals.
  • It distributes those signals to any application authorized to receive them.

The application does not know the user. It knows what the system says about the user.

From Person to Attribute

There is a certain reduction that occurs in this process. A person, with all the complexity that implies, is translated into a set of attributes:

  • age bracket
  • account status
  • device trust level

These attributes are necessary. Systems cannot operate on nuance. They require categories, values, states that can be evaluated quickly and consistently. But the translation is not neutral. What is not captured does not exist, at least as far as the system is concerned.

Regulatory Gravity

There is another feature of this model that is less visible, though perhaps more consequential. Laws such as this do not remain confined to their place of origin. California is not merely a jurisdiction. It is a market. And systems designed for that market rarely remain isolated from others. The same is true, perhaps more so, of the European Union.

A company cannot easily maintain one operating system for California, another for Europe, and a third for everywhere else. The cost is too high, the complexity too great. It is simpler to adopt the strictest standard and apply it universally.

In this way, local regulation becomes global practice.

The user in one place finds himself governed by decisions made in another, not through direct enforcement, but through the quiet logic of standardization.

I hesitate to call this coercion. It does not feel like force. And yet the outcome is difficult to distinguish.

A Constitutional Hesitation

I find myself wondering whether there is also a constitutional dimension to all of this.

The American tradition has long recognized a right to move through certain aspects of life without constant identification. In Katz v. United States, the Court reframed privacy as an expectation that attaches to the person, not merely to physical space.2 Later decisions, such as Carpenter v. United States, acknowledged that digital systems complicate that expectation, extending observation into domains once considered private.3

At the same time, the Court has been wary of compelled identification in matters of speech and association. In McIntyre v. Ohio Elections Commission, anonymity was treated not as a loophole, but as a protected form of expression.4 In NAACP v. Alabama, the forced disclosure of membership was understood to carry a chilling effect, even absent direct punishment.5

What unites these cases is not a single rule, but a posture. A hesitation. A recognition that requiring individuals to identify themselves as a condition of participation alters behavior in ways that are difficult to measure and easy to underestimate.

Modern systems approach this boundary from a different direction. They do not always prohibit. They require.
And the justification is often familiar. It is framed in terms of safety, of protection, of necessity, frequently in the language of protecting children. That concern is not trivial. But it has a way of ending conversations that might otherwise continue.

I am not yet certain where the proper boundary lies. But I am wary of systems that treat identification not as an exception, but as a default condition of participation.

The Beginning of Infrastructure

It would be a mistake to view this as a finished system. The law, as written, allows for self-reported age. There is no immediate requirement for verification beyond declaration. It is, in that sense, a weak signal. But infrastructure rarely arrives fully formed.

It begins with a framework, a way of structuring information and making it available. Once that framework exists, it can be strengthened, extended, refined.

  • What begins as optional becomes expected.
  • What begins as approximate becomes precise.
  • What begins as local becomes universal.

There is, perhaps, a distant resemblance here to older ideas of observation and discipline, though the mechanism is different. The system does not need to watch constantly if it can simply require that we identify ourselves when asked.

The Direction of Travel

I find myself uncertain whether this represents progress or merely change. There are clear benefits to systems that can reliably determine who is allowed to access what. The early internet’s ambiguity was not without cost.

But something else is happening as well.

We are moving from a world in which identity was situational to one in which it is persistent. From one in which it was self-declared to one in which it is system-provided.

And once identity becomes infrastructure, it does not remain idle. It invites use.

Closing Reflection

It may be that we are entering an age in which identity is no longer something we present, but something we carry, quietly, from system to system.

Not as a story about ourselves, but as a set of signals, always available, always ready to be consulted. What those systems choose to do with those signals is a separate question. But it is not one we will be able to avoid for long.

References:

  1. Tom’s Hardware. (2025). California introduces age verification law requiring OS-level age checks.
    https://www.tomshardware.com/software/operating-systems/california-introduces-age-verification-law ↩︎
  2. Katz v. United States, 389 U.S. 347 (1967).
    https://supreme.justia.com/cases/federal/us/389/347/ ↩︎
  3. Carpenter v. United States, 585 U.S. ___ (2018).
    https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf ↩︎
  4. McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995).
    https://www.oyez.org/cases/1994/93-986 ↩︎
  5. NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958).
    https://www.oyez.org/cases/1958/91 ↩︎

Leave a comment