Comment by Confiks

> This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

Indeed according to some (i.e. the Commission) it's supposed to, but they should know better. And many member state wallet developers do know better.

Play Integrity can easily be bypassed unless you want to exclude a very large amount of users – especially disadvantaged people using older phones – because there are many vulnerable phones in use by those users, and you only need one to build such an age attribute faucet.

See also this comment: https://news.ycombinator.com/item?id=45363853