Comment by andrewla

There is no "done correctly". Intrinsically you simply cannot do this, and you have to accept this as almost axiomatic.

If the online age token is not attached to a human identity in a strong way, then it can be transferred to others without friction. The only way we can make it sticky is a mix of technological solutions (how we tie to identity) and real-world systems -- having the ability to prosecute misuse and to link to a physical identity.