Most active commenters
  • jwally(6)

←back to thread

Show HN: Anonymous Age Verification

(gist.github.com)
70 points jwally | 15 comments | 31 Aug 25 17:14 UTC | HN request time: 1.966s | source | bottom

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

1. drhodes ◴[31 Aug 25 19:18 UTC] No.45086168[source]
Just an FYI: In the US, 5.6 million households are unbanked.

https://www.fdic.gov/news/press-releases/2024/fdic-survey-fi...

replies(3): >>45086520 #>>45086744 #>>45090854 #
2. djoldman ◴[31 Aug 25 19:58 UTC] No.45086520[source]
Yep, this would be a big problem. We'd have to have alternate methods as well.
replies(1): >>45086630 #
3. jwally ◴[31 Aug 25 20:11 UTC] No.45086630[source]
Exactly. No one way will solve this problem, but this would knock out a lot.
4. oncallthrow ◴[31 Aug 25 20:23 UTC] No.45086744[source]
Okay, and those 5.6 million probably aren't accessing sites that require age verification. Not every solution needs to work for 100% of people.
replies(3): >>45086807 #>>45087110 #>>45094615 #
5. blahaj ◴[31 Aug 25 20:30 UTC] No.45086807[source]
> and those 5.6 million probably aren't accessing sites that require age verification.

Why would you presume that?

> Not every solution needs to work for 100% of people.

A solution that censors large amounts of speech and culture from millions of people is clearly either insufficient or, if it is deemed sufficient, authoritarian.

replies(2): >>45087631 #>>45088196 #
6. alwa ◴[31 Aug 25 21:08 UTC] No.45087110[source]
What on earth would lead you to conclude that unbanked households don’t use online services? I can’t imagine any possible set of starting assumptions that would lead there, short of fairly cartoonish assumptions about the demographics the FDIC pointed out at that link.

Even within the unbanked households, the FDIC link points out that 1/3 use online non-bank services instead. And independently of that, it makes sense that even cash households might interface with online commercial activity: pick up gig work through DoorDash or UberEats or whatever; get paid out through a neighborhood informal-cash-service operator (multiservicio, hawala, guy who informally cashes out undocumented drivers). Or through opening a Venmo or CashApp account instead of a bank account.

That leads to a slightly stronger form of the claim: that those 5.6 million are likely to have undergone KYC/AML through other, non-bank financial providers…

But even then, why should a bank account be connected to whether or not you’re an adult in society’s eyes?

7. jwally ◴[31 Aug 25 22:21 UTC] No.45087631{3}[source]
Any incremental advance is better than nothing where our rights are getting eroded faster than we can contact the ACLU to start investigating whether or not we have a case. The American Right have figured out that they can DDOS the legal system with all kinds of bullshit laws that they know won't stick, but it will take everyone 10x the time and effort that they spent spewing it out.

We can't back and wait for the perfect solution that covers all corner cases and makes everyone happy and has the perfect UX. We have to fight now while we still have something to fight for.

replies(1): >>45087716 #
8. nickthegreek ◴[31 Aug 25 22:37 UTC] No.45087716{4}[source]
If the system is that I have to prove my id or age for averag network connections, then the system has already failed me. The only system I am behind is a flag that some devices can send if enabled that lets the receiving party know the user is underage. Completely optional (controllable by device owner/guardian) but if received, that party must behave in a way that acknowledges that fact. It is not a perfect system, but it retains the freedoms and anonymity of the user.
replies(1): >>45102215 #
9. 627467 ◴[31 Aug 25 23:58 UTC] No.45088196{3}[source]
> solution that censors large amounts of speech

I did not read anywhere that this solution can only be used if it's the ONLY solution. Did you?

How is the statement "not every solution needs to work for 100% of the people" controversial? People are different, with different circumstances and ideally there are a variety of solutions to cover all of them

10. szszrk ◴[01 Sep 25 08:51 UTC] No.45090854[source]
So? I'd say the 340 million of people that actually could verify with a bank is not a bad attempt.

1. 7 million (2020) has no proper ID [0].

2. 120 million struggle with reading [1], and you can assume at least 7 million realistically can't read.

3. Banks already do identity verification across the world, even on behalf of the governments themselves.

I see many challenges in what OP is proposing, but banking adoption across population is not one of them.

[0] https://www.voteriders.org/voter-id-research/

[1] https://www.apmresearchlab.org/10x-adult-literacy

replies(1): >>45090941 #
11. jwally ◴[01 Sep 25 09:07 UTC] No.45090941[source]
You get it! Thank you!

My attempt at _a_ solution isn't _THE_ solution; but it seems like there's legitimately something around leveraging existing KYC infra that could get a solid 98 out of 100 - and can realistically be implemented in a realistic timeframe.

If I'm AYLO and have been cut off from 1/3 of the U.S. for the last 18 months, I'm contacting every lawyer, cryptographer, and engineer I can get my hands on to try and get _anything_ out of this concept or ones like it.

12. const_cast ◴[01 Sep 25 17:17 UTC] No.45094615[source]
Soon every website will require age verification. And, currently, no access to the web means no access to society.

These people are already disenfranchised and mistreated by society. Let us not marginalize them more.

13. jwally ◴[02 Sep 25 12:28 UTC] No.45102215{5}[source]
I'm sorry. The system has already failed me. Short of moving or becoming king of Texas; what should I do? Practical advice is welcomed!
replies(1): >>45106124 #
14. nickthegreek ◴[02 Sep 25 17:21 UTC] No.45106124{6}[source]
vpn, use different sites that dont make you give a govt id.
replies(1): >>45107265 #
15. jwally ◴[02 Sep 25 18:40 UTC] No.45107265{7}[source]
How's that going for China?