←back to thread

Show HN: Anonymous Age Verification

(gist.github.com)
70 points jwally | 2 comments | 31 Aug 25 17:14 UTC | HN request time: 0.001s | source

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

Show context
AndrewDucker ◴[31 Aug 25 19:14 UTC] No.45086127[source]
I don't see why you need the first step.

What you need[0] is a certificate, signed by a recognised provider[1], asserting that email address X is associated with a person aged over 18.

Once you have that, you can then provide it to anyone who asks for it. The certificate provider doesn't need to know who you're proving it to. Literally all they have to do is check whatever information they need to[2] to be happy asserting "Oh yeah, that's an adult".

If your browser (or an add-on for it) wanted to make this easy by storing the certificate for you securely, then that would be awesome, obviously.

But there's no reason why the certification provider needs to know who they're certifying your adulthood to.

[0]Assuming that you want a way to prove you're an adult.

[1]That could be a bank, a government, or anyone else who has sufficient levels of societal trust.

[2]Photo of you, use of a credit card, records of you using that email address for more than 18 years. Whatever makes them happy making that assertion, that they'd be willing to stand up in court and defend their processes if one of their certificates was issued wrongly.

replies(2): >>45086182 #>>45087304 #
ajsnigrutin ◴[31 Aug 25 19:19 UTC] No.45086182[source]
But that requires sharing your email every time you want to open pornhub.
replies(1): >>45086326 #
AndrewDucker ◴[31 Aug 25 19:34 UTC] No.45086326[source]
I would absolutely set up an alternate email address for use with things I didn't want my identity to be associated with. Possibly several of them.

The alternative is something like the Zero Knowledge Proofs that Google recently open sourced: https://blog.google/technology/safety-security/opening-up-ze...

This would allow you to prove that you have the certificate that was issued to you, without giving up more detail than that.

I think that building that into things is a ways off though.

replies(1): >>45086483 #
1. ajsnigrutin ◴[31 Aug 25 19:53 UTC] No.45086483[source]
I mean, the alternative is parents parenting their kids and installing parental control on their phones, and well.. pornhub without providing your email.

Kids will still be able to torrent porn, but the end goal of having to use real ID with social networks will prevent any free speech still left and kill online anonymity.

replies(1): >>45093378 #
2. GoblinSlayer ◴[01 Sep 25 15:17 UTC] No.45093378[source]
Don't they require phone number already? Also messengers.