←back to thread

Show HN: Anonymous Age Verification

(gist.github.com)

70 points jwally | 1 comments | 31 Aug 25 17:14 UTC | HN request time: 0.202s | source

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

1. wsces ◴[31 Aug 25 20:01 UTC] No.45086549[source]▶

>>45084905 (OP) #

Isn't this roughly what mDL (and broader future W3C Digital Credentials spec) offers albeit with the issuing agency of the ID (e.g. state DMV) acting as the credential issuer rather than a bank? A relying party make a claim for a coarse age limit 'is user over N years old'? With the user's consent, the application receives an attestation back from their wallet, with a chain of trust back to the issuer (without the issuer's intervention or knowledge).

The user's credential is bound to the device and protected by their biometrics (Face ID/Touch ID), and the consent screen feels very similar to using a Passkey (gaining in mainstream popularity) or Apple Pay (pretty mainstream at this point).

- https://www.w3.org/TR/digital-credentials/

- Apple's implementation - https://developer.apple.com/wallet/get-started-with-verify-w... (and moving to the browser in iOS 26 https://support.apple.com/en-gb/guide/apple-business-connect...)

The challenge here is adoption and availability of digital credentials. It appears State Department is allowing iOS 26 to issue digital credential representations of US passports also. Japan are also providing their national ID card in this way. Given some US states' online age verification laws (and whatever it is the UK are trying to do at the moment), seems like a great incentive for those governments to provide robust digital ID infrastructure.