70 points jwally | 2 comments

So I'm not an expert in this area, but here's an attempt at a cost-effective, anonymous age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this is in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and they don't want to get left behind.

alkonaut ◴[] No.45086505[source]
The POC shouldn't even be mentioning banks explicitly. Anyone that needs or could know you. Any authority such as a tax authority, voting registry, whatever, that already knows who you are, could verify this. An authority is preferable to a bank.

And if a country already has a functioning digital ID solution that covers every citizen it should be a simple add-on to add this. The "functioning digital ID solution that covers every citizen" seems like the step to fix _first_ (definitely before imposing age verification laws online!).

Also, having such a system really should be seen as par for the course for any developed country.

replies(2): >>45086545 #>>45099834 #
jeffrallen ◴[] No.45086545[source]
The new eIDs in Switzerland and the EU will allow this use case.
replies(1): >>45086718 #
1. uyzstvqs ◴[] No.45086718[source]
But are not completely anonymous and can share your browsing activity with the government. At least with the EU's system.

https://news.ycombinator.com/item?id=44870161

replies(1): >>45087167 #
2. jeroenhd ◴[] No.45087167[source]
The source behind that comment doesn't verify the claim that your browsing history is being shared. Only that the app currently being developed is a temporary app for use until the full app has been finished.

In fact, the linked article links to the EU website where it is specifically stated that the final protocol will be compatible with the temporary app (the anonymous age verification protocol).

The final app will also serve as a method to identify oneself (i.e. to a police officer) but that's separate functionality from the token based authentication.

The current lack of zero knowledge proofs does pose a potential privacy issue when websites and governments work together to track you across a length of time and re-authentications, but it's not like you're inherently sharing your browser history with the government. As far as I know, the temporary app intends to implement ZKPs but ran into standardization issues, so it's not like this is an intentional shortcoming either.