
70 points jwally | 2 comments

So I'm not an expert in this area, but here's an attempt at a cost-effective, anonymous age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this is in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and they don't want to get left behind.
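The flow in steps 1-14 above, sketched as an added example (not code from the post): the merchant binds its request string to the credential key, the bank signs the claims over that string, and the merchant checks both. The function names, token layout, Ed25519 bank key and five-minute expiry are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical. The WebAuthn assertion is simplified to one
// ECDSA signature over a challenge (real ones sign authenticatorData || SHA-256(clientDataJSON)).
const crypto = require("node:crypto");

const keyHash = (pub) => crypto.createHash("sha256")
  .update(pub.export({ type: "spki", format: "der" })).digest("hex");

// Steps 4-5 (merchant): the string to copy binds origin, nonce and credential key.
function merchantRequest(origin, credentialPub) {
  const nonce = crypto.randomBytes(16).toString("hex");
  return JSON.stringify({ origin, nonce, keyHash: keyHash(credentialPub) });
}

// Step 9 (bank): sign the age claims together with the pasted request and an expiry.
function bankAttest(bankPriv, request, claims, ttlSeconds = 300) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const payload = JSON.stringify({ request, claims, exp });
  const sig = crypto.sign(null, Buffer.from(payload), bankPriv).toString("hex");
  return JSON.stringify({ payload, sig });
}

// Steps 11-13 (merchant): check bank signature, request binding, expiry, key possession.
function merchantVerify(token, issuedRequest, bankPub, credentialPub, challenge, assertion) {
  const { payload, sig } = JSON.parse(token);
  if (!crypto.verify(null, Buffer.from(payload), bankPub, Buffer.from(sig, "hex")))
    return { ok: false, reason: "bad bank signature" };
  const { request, claims, exp } = JSON.parse(payload);
  if (request !== issuedRequest) return { ok: false, reason: "request mismatch" };
  if (exp < Date.now() / 1000) return { ok: false, reason: "expired" };
  if (JSON.parse(request).keyHash !== keyHash(credentialPub))
    return { ok: false, reason: "credential mismatch" };
  if (!crypto.verify("sha256", challenge, credentialPub, assertion))
    return { ok: false, reason: "bad WebAuthn assertion" };
  return { ok: true, claims };
}

// Constructed end-to-end run with freshly generated keys (Ed25519 bank key, P-256 credential).
function demo() {
  const bank = crypto.generateKeyPairSync("ed25519");
  const cred = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const request = merchantRequest("https://gambling.com", cred.publicKey);
  const token = bankAttest(bank.privateKey, request, { over_18: true, over_21: false });
  const challenge = crypto.randomBytes(32);
  const assertion = crypto.sign("sha256", challenge, cred.privateKey);
  const check = (t, req) => merchantVerify(t, req, bank.publicKey, cred.publicKey, challenge, assertion);
  const tampered = token.replace('over_21\\":false', 'over_21\\":true');
  return { good: check(token, request), tampered: check(tampered, request),
           replayed: check(token, merchantRequest("https://gambling.com", cred.publicKey)) };
}
```

A passing result shows that the holder of the credential key presented a bank-signed token for this exact request. It carries no evidence that the key holder is the customer who logged in at the bank, which is the gap raised in the replies.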

sandeepkd ◴[] No.45086732[source]
Theoretically a good idea, practically there are a couple of challenges with it:

1. Someone makes an intermediary service where they allow users to get the age verification from them. Get the information from the user provided to them by the merchant, use their own (the service provider's) bank account to get the token and return it back to the user. Identity-less age verification is not practically possible; somewhere down the line you have to peg the identification for the user with a common identifier that services can mutually trust.

2. WebAuthn flow has timeouts (everyone's spec implementation might be different) associated with it, most people are going to run into that.

replies(1): >>45086818 #
1. jwally ◴[] No.45086818[source]
Fair point on the timeout.

WebAuthn ties the public keys to your device; Chase's signature of it verifies it; your WebAuthn authentication of Chase's signed version of your key proves it was you the whole time.

Nested dolls/Chain of custody.

What am I overlooking?

replies(1): >>45088017 #
2. sandeepkd ◴[] No.45088017[source]
Chase signed a key that was provided to it, and Chase verified for that user who logged in to Chase. Whom the key was generated for and who entered in the Chase site/API can be altogether two different entities. This is where it breaks.

And banks like Chase do not have any practical reason/motivation to provide such a functionality where they are vouching for something but don't really control how that information is used. The legal would never approve it, there is nothing but risk in it for them.