
70 points jwally | 1 comment

So I'm not an expert in this area, but here's an attempt at a cost-effective, anonymous age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this is in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and they don't want to get left behind.
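Steps 4 to 13 of the flow above, sketched as an added example that is not part of the original post or of any project mentioned in the thread. The function names, the token layout, the hash that binds the copied string to the credential, the 5-minute expiry, and the use of a plain Ed25519 key pair in place of a real WebAuthn credential are all assumptions.

```javascript
// Added sketch of steps 4-13; token layout, names and the 5-minute expiry are assumptions.
// An Ed25519 key pair stands in for the WebAuthn credential (real assertions also
// carry authenticatorData and clientDataJSON, which are not modelled here).
const crypto = require("node:crypto");
const b64 = (buf) => Buffer.from(buf).toString("base64url");
const spki = (key) => key.export({ type: "spki", format: "der" });
const bind = (nonce, credPub) =>
  b64(crypto.createHash("sha256").update(nonce).update(spki(credPub)).digest());

// Steps 4-5 (merchant): the string to copy commits to a fresh nonce and the new
// credential's public key, and names neither the user nor the merchant.
function merchantRequest(credPub) {
  const nonce = crypto.randomBytes(16);
  return { nonce, request: bind(nonce, credPub) };
}

// Step 9 (bank): sign coarse age claims over the opaque request string.
function bankAttest(bankPriv, request, birth, now) {
  const over = (n) => new Date(birth.getFullYear() + n, birth.getMonth(), birth.getDate()) <= now;
  const payload = Buffer.from(JSON.stringify(
    { req: request, over_18: over(18), over_21: over(21), exp: now.getTime() + 300000 }));
  return b64(payload) + "." + b64(crypto.sign(null, payload, bankPriv));
}

// Steps 11-13 (merchant): bank signature, expiry, binding, then proof of the credential.
function merchantVerify({ token, bankPub, nonce, credPub, challenge, assertion, now }) {
  const [p, s] = String(token).split(".").map((x) => Buffer.from(x, "base64url"));
  if (!p || !s) return { ok: false, reason: "malformed token" };
  if (!crypto.verify(null, p, bankPub, s)) return { ok: false, reason: "bad bank signature" };
  const claims = JSON.parse(p.toString());
  if (claims.exp < now.getTime()) return { ok: false, reason: "expired" };
  if (claims.req !== bind(nonce, credPub)) return { ok: false, reason: "not bound to this credential" };
  if (!crypto.verify(null, challenge, credPub, assertion)) return { ok: false, reason: "credential proof failed" };
  return { ok: true, over_18: claims.over_18, over_21: claims.over_21 };
}

// Constructed run: honest flow, then the same token presented with a different credential.
function demo() {
  const bank = crypto.generateKeyPairSync("ed25519");
  const alice = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const now = new Date(2025, 8, 1);
  const { nonce, request } = merchantRequest(alice.publicKey);
  const token = bankAttest(bank.privateKey, request, new Date(2006, 2, 1), now);
  const challenge = crypto.randomBytes(32);
  const prove = (kp) => merchantVerify({ token, bankPub: bank.publicKey, nonce, credPub: kp.publicKey,
    challenge, assertion: crypto.sign(null, challenge, kp.privateKey), now });
  return { honest: prove(alice), transferred: prove(other) };
}
```

Because the bank only sees a hash, it learns the age question was asked but not by which site; the merchant learns two booleans and that some trusted bank signed them.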

1. jeroenhd No.45087234
This mechanism is essentially what the European age verification system is doing, except they're also dealing with offline credentials (so you can log into gambling.com while bank.com is down for maintenance).

There are some details that still need to be worked out for an American implementation (the lack of an eIDAS equivalent, for one), but the EU solution is being developed cross platform, in the open. You can just take the source code, replace/extend the chains of trust with whatever verification platforms you can convince others to join your programme, and reuse most of the existing code.

For an American implementation, you can probably take out the part where verifiers need to be registered with the verification service (which I believe is part of EU law but makes implementing anonymous verification difficult). The wording and name should probably also be changed to be more in line with American expectations, and removing the remote attestation requirement would be nice if your verification services don't demand you include it. I'd also wait for ZKPs to be implemented, or add them to the implementation, to reduce the potential impact of collusion between governments and websites.

The account creation part is optional but probably recommended. I wouldn't lock it to just passkeys, though; having a fallback to classic username/password is probably a good idea just in case.