70 points jwally | 1 comments

So I'm not an expert in this area, but here's an attempt at a cost-effective, anonymous age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this is in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and they don't want to get left behind.
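
The flow above, sketched as an added example (not part of the original post, and not any bank's or site's real API). Assumptions: Ed25519 key pairs stand in for the bank's signing key and for the WebAuthn credential, and the copied string is taken to be a hash of the credential public key and a nonce, since the post does not say what it contains.

```javascript
// Added example with constructed keys; not a real bank or merchant API.
const crypto = require('node:crypto');
const b64 = (buf) => Buffer.from(buf).toString('base64url');
// Steps 4-5 (merchant). Assumption: the copied string is a hash of the new
// credential's public key plus a nonce, so the bank only sees an opaque value.
function makeSession(credentialPublicKey) {
  const spki = credentialPublicKey.export({ type: 'spki', format: 'der' });
  const request = b64(crypto.createHash('sha256')
    .update(spki).update(crypto.randomBytes(16)).digest());
  return { request, credentialPublicKey, challenge: crypto.randomBytes(32) };
}
// Step 9 (bank): sign the age claims together with the opaque request string.
function bankAttest(bankPrivateKey, request, claims) {
  const payload = JSON.stringify({ request, ...claims, iat: Date.now() });
  const sig = crypto.sign(null, Buffer.from(payload), bankPrivateKey);
  return `${b64(payload)}.${b64(sig)}`;
}

// Steps 11-13 (merchant): check the bank signature, the request binding, the
// freshness, and a signature by the same credential (WebAuthn stand-in).
function merchantVerify(token, bankPublicKey, session, assertion, maxAgeMs = 600000) {
  const [p, s] = String(token).split('.');
  if (!p || !s) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(p, 'base64url');
  if (!crypto.verify(null, body, bankPublicKey, Buffer.from(s, 'base64url')))
    return { ok: false, reason: 'bad bank signature' };
  const payload = JSON.parse(body.toString('utf8'));
  if (payload.request !== session.request) return { ok: false, reason: 'request mismatch' };
  if (Date.now() - payload.iat > maxAgeMs) return { ok: false, reason: 'stale' };
  if (!crypto.verify(null, session.challenge, session.credentialPublicKey, assertion))
    return { ok: false, reason: 'bad credential assertion' };
  return { ok: true, over_18: payload.over_18 === true, over_21: payload.over_21 === true };
}

// Constructed run: the honest visitor passes; a token pasted into another
// visitor's session (different credential and request string) is rejected.
function runFlow() {
  const bank = crypto.generateKeyPairSync('ed25519');
  const alice = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const session = makeSession(alice.publicKey);
  const token = bankAttest(bank.privateKey, session.request, { over_18: true, over_21: false });
  const sign = (key, s) => crypto.sign(null, s.challenge, key);
  const otherSession = makeSession(other.publicKey);
  return {
    honest: merchantVerify(token, bank.publicKey, session, sign(alice.privateKey, session)),
    copied: merchantVerify(token, bank.publicKey, otherSession, sign(other.privateKey, otherSession)),
  };
}
```

In this sketch the bank never learns which site issued the request string, and the signed claims are only accepted in the session whose credential they were bound to.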

AndrewDucker No.45086127
I don't see why you need the first step.

What you need[0] is a certificate, signed by a recognised provider[1], asserting that email address X is associated with a person aged over 18.

Once you have that, you can then provide it to anyone who asks for it. The certificate provider doesn't need to know who you're proving it to. Literally all they have to do is check whatever information they need to[2] to be happy asserting "Oh yeah, that's an adult".

If your browser (or an add-on for it) wanted to make this easy by storing the certificate for you securely, then that would be awesome, obviously.

But there's no reason why the certification provider needs to know who they're certifying your adulthood to.

[0]Assuming that you want a way to prove you're an adult.

[1]That could be a bank, a government, or anyone else who has sufficient levels of societal trust.

[2]Photo of you, use of a credit card, records of you using that email address for more than 18 years. Whatever makes them happy making that assertion, that they'd be willing to stand up in court and defend their processes if one of their certificates was issued wrongly.

jeroenhd No.45087304
Why would you need to include the email address? Just the token should be enough, shouldn't it? Handing out a valid certificate is proof already, you can leave the common name empty as long as it's signed by the right authority.

This approach does make it rather trivial to clone certificates and spread them, though. All it takes is one kid on their parents' computer dumping a p12 file and the entire school is suddenly bypassing age filters.

Another problem is that colluding websites/trackers (i.e. those "first party" trackers that will use things like CNAMEs to trick browsers into executing their tracker code) can use the public key you use to authenticate your age to track you across websites. Your public key will also be non-repudiable unless your CA often makes you reauthenticate and publishes your private key after expiry (similar to how Signal does this, except less secure).