
70 points jwally | 1 comments

So I'm not an expert in this area, but here's an attempt at a cost-effective, anonymous age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this is in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and they don't want to get left behind.

longboredofit ◴[] No.45086208[source]
What here stops someone from just sharing fake age verifications? If indeed the bank doesn't know what you are visiting and the site doesn't know who you are, anyone could just create an API to autogenerate fake authentications. Age verifications will always be a bad idea and will always leak information in one direction or another.
replies(1): >>45086603 #
jwally ◴[] No.45086603[source]
WebAuthn public key for pornhub gets signed by Chase and authenticated on pornhub along with Chase's signature.

I give that to you, Chase's signature is valid but you can't perform WebAuthn auth.

That's why you can't sell spun up credentials en masse.

replies(2): >>45087239 #>>45087379 #
1. jeroenhd ◴[] No.45087379[source]
My Bitwarden extension stores my WebAuthn keys and those keys work on any device I have Bitwarden unlocked on.

I could definitely share any WebAuthn account with anyone of my choice if I wanted to. Just store the generated key in a shared WebAuthn vault.

You can go spec-incompliant and tell the browser to only accept certain types of hardware to store your credential, but unless the entire ecosystem maintains lists of compromised hardware and blocks half the desktop user base for defeated TPM mechanisms, you're going to have to deal with spoofed clients. The only reason spoofed TPM/hardware-backed credential stores aren't a problem for WebAuthn right now is that there is no need to spoof them at the moment.
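
Added example, not written by any commenter in this thread and not code from a real bank or site: a Node.js sketch of the merchant-side check in step 13, showing what the bank-signed binding to the credential key does and does not establish. It assumes the copied string carries the credential public key, uses ECDSA P-256 for both parties, and replaces the WebAuthn assertion with a plain signature over the merchant's challenge; all function and field names other than `over_18`/`over_21` are hypothetical.

```javascript
// Added example with constructed keys; the signed challenge is a simplified
// stand-in for a real WebAuthn assertion.
const { generateKeyPairSync, createPublicKey, createPrivateKey, sign, verify, randomBytes } = require("node:crypto");

const newKey = () => generateKeyPairSync("ec", { namedCurve: "P-256" });
const b64 = (buf) => buf.toString("base64");
const unb64 = (s) => Buffer.from(s, "base64");

// Steps 6-9: the bank signs the age claims together with the credential public
// key the user pasted in (assumed content of the copied string).
function bankAttest(bankPriv, credPub, claims) {
  const cred = b64(credPub.export({ type: "spki", format: "der" }));
  const payload = JSON.stringify({ cred, claims });
  return { payload, sig: b64(sign("sha256", Buffer.from(payload), bankPriv)) };
}

// Step 12 stand-in: sign the merchant's fresh challenge with the credential key.
const assertPossession = (credPriv, challenge) => b64(sign("sha256", challenge, credPriv));

// Step 13: bank signature first, then the claim, then possession of the bound key.
function merchantVerify(bankPub, att, challenge, assertion, claim) {
  if (!verify("sha256", Buffer.from(att.payload), bankPub, unb64(att.sig))) return "bad-bank-signature";
  const { cred, claims } = JSON.parse(att.payload);
  if (claims[claim] !== true) return "claim-not-met";
  const credPub = createPublicKey({ key: unb64(cred), format: "der", type: "spki" });
  return verify("sha256", challenge, credPub, unb64(assertion)) ? "ok" : "no-key-possession";
}

function demo() {
  const bank = newKey(), user = newKey(), other = newKey();
  const att = bankAttest(bank.privateKey, user.publicKey, { over_18: true, over_21: false });
  const challenge = randomBytes(32);
  const check = (priv, claim = "over_18", a = att) =>
    merchantVerify(bank.publicKey, a, challenge, assertPossession(priv, challenge), claim);
  // Same key material re-imported, as a synced credential vault would hold it.
  const copy = createPrivateKey(user.privateKey.export({ type: "pkcs8", format: "pem" }));
  const edited = { ...att, payload: att.payload.replace('"over_21":false', '"over_21":true') };
  return {
    holder: check(user.privateKey),            // original authenticator
    passedAlong: check(other.privateKey),      // attestation without the key
    syncedCopy: check(copy),                   // merchant cannot tell it from holder
    over21: check(user.privateKey, "over_21"), // claim the bank did not grant
    editedClaims: check(user.privateKey, "over_21", edited),
  };
}

console.log(demo());
```

The `syncedCopy` result is the limit raised in the last comment: the check proves possession of the bound key, not which person or device holds it.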