←back to thread

Show HN: Anonymous Age Verification

(gist.github.com)

70 points jwally | 3 comments | 31 Aug 25 17:14 UTC | HN request time: 1.037s | source

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

Show context

immibis ◴[31 Aug 25 19:39 UTC] No.45086361[source]▶

>>45084905 (OP) #

so what if I sell this service to under-18 people in exchange for $30 each time?

Apart from me going to jail, I mean. How would the protocol prevent this?

replies(2): >>45086445 #>>45086567 #

jwally ◴[31 Aug 25 20:03 UTC] No.45086567[source]▶

Webauthn ties the credential to your device.

replies(2): >>45086786 #>>45087515 #

hsbauauvhabzb ◴[31 Aug 25 20:27 UTC] No.45086786[source]▶

So now I can’t use a device that allows me to load kernel modules, no more sideloading, rooting or *desktop computers*?

replies(1): >>45087497 #

1. jeroenhd ◴[31 Aug 25 22:00 UTC] No.45087497[source]▶

Most devices support signing requests using a certificate baked into the device's hardware certificate store, in a way the OS can't tamper with. Using that certificate to sign a nonce would prove legitimacy of the hardware store (basically, remote attestation).

Your modified kernel can redirect communication attempts with the hardware to another device, but you'll still need a "sanctioned" device every time.

This system makes a lot of sense in corporate environments where compatible hardware can be bought and managed en masses. It doesn't make a lot of sense for something like this. Still, it's technically and practically possible to use such a mechanism, even if it's not advisable.

Webauthn isn't necessarily going to save you, though, and websites need to blacklist any hardware that has been found compromisable in the past (i.e. most consumer laptops, many consumer phones) and it won't work on Android phones running custom ROMs that don't implement the full security service but rather load in the bare minimum to get the API working.

replies(1): >>45087886 #

2. immibis ◴[31 Aug 25 23:05 UTC] No.45087886[source]▶

>>45087497 (TP) #

So it won't work on computers with open-source hardware?

And it's not anonymous at all, because it's it's signed by an unchanging device-specific public key?

replies(1): >>45107382 #

3. jwally ◴[02 Sep 25 18:49 UTC] No.45107382[source]▶

Luckily Chase and Pornhub aren't greedy and don't use ad-networks or share your data at all...