Show HN: Anonymous Age Verification

(gist.github.com)

70 points jwally | 3 comments | 31 Aug 25 17:14 UTC | HN request time: 0.68s | source

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

Show context

greatgib ◴[01 Sep 25 07:09 UTC] No.45090258[source]▶

>>45084905 (OP) #

Indeed, you are a not an expert, and you are doing the same as reinventing your own broken crypto. Please do not!

This has the appearance of anonymous when it is not.

First, the moment that a value, being it a nonce, a random value or whatever will be common on both side, there is no anonymity anymore.

Then, there is timing attack, where visiting a website, you then need to go to your bank. And the bank will sign at a specific time for a specific timeframe.

Then, the need to manually "copy" the signature. I guess you don't see what size, difficult characters this has to have, but totally impracticable. So in the end people would use that to pretend that it is possible with anonymity skipping that step.

Then, if the bank doesn't know the website where you went, gambling.com will know what is your bank.

And in a lot of countries, age limit might be different for some activities, like gambling allowed at 21, porn at 18, or even rules would not be the same by countries. So again, you will be leaking the country and potentially you will have to leak to the bank the activity that is intended.

And what do you do when banking app force you to have a certified Apple or Google spying approved phone? Bank already have too much power and responsibility and easily abuse of it, so it would be better to not give them even more.

So again, please refrain of inventing stupid solution like that, that can give the wrong impression to the bad persons that it is possible, justifying laws and co, when it is not possible without costing hardly on our privacy!

replies(2): >>45090414 #>>45090502 #

1. jwally ◴[01 Sep 25 07:49 UTC] No.45090502[source]▶

>>45090258 #

A little more aggressive than maybe necessary, but I do appreciate the sentiment. Truly.

My goal here is to try and point out that there is a solution that can be rolled out in under 6 months by leveraging existing kyc infrastructure.

IT DOES NOT HAVE TO BE THIS!

Can this be beefed up to make credential resale impractical, while still preserving anonymity in the face of collusion while still being legitimate enough to rely on as evidence that someone is over 18? Absolutely! Will it be perfect? No.

As a Texan, my rights are being eroded daily, bit by bit (pardon the pun). Its dog shit that my kids have to live in a world where my government is effectively legislating morality and enforcing it on technicalities by DDOSing the legal system. But this IS the world I live in.

My other options are what? Vote, move, or use TOR?

If you're so clever, help. Improve it. Create something better but don't sit back and shit on a first draft of something that is trying (admittedly poorly) to put a speed bump in front of our freight train to the Republic of Gilead.

replies(1): >>45093822 #

2. greatgib ◴[01 Sep 25 16:00 UTC] No.45093822[source]▶

>>45090502 (TP) #

   My goal here is to try and point out that there is a solution that can be rolled out in under 6 months by leveraging existing kyc infrastructure.

You complain of the erosion of privacy, and yet your goal is to give the oppressors tools to justify their actions. Especially tools that you know are far from perfect to achieve the anonymity goal. I'm sure that you don't have bad intentions, but what is happening after is that persons less take savy will take your work as an example that "it is possible" and that technologists are bullshiting them when saying that it is not possible without eroding anonymity. They will not look further than that. Look we can do laws because it is not impossible if we want.

If you look well in UK, this is what is happening, the country trying to give the legislator a reality check, but too late.

replies(1): >>45103315 #

3. jwally ◴[02 Sep 25 14:07 UTC] No.45103315[source]▶

>>45093822 #

Better to go down with the titanic than leave your cabin with your hair disheveled! And what will the survivors say if you show up in the life boat with the same formal attire you had on the night before!?!

↑