←back to thread

Show HN: Anonymous Age Verification

(gist.github.com)
70 points jwally | 1 comments | 31 Aug 25 17:14 UTC | HN request time: 0.206s | source

So I'm not an expert in this area, but here's an attempt at cost effective, anonymous, age verification flow that probably covers ~70% of use cases in the United States.

The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.

Flow works like this:

1) You go to gambling.com

2) They request you to verify your age

3) You choose "Bank Verification"

4) You trigger a WebAuthn Credential Creation flow

5) gambling.com gives you a string to copy

-------------

6) You log into your bank

7) You go to bank.com/age-verify

8) You paste in the string you were given

9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)

10) You copy this and go back to gambling.com

---------------

11) You paste the string back into gambling.com

12) You perform WebAuthn Auth flow

13) gambling.com verifies everything (signatures, webauthn, etc)

14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com

The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.

This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.

1. Bender ◴[01 Sep 25 14:46 UTC] No.45093052[source]
Anonymous age verification already exists but is not legally implemented or required.

RTA headers [1] tell the client the URL may contain adult content or user generated content which can be adult in nature and then the client can detect the header and prompt for a local password if parental controls are enabled. A simple law to require client applications to look for the header and triggering parental controls would handle this in an anonymous manor. Not perfect, nothing is, but would address much more than 70% of use cases for actual small children. Small children would be restricted to whatever browsing agents are installed as they do not have administrative permissions. If this was done in error the parent can reset the device.

Teens will bypass any method anyone can think of as current centralized methods do not even apply to most of their current methods of downloading and sharing porn.

[1] - https://www.rtalabel.org/index.php?content=howtofaq#single