Show HN: Anonymous Age Verification (gist.github.com)
The basic premise is to leverage your bank (who already has had to perform KYC on you to open an account) to attest to your age for age-restricted merchant sites (pornhub, gambling, etc) without sharing any more information than necessary.
Flow works like this:
1) You go to gambling.com
2) They request you to verify your age
3) You choose "Bank Verification"
4) You trigger a WebAuthn Credential Creation flow
5) gambling.com gives you a string to copy
-------------
6) You log into your bank
7) You go to bank.com/age-verify
8) You paste in the string you were given
9) The bank verifies it/you and creates a signed payload with your age-claims (over_18: true, over_21: false)
10) You copy this and go back to gambling.com
---------------
11) You paste the string back into gambling.com
12) You perform WebAuthn Auth flow
13) gambling.com verifies everything (signatures, webauthn, etc)
14) gambling.com sets a session-cookie and _STRONGLY_ encourages you to create an account (with a pass key). This will prevent you from having to verify your age every time you visit gambling.com
The mechanics might feel off, but it feels like this in the neighborhood of a way to perform anonymous age verification.
This is virtually free, and requires extremely light infra. Banks can be incentivized with small payments, or offer it because everyone else does and don't want to get left behind.
33 comments
[ 2.9 ms ] story [ 53.1 ms ] threadWhat you need[0] is a certificate, signed by a recognised provider[1], asserting that email address X is associated with a person aged over 18.
Once you have that, you can then provide it to anyone who asks for it. The certificate provider doesn't need to know who you're proving it to. Literally all they have to do is check whatever information they need to[2] to be happy asserting "Oh yeah, that's an adult".
If your browser (or an add-on for it) wanted to make this easy by storing the certificate for you securely, then that would be awesome, obviously.
But there's no reason why the certification provider needs to know who they're certifying your adulthood to.
[0]Assuming that you want a way to prove you're an adult.
[1]That could be a bank, a government, or anyone else who has sufficient levels of societal trust.
[2]Photo of you, use of a credit card, records of you using that email address for more than 18 years. Whatever makes them happy making that assertion, that they'd be willing to stand up in court and defend their processes if one of their certificates was issued wrongly.
[0] https://tlsnotary.org
https://www.fdic.gov/news/press-releases/2024/fdic-survey-fi...
1. 7 million (2020) has no proper ID [0].
2. 120 million struggle with reading [1], and you can assume at least 7 million realistically can't read.
3. Banks already do identity verification across the world, even on behalf of the governments themselves.
I see many challenges in what OP is proposing, but banking adoption across population is not one of them.
[0] https://www.voteriders.org/voter-id-research/
[1] https://www.apmresearchlab.org/10x-adult-literacy
Apart from me going to jail, I mean. How would the protocol prevent this?
And if a country already has a functioning digital ID solution that covers every citizen it should be a simple add-on to add this. The "functioning digital ID solution that covers every citizen" seems like the step to fix _first_ (definitely before imposing age verification laws online!).
Also, having such a system really should be seen as par for the course for any developed country.
The user's credential is bound to the device and protected by their biometrics (Face ID/Touch ID), and the consent screen feels very similar to using a Passkey (gaining in mainstream popularity) or Apple Pay (pretty mainstream at this point).
- https://www.w3.org/TR/digital-credentials/
- Apple's implementation - https://developer.apple.com/wallet/get-started-with-verify-w... (and moving to the browser in iOS 26 https://support.apple.com/en-gb/guide/apple-business-connect...)
The challenge here is adoption and availability of digital credentials. It appears State Department is allowing iOS 26 to issue digital credential representations of US passports also. Japan are also providing their national ID card in this way. Given some US states' online age verification laws (and whatever it is the UK are trying to do at the moment), seems like a great incentive for those governments to provide robust digital ID infrastructure.
Hell no! Banks should NOT assume an expanded role in transaction processes; rather, their involvement should be further reduced. The objective should be to establish public consensus that positions banks as an optional payment method, not as an integral component of daily activities. Even in scenarios where banks do not access personal identification information, their institutional power should be constrained rather than extended.
Cashless payment systems present inherent risks for surveillance and control, as they channel all transactions through centralized, heavily monitored networks. Individuals flagged within these systems may face severe exclusion from economic participation without due process protections.
KYC protocols may have poorly regulated flagging databases that lack the procedural safeguards associated with formal criminal records. Unlike criminal records, which require due process for inclusion and can be destroyed, banking flags operate without comparable regulatory oversight. This transfers significant power to corporate entities and their stakeholders, having this “shadow” power that would control the public.
Regardless of anonymity provisions, banks should function solely as optional convenience tools for payment processing, not as mandatory intermediaries in financial transactions or any process. The integration of banking systems into essential processes is the worst for anyone who cares about surveillance free society and create a concentrated institutional power, and it will reduce individual autonomy, financial or not.
1. Some one makes an intermediary service where they allow users to get the age verification from them. Get the information from the user provided to them by merchant, use their own (service providers) bank account to get the token and return back to the user. Identity less age verification is not practically possible, somewhere down the line you have to peg the identification for the user with a common identifier that services can mutually trust.
2. WebAuthn flow has timeouts (everyones spec implementation might be different) associated with it, most people are going to run into that
You get your verification code
Paste it into my website and pay $15
One of my crowdsourced reps will complete the request for you and collect $7.50
A better one is Chaum's Ecash protocol: https://en.wikipedia.org/wiki/Ecash
To use a metaphor for that protocol:
This is secure because the bank never saw the UID so they don't know if it was gambling-123 or disney-123. The gambling site can save that stamped UID and give it to the bank (or government) if required, but bank can't figure who came in to get that UID embossed. The only person who knows all the tracking information is the user. And as long as they burn the envelope (which is cryptographically secure), there is no usable tracking information.As long as the bank is Good and uses the same stamp for all users (i.e, they don't use alice-stamp, and bob-stamp, etc for different users), there is no way for anyone to connect that Alice got her gambling-123 UID stamped. But this stamp is normally using PKI so anyone can check the public key of the stamp.
This algorithm was originally conceived to create anonymous "cash" since the bank would charge $1 to stamp your envelope and the gambling site could sell their UID paper to the bank to get that $1 from the bank.
[0] https://www.rfc-editor.org/rfc/rfc9578
A valid and safe "age verification" (actually to be BANNED because meant as a way to pass internet censorship) could simply be: the State offer FLOSS and open-hardware IDs, we got a USB reader/built in in keyboard, built-in in laptop like we have hat in early 2000, who being all open we can trust, and the a simple boolean request "above age?" with a true or false answer PERIOD.
If we want more we ERASE the not needed anymore banking sector with a state backed crypto and state backed open hardware and FLOSS wallets with a simple display usable as smartwatch or pendent with a retractable necklace like the one we use for skipass, where we could see on a trusted device what we are going to approve or reject.
It's time to craft rules as code, in money/finance and laws/bureaucracy ERASING nazi censorship we see growing everywhere starting with biometry push.
The proper-ish solution to the problem are zero knowledge proofs: I get my government or whoever to give me a credential with my date of birth, I go to website which asks me for my age, the website gives me a token, I use the token and my gov credential to generate a proof that says "today i'm over 18" i give proof to website, the website verifies the proof using my governments public key and lets me pass. This way nobody knows anything more than necessary and it protects everybodys privacy. [1]
Hey we make it a standard open protocol! So everybody can implement it easily. We finance a open-source reference implementation. All the children are forever saved from harm. We have parties under rainbows and world peace!
[1] ZKRP's Zero Knowledge Range Proofs: https://arxiv.org/pdf/1907.06381
There are some details thatihjt still need to be worked out for an American implementation (the lack of an eIDAS equivalent, for one), but the EU solution is being developed cross platform, in the open. You can just take the source code, replace/extend the chains of trust with whatever verification platforms you can convince others to join your programme, and reuse most of the existing code.
For an American implementation, you can probably take out the part where verifiers need to be registered with the verification service (which I believe is part of EU law but makes implementing anonymous verification difficult). The wording and name should probably also be changed to be more in line with American expectations, and removing the remote attestation requirement would be nice if your verification services don't demand you include it. I'd also wait for ZKPs to be implemented, or add them to the implementation, to reduce the potential impact of collusion between governments and websites.
The account creation part is optional but probably recommend. I wouldn't lock it to just passkeys, though, having a fallback to classic username/password is probably a good idea just in case.
Translate this to a state collapsing into a dictatorship, like Serbia or Turkey, and you'd expect the supposed "trusted" verifiers, banks, to be run by people who collude with the people black-bagging people.
The assumption "banks are ultimately trusted" is not a sound assumption.
The implicit assumption "age attestation cryptography is only for unimportant things like gambling.com, so we can YOLO this" is not sound. Age-attestation is a general-purpose backdoor for doxxing people in many contexts—not just unimportant ones that are embarrassing at worst.
https://docs.yivi.app/technical-overview/
Since I learned about it I've been hoping a system providing such unlinkability would be further developed and preferably adopted as the standard for online identity by for example the EU. Unfortunately I don't think the current proposals for the eIDAS include this (although it's been a while since I read up on this and I'd love to hear from someone more familiar if I'm wrong!)