Show HN: Anonymous Age Verification
10 days ago
- #authentication
- #banking
- #privacy
- Zero-storage, privacy-preserving age check leveraging banks' existing KYC without revealing user identity or visited sites.
- Banks sign an age claim, not identity; merchants verify tokens without storing personal data.
- User acts as the transport layer by copy/pasting values between merchant and bank, ensuring no redirects or server-to-server calls.
- Framework designed for anonymous age checks using existing KYC, avoiding PII leaks, heavy ID uploads, or tracking.
- Process involves merchant nonce, WebAuthn key creation, bank authentication, and token verification without storing user data.
- Stateless merchant verification with HMAC'd nonce and WebAuthn, ensuring no database is required.
- Short-lived tokens and one-time keys enhance privacy and prevent cross-site correlation.
- Optional features like IP prefix or UA hash for stronger replay deterrence at some privacy cost.
- Passkey integration for one-click returns post initial verification, improving user experience.
- Security measures include token TTL, WebAuthn UV assertion, and trusted bank JWKs to mitigate threats like token replay or theft.
- Open for community contributions including reference implementations, libraries, and threat modeling.