Show HN: Anonymous Age Verification

Summary

Bank‑Based Anonymous Age Verification (BAV) A zero‑storage, privacy‑preserving age check that leverages banks’ existing KYC — with the user as the transport layer. Banks sign an age claim, not an identity. They never learn which site you’re visiting. Merchants verify a short‑lived token against their own nonce and a one‑time WebAuthn key. No database required. The user copy/pastes the values between merchant and bank. No redirects, no OAuth, no trackers, no server‑to‑server calls. YOU see and control everything. This is a framework / reference design to make anonymous age checks practical using institutions that already have KYC. It’s not “the one true standard” — it’s a clean baseline to critique, pilot, and iterate. Current age‑verification options are either leaky (share PII), heavy (ID upload & storage), tracky (central IdPs), or pricey (per‑verification fees). Banks already know your age via KYC — we reuse that fact without revealing who you are or where you’re going. [Merchant] │ (1) shows nonce Nm + challenge ▼ [User/Browser] —(2) creates fresh WebAuthn key Kt—► │ ├──(3) copy two short strings────────────────► [Bank] │ - SHA256(Nm) │ - jkt(Kt_public) = SHA256(SPKI(Kt_public)) │ ◄────────────────────(4) bank returns signed age token (short‑lived) │ └──(5) paste token + Kt_public back to merchant Merchant verifies: token signature, matches hashes, and checks WebAuthn assertion with Kt_public. Roles and data boundaries Who Sees Never sees Bank Your identity (already KYC’d), token issue time, the two hashes Merchant domain, URL cookies, user identity at merchant Merchant Their own nonce, age threshold claim (e.g., over_18), Kt_public, token times User identity, bank account details User Everything they copy/paste — High‑level flow (6 simple steps) Merchant → User: Render a page that displays (a) a signed nonce Nm and (b) a WebAuthn challenge. Browser: Create a fresh, ephemeral WebAuthn credential (Kt); extract Kt_public. UV must be required. User → Bank: Copy two...