alt Hacker NewsWorth noting the irony cycle: Discord's October 2025 breach leaked ~70,000 government IDs from their support vendor 5CA, which pushed them toward "privacy-preserving" on-device face estimation via k-ID. But the privacy-preserving design (run the model locally, only send metadata) is exactly what makes it trivially spoofable. The encryption is solid (AES-GCM with HKDF-derived keys) but it protects transport integrity, not input authenticity.
So they moved away from collecting IDs because collecting IDs is a liability, and moved toward a system that's bypassable because it doesn't collect enough to verify. This isn't solvable without hardware attestation (App Attest, Play Integrity), which kills the browser flow and still doesn't prevent pointing the camera at a screen.
Age verification as a concept requires either trusting the client (spoofable), collecting sensitive data (breach liability), or binding to attested hardware (excludes platforms and users). Pick your poison. Every vendor in this space is just choosing which failure mode they prefer.
Replies
Its like it is evolving in front of our eyes! Eventually they might get somewhere that meets all the requirements, natural selection governed by lawsuits.
You forgot one (the sane one, which is coming soon anyway):
Using a government issued eID system. The EU is going to rollout eID in a way that a site can just ask “is this person > age xy?”. The answer is cryptographically secure in the sense that this person really is this age, but no other information about you has to be known by the site owner.
Which is the actual correct way to do it.
I don’t understand why all the sites go crazy with flawed age verification schemes right now, instead of waiting a until the eID rollout is done.
EDIT: I forgot to mention that it’s only the correct way if the implementation doesn’t give away to your government on which sites you browse… Which I believe is correctly done in the upcoming EU eID but I could be wrong about it.