This comes up in every thread, but the purpose of the laws is not to verify that someone can access an anonymous token. If we had a true anonymous token system then everyone would just share tokens around.

The real world analog would be if you could buy beer at the store with anyone's ID because they didn't make any effort to reasonably check that the ID was yours or discourage people from sharing or copying IDs.

The systems enforce identity checking because that's the only way age verification can be done without having some reason to discourage or detect credential sharing.

The retort that follows is always "Well it's not perfect. Nothing is perfect." The trap is convincing ourselves that a severely imperfect system would be accepted. What would really happen is that it would be the trojan horse to get everyone on board with age verification, then the laws would be changed to make them more strict.

▲

miloignis 6 hours ago | parent | next [-]

Matthew Green talks about this in his blog on the subject: https://blog.cryptographyengineering.com/2026/03/02/anonymou...

The two methods that seem feasible are making it hard to copy (putting it in the secure element in your phone, for example, which I don't love) or doing tokens that can only be used a limited number of times per day, like in : https://eprint.iacr.org/2006/454

▲

an hour ago | parent | prev | next [-]

[deleted]

▲

goda90 6 hours ago | parent | prev | next [-]

Make it a duplication resistant hardware token that you can get for free then. The stakes just aren't high enough to worry about these kinds of edge cases.

▲

dpark 6 hours ago | parent | next [-]

Yeah, right. So the government is going to spend billions on “porn tokens”. That’s going to get through the legislature.

I’m sure there wouldn’t be a brisk illicit trade in these tokens either. Certainly no one would be incentivized to sell these tokens to teenagers for easy profit.

	▲	snackbroken 5 hours ago \| parent [-]
		Further, "porn tokens" are the pointy end of the wedge, because it's easy to misconstrue any opposition as advocating for "kids should have access to porn, actually". The broad end that is being hammered towards is "kids aren't allowed on social media because it's harmful to them" AKA "free speech tokens".

▲

akersten 6 hours ago | parent | prev [-]

The stakes just aren't high enough for us to implement any of this crap for the Internet in the first place. Let alone an entire government-administered hardware supply chain.

▲

nitwit005 4 hours ago | parent | prev [-]

Continuous age verification isn't possible, so you'll have to store some sort of proof of age somewhere, and that proof will always be sharable.

Let's say Facebook has verified my age somehow. I could share my Facebook login credentials, or the token that their authorization server sends back in response. You can create some hurdles to doing that, like requiring a second factor, but I can just share that too.

You might as well go down the route of accepting that possibility. These systems are never going to hold up in the face of a determined enough teenager.

	▲	dwaite 4 minutes ago \| parent [-]
		That really depends. A zero knowledge system would show to the verifier that the person is authorized for access _right now_, but thats just the answer to a particular challenge. Outside of the verifier who knows they came up with a random challenge without bias or influence, the response would mean nothing. I think a lot of age verification systems are the solution to the real core of legislation - to make companies liable for underage viewing of content. To put such legislation in place without providing a feasible way to accomplish age verification would be argued as discriminatory. In that sense, a zero knowledge system which doesn't give a company non-repudiation so that they can defend themselves in court may very well be insufficient. And that will require tracking identity long-term, although it could be done with a third-party auditor under break-the-glass situations with proper transparency.