April 22, 2026
CAPTCHA cure or privacy lure?
Anonymous credentials: an illustrated primer (Part 2)
Anonymous wristbands for the web: fans cheer, skeptics ask “do we trust the bouncer?”
TLDR: The post shows how anonymous “wristband” credentials like Privacy Pass already power CAPTCHA-free logins, and Google’s pushing anonymous age checks. Commenters split between relief at fewer tests and fear that big issuers could still track people or turn “limits” into new levers—privacy vs trust, in one debate.
“Anonymous credentials” are like wristbands that let you prove you’re allowed in without saying who you are. Today’s post dives into real products: Privacy Pass used by Cloudflare, Apple’s “Private Access Tokens”, Google’s “Private State Tokens”, even Brave and Microsoft Edge. Comments erupted: half the crowd cheered “bye CAPTCHAs,” the other half hissed “trust the Issuer?” Devs loved the simplicity—single-use “wristbands” with almost no info—while skeptics asked if an Issuer and a website could secretly match them up. The author’s “even Microsoft uses it” jab became a meme, with replies like “Edge found Settings > Privacy > On?”
The spiciest brawl: anti-bot limits vs true anonymity. Supporters say rate-limited tokens stop credential-cloning and bot swarms without doxxing anyone. Critics warn limits can become tracking in disguise if big firms tweak knobs. Meanwhile, Google’s new anonymous age check proposal split the room: parents and brand-safety folks applauded “safer web without IDs,” privacy diehards yelled “ID at the door by another name.” Meme parade: “Zero-knowledge? Same, bro,” “1980s math saves 2026,” and nightclub jokes about Cloudflare as the bouncer. Underneath the laughs, one theme: the math promises privacy, but who do we trust to hold the wristbands?
Key Points
- •Anonymous credentials allow users to authenticate without linking sessions to a specific issued credential.
- •Systems should limit credential usability (e.g., number of shows) to prevent cloning and bot abuse.
- •Expressive credentials let users prove specific facts without revealing additional data.
- •Privacy Pass is a simple, widely deployed anonymous credential protocol used by Cloudflare, Apple, Google, Brave, and Microsoft.
- •Privacy Pass is standardized in IETF RFCs 9576, 9577, and 9578; Google is also standardizing an anonymous age verification proposal.