Age Assurance on the Internet: Identity, Privacy, and the Limits of Verification
In the field of digital identity, we tend to talk about technology through the lens of specific use cases. Payments. Authentication. Fraud prevention. Account recovery. Which makes sense; you can’t solve a problem if you can’t map to something real.
Which takes me to one use case that keeps appearing in policy discussions around the world: age assurance.
How can someone prove they are old enough to access something—whether that means buying alcohol in person, signing up for social media, or accessing restricted content online—without exposing more personal information than necessary?
This is a really challenging use case because it has some significant trade-offs.
Age restrictions exist across a wide range of activities: purchasing tobacco or alcohol, accessing online pornography, participating in social media platforms, gambling, and many others. The specifics vary widely by jurisdiction, but the concept itself is familiar. Protecting children from harm is a compelling argument everywhere.
At the same time, privacy advocates and civil liberties organizations have raised serious concerns about the infrastructure being built to enforce these restrictions. Age verification systems often require collecting identity data at scale, creating databases that may include precisely the people we are trying to protect. Critics warn that poorly designed systems can create new privacy risks while doing little to address the underlying harms. In an effort to protect the children, we might be making matters worse.
Regardless of where you personally land in that debate, organizations may soon be required to implement some form of age assurance.
So, let’s take a look at where things stand today, noting that age assurance is a moving target both politically and technically.
Age Assurance, Age Verification, and Age Estimation
The first challenge is terminology. In policy discussions, several related concepts are often used interchangeably, even though they describe very different approaches.
- Age verification typically means confirming a person’s age using an authoritative credential such as a government ID.
- Age estimation uses probabilistic techniques to guess a person’s age, often through biometric analysis like facial recognition.
- Age assurance is the broader umbrella term that includes both of these approaches.
This distinction matters because each method has different privacy and technical implications.
Most age estimation technologies rely on biometric analysis, typically facial features, to infer an approximate age range. But advances in synthetic media and deepfake generation are already challenging those assumptions. If the image being analyzed is artificially generated, manipulated, or replayed, the system may be estimating the age of something that is not a real person at all.
Standards work around presentation attack detection and liveness verification attempt to mitigate these risks, but the dynamic between synthetic media and detection technologies is likely to remain an ongoing arms race.
Verification tends to be highly accurate, but it often requires linking the user to a real-world identity document. Estimation can be less intrusive, but it may introduce accuracy issues and potential bias. Age assurance systems frequently combine multiple techniques in an attempt to balance these tradeoffs.
In other words, there is no single solution. Instead, organizations must navigate a spectrum of approaches with different risk profiles.
The Regulatory Landscape
Age verification requirements are appearing in legislation around the world.
Several U.S. states have passed (or are planning to pass) laws requiring age verification for access to certain online content. The United Kingdom’s Online Safety Act introduces new responsibilities for platforms to protect minors from harmful content. Similar laws exist across Europe, Australia, and parts of Asia.
The details vary widely, but generally speaking, platforms are increasingly expected to determine whether users meet age thresholds before granting access to certain services.
This raises an obvious, but poorly answered, question. How exactly are they supposed to do that?
Where Does the Age Check Actually Happen?
From a technical perspective, there are several possible places where age checks can occur.
One option is platform-level verification, where the service itself asks users to upload identification documents or submit biometric data. Many online services already experiment with this approach.
Another option is third-party verification providers. Companies specializing in identity proofing perform the age check and return a confirmation to the platform.
A third approach involves digital identity wallets or credentials. In this model, a trusted issuer provides a credential that includes age attributes, and users present that credential when required.
Finally, some policymakers have proposed placing age assurance closer to the browser or device layer, allowing software intermediaries to mediate these checks.
Each of these architectures comes with different tradeoffs around privacy, interoperability, and deployment complexity. The identity industry is still actively exploring which approaches will prove viable at scale.
The Standards Ecosystem
Age assurance is not emerging in a vacuum. A number of standards and frameworks attempt to define how these systems should work.
Some focus on policy frameworks and governance, such as the IEEE 2089 family of standards, which address age-appropriate digital services and the design of age verification systems.
Others focus on identity proofing, including ETSI TS 119 461, which defines requirements for remote identity verification aligned with European regulatory frameworks such as eIDAS.
Biometric approaches often rely on standards like ISO/IEC 30107-3, which addresses presentation attack detection: essentially, determining whether a biometric sample is coming from a real person rather than a photograph or deepfake.
Additional standards address privacy and data protection, including ISO/IEC 27018 and ISO/IEC 27701, which focus on safeguarding personal data during identity verification processes.
Taken together, these frameworks illustrate that age assurance is not a single technology problem. It touches identity proofing, biometrics, privacy engineering, and regulatory compliance all at once.
The Reality: Age Checks are Easy to Bypass
One reason policymakers are turning toward stronger verification systems is that existing safeguards are often ineffective.
Research examining children’s use of social media has shown that age restrictions embedded in platforms are routinely bypassed. In one study, 78% of children aged 10–15 were reported to have social media accounts despite minimum age limits, largely because existing verification systems rely on self-reported birth dates.
Parents in the same study also reported difficulty supervising their children’s online activity, highlighting the gap between regulatory expectations and everyday digital behavior.
In other words, current age-restriction mechanisms often function more as guidelines than enforceable barriers.
The Privacy Paradox
Efforts to strengthen age verification create their own set of risks.
Many proposed systems require users to upload identity documents, submit biometric scans, or otherwise provide personal data. These mechanisms can create large databases of identity information linked to sensitive activities.
The Electronic Freedom Foundation warns that such systems can easily become honeypots of sensitive personal data.
Even when the intention is to protect minors, poorly designed verification systems may introduce surveillance risks or create new attack surfaces for identity theft and data breaches.
The challenge is not only verifying age. It is doing so without building a permanent record of who accessed what online.
Where Digital Identity Comes Into Play
This is where digital identity technologies enter the conversation.
One promising idea is the use of cryptographic credentials that allow selective disclosure of attributes and/or zero-knowledge proof of a fact like “over 18”. (I wrote about the differences between the two a few weeks ago.)
Instead of revealing a full identity document, a user might present a cryptographic proof that simply confirms “Age ≥ 18” without revealing name, address, or ID number.
Mobile driver’s licenses and verifiable credential systems are exploring exactly this kind of functionality. In theory, these approaches could enable age assurance while preserving a high degree of privacy.
Questions around issuer trust, credential revocation, device security, and interoperability, however, still need to be addressed before these systems can be widely deployed. Even when the technology works well enough, deploying it successfully and appropriately is still a challenge.
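To make the selective-disclosure idea concrete, here is an added example (not code from this post or from any wallet or mDL project) that uses salted hashes in the style of SD-JWT: the issuer signs only digests of the claims, the holder reveals one claim, and the verifier checks it and keeps nothing but a yes/no answer. The HMAC key standing in for the issuer's signature, the function names, and the sample credential are all assumptions made for illustration; this shows selective disclosure, not a zero-knowledge proof.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key. HMAC is a stand-in for the issuer's real (asymmetric) signature.
ISSUER_KEY = secrets.token_bytes(32)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def digest(disclosure: str) -> str:
    return b64(hashlib.sha256(disclosure.encode()).digest())


def sign(payload: str) -> str:
    return b64(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())


def issue(claims: dict):
    """Issuer: salt and hash every claim, then sign only the sorted digest list."""
    disclosures = {}
    for name, value in claims.items():
        salt = b64(secrets.token_bytes(16))  # per-claim salt blocks guessing hidden values
        disclosures[name] = b64(json.dumps([salt, name, value]).encode())
    payload = json.dumps({"_sd": sorted(digest(d) for d in disclosures.values())})
    return payload, sign(payload), disclosures


def present(payload, signature, disclosures, reveal):
    """Holder: forward the signed digests plus only the chosen disclosures."""
    return {"payload": payload, "sig": signature,
            "disclosed": [disclosures[name] for name in reveal]}


def verify_age(presentation) -> bool:
    """Verifier: check the signature, check each disclosure is covered by it,
    and return only the boolean. Nothing about the holder is stored."""
    payload = presentation["payload"]
    if not hmac.compare_digest(sign(payload), presentation["sig"]):
        return False
    signed = set(json.loads(payload)["_sd"])
    claims = {}
    for disclosure in presentation["disclosed"]:
        if digest(disclosure) not in signed:
            return False  # disclosure was not part of what the issuer signed
        pad = "=" * (-len(disclosure) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(disclosure + pad))
        claims[name] = value
    return claims.get("age_over_18") is True


# Constructed sample credential; none of these values come from the article.
PAYLOAD, SIG, DISCLOSURES = issue({
    "name": "Alex Example", "address": "1 Sample Street",
    "id_number": "X0000000", "age_over_18": True})
PRESENTATION = present(PAYLOAD, SIG, DISCLOSURES, ["age_over_18"])

if __name__ == "__main__":
    print("over 18:", verify_age(PRESENTATION))
    print("claims revealed:", len(PRESENTATION["disclosed"]), "of", len(DISCLOSURES))
```

The verifier sees four digests but can open only one of them; name, address, and ID number stay with the holder.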
Age Verification as Social Infrastructure
Another important insight from policy research is that age restrictions alone rarely solve the underlying problem.
Studies examining digital risk among minors have found that regulatory approaches often struggle because they rely on a single mechanism — such as platform enforcement — without addressing broader social factors. Weak coordination between families, schools, platforms, and regulators can limit the effectiveness of age-restriction policies.
More broadly, policies aimed at protecting vulnerable populations frequently involve complex tradeoffs between social protection and other societal goals. Social protection frameworks can mitigate risks, but they may also introduce unintended economic or social effects depending on how they are implemented.
Age assurance sits squarely in this category. It is not purely a technical system. It is part of a broader governance problem.
The Deeper Question
For identity professionals, there is a question that goes beyond how to verify age and into the cost, both financial and architectural, of building the infrastructure required.
Age verification systems have the potential to reshape authentication, credential presentation, and identity mediation across the web. The same infrastructure that proves someone is over eighteen could, in theory, support many other forms of attribute verification.
Once that infrastructure exists, the temptation to use it for additional purposes may be difficult to resist. I refer the kind reader over to Andrew Hindle’s post on Proofing Creep. (He and I are also presenting at RSAC 2026 on that same topic.)
A Practical Perspective
For organizations facing age verification requirements today, several principles are worth keeping in mind.
- First, collect as little personal data as possible. Data minimization should be the default design principle.
- Second, where possible, prefer attribute proofs over identity disclosure. Confirm the necessary fact without exposing unrelated information.
- Third, avoid creating centralized databases of age-verification events. These systems introduce significant privacy and security risks.
Finally, recognize that age assurance works best when it is part of a broader ecosystem that includes parental guidance, digital literacy, platform accountability, and thoughtful regulation.
Age verification is rapidly becoming one of the most complex intersections of identity, privacy, and public policy on the internet.
For those working in digital identity, it may also be a preview of the next major shift in how identity systems interact with the web itself.
Transcript
Welcome to the Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. I’m Heather Flanagan, and every week I break down interesting topics in the field of digital identity, from credentials and standards to browser weirdness and policy twists.
If you work with digital identity but don’t have time to follow every specification or hype cycle, you’re in the right place.
Why age assurance matters
In digital identity, we usually talk about technology through specific use cases.
For example, we talk about:
- Payment use cases.
- Authentication.
- Fraud protection.
- Account recovery.
Those conversations usually focus on how to prove who someone is in different scenarios. However, a different question has been showing up in policy discussions around the world: not “Who are you?” but “How old are you?”
Age assurance is the ability to confirm that someone meets a legal age requirement. In practice, that sits at the intersection of policy, privacy, and digital identity.
At first glance, it seems simple. A person proves they are old enough to access something, whether that means buying alcohol in person, signing up for social media, or restricting online content. But as soon as you try to enforce age limits online, the problem becomes much more complicated.
Verification and estimation
One of the first questions is what we actually mean by age verification.
There are several related terms in use, and they are not the same:
- Age verification usually means confirming age with an authoritative credential, such as a driver’s license, passport, or official document.
- Age estimation is different. It tries to infer age probabilistically, often using biometric analysis like facial recognition.
- Age assurance is the umbrella term that includes those approaches and others.
That distinction matters.
Verification is usually more accurate, but it often requires linking a specific person to an identity document. Estimation may feel less invasive, but it raises concerns about accuracy, bias, and reliability.
Moreover, real-world deployments often combine multiple technologies to balance those trade-offs. So instead of one clean solution, we get a spectrum of approaches.
The policy landscape
The second major complication is the regulatory landscape, which is changing quickly.
Age assurance requirements are appearing in legislation around the world. For example:
- Several U.S. states have passed laws requiring age verification for certain online content.
- The United Kingdom’s Online Safety Act introduces new responsibilities for platforms.
- In Europe, age assurance is increasingly tied to digital identity wallets and credential frameworks.
- Australia has proposed and implemented similar restrictions around social media access.
The details vary by jurisdiction, but the direction is clear. Platforms are expected to determine whether users meet age thresholds before granting access to certain services.
That naturally leads to the next question: how are they supposed to do that?
Where checks happen
From a technical perspective, age checks can happen in several different places.
One option is platform-level verification, where the service itself asks the user to upload an identity document or submit biometric information.
Another option is third-party verification, where the platform sends the user to a verification provider that performs the check and returns a confirmation.
A third approach uses digital identity credentials. In that model, a trusted issuer provides a credential that includes an age attribute, and the user presents that credential when needed.
There is also a fourth possibility that has attracted policy interest: moving age assurance closer to the browser or device layer, so software intermediaries can mediate the check.
Each architecture has different implications for:
- Privacy.
- Interoperability.
- Deployability.
- Internet-scale implementation.
Standards and systems
Age assurance also sits within a surprisingly broad standards ecosystem.
Some frameworks focus on governance, such as IEEE’s 2089 series, which outlines principles for age-appropriate digital services and age verification systems.
Other standards focus on identity proofing, including European specifications such as ETSI TS 119461 for remote identity verification aligned with the eIDAS framework.
Biometric systems may also rely on standards for presentation attack detection, which helps determine whether a sample comes from a real person rather than a photograph or deepfake.
In addition, privacy standards remain central because personal data has to be protected during the verification process.
The important point is that age assurance is not a single technical problem. It touches identity proofing, biometrics, privacy engineering, and regulatory compliance all at once.
The real-world problem
In practice, existing age restrictions are often easy to bypass.
Many platforms still rely on self-reported birth dates, and that is not a strong safeguard. If you have ever watched a 12-year-old set up an account online, you already know how effective that approach is.
Research on children’s social media use has found that a large majority of children under 13 still manage to create accounts despite formal platform restrictions.
That gap between policy and practice is one reason stronger age verification systems are being proposed.
However, stronger verification introduces a different set of risks. Many of the proposed systems require users to upload identity documents, submit biometric scans, or otherwise share personal information.
Civil liberties organizations have raised concerns that these mechanisms could create centralized repositories of sensitive identity data.
That is effectively a honeypot when the goal is to protect minors.
Poorly designed systems could also introduce:
- Data breaches.
- Identity theft.
- Unintended surveillance.
So the challenge is not only verifying age. It is verifying age without creating a permanent record of who accessed what online.
Privacy-preserving options
This is where digital identity technologies begin to offer more promising options.
One idea is cryptographic credentials that allow selective disclosure of attributes. Instead of presenting a full identity document, a user could present a cryptographic proof that simply confirms a statement like, “age is greater than or equal to 18.”
That means:
- No name.
- No address.
- No ID number.
Just the attribute needed for the transaction.
Mobile driver’s licenses and verifiable credential systems are exploring this kind of functionality. In theory, that could support privacy-preserving age verification.
Still, several questions remain:
- Do you trust the issuer?
- Can the credential be revoked?
- Is the device secure?
- Is the system interoperable with other ecosystems?
Those issues have to be resolved before these systems can be widely deployed.
Adoption and incentives
Even when the technology works, adoption is not automatic.
Platforms want solutions that are:
- Reliable.
- Affordable.
- Easy to integrate.
Governments often have their own expectations about assurance levels, while users usually want as little friction as possible.
That means the ideal solution is hard to achieve. In other words, you often have to pick two out of three.
At this point, the technical question starts to run into a practical one: how do you build something that actually works for everyone?
Broader policy effects
There is also a broader policy dynamic to consider.
Age verification is often framed as a child safety issue, and that is difficult to argue against. However, the infrastructure built to enforce age restrictions can reshape how identity systems work across the internet.
Once a system exists that can verify age attributes, it becomes technically possible to reuse it for other eligibility checks, such as:
- Voting eligibility.
- Location restrictions.
- Professional certifications.
- Other attribute-based requirements.
None of those uses is necessarily inappropriate. But they show how infrastructure designed for one purpose can gradually expand into others.
Over time, capabilities accumulate. Systems built for a narrow problem often become broader platform services.
Design principles
For organizations that may soon face age assurance requirements, a few design principles stand out.
First, collect as little data as possible. Data minimization should remain a core principle.
Second, whenever possible, prefer attribute proofs over identity disclosure. Confirm the necessary fact without exposing unrelated information.
Third, avoid creating centralized databases of age verification events whenever possible. Those systems create significant privacy and security risks.
Finally, remember that age assurance works best within a broader ecosystem that includes:
- Digital literacy.
- Parental support.
- Thoughtful regulation.
- Platform accountability.
Technology alone is not enough to solve a complex social problem.
Closing thoughts
Age assurance is becoming one of the most interesting intersections of identity, privacy, and internet governance.
For digital identity professionals, it may also be a preview of the next phase of how identity systems interact with the web itself.
The technical solution may turn out to be the easier part. The harder part is deciding what society wants to build, how it should be governed, and how long those decisions will shape the web.
Thanks for your time. Looking forward to coming back next week.
And that’s it for this week’s episode of the Digital Identity Digest. If it helps make things a little clearer, or at least a little more interesting, share it with a friend or colleague and connect with me on LinkedIn at hlflanagan. If you enjoyed the show, subscribe and leave a rating and review on Apple Podcasts or wherever you listen to podcasts. You can also find the written full post at sphericalcowconsulting.com.
Stay curious, stay engaged, and let’s keep these conversations going.
