How do you check age online?
Currently, age verification checks (to the standards defined by ISO 27566), can be conducted using any of the following methods, either alone or in combination.
Different methods (or combinations) offer more or less confidence in the accuracy of the result – this is referred to as the “level of assurance”.
blank
Government ID Documents (Passport, Driving Licence, National or Military ID Card)
This method uses remote Electronic Identification Validation Technology (eIDVT) to verify physical, photographic identity documents such as passports, driving licences, national ID cards or military ID. The date of birth and photo are captured either visually (using optical character recognition (OCR) of the machine-readable zone (MRZ)) or by reading an embedded chip using near-field communication (NFC). The user takes a selfie which is then compared to the document image to confirm that the ID belongs to the person presenting it. Some systems require a video or a series of photos in quick succession to help prove “liveness” and guard against presentation attacks (using downloaded images of IDs, photos or masks etc.)
Mobile Phone account records
Method 1. This method accesses user information held by mobile network operators to confirm the registered age of the account holder. It can be particularly effective for contract phones but may be less reliable for pay-as-you-go accounts or where the phone is registered to a parent or guardian. In some jurisdictions, such as the UK, only adults can remove blocks to adult content, so this can also be used to infer age.
Method 2. This method estimates the age of a user by analysing the other online services where that user’s provided mobile / cell number has been used. It can suggest whether a user is likely to be over or under certain ages with a high degree of accuracy. The user may be asked to enter a code sent to the phone to prove it is under their control.
.
Credit reference agencies and other private sector databases
This method uses data held by credit reference agencies, such as Experian, Equifax or TransUnion, to verify the individual’s age. If the person has an established credit record, their date of birth can be confirmed against the information held on file. This method is generally only effective for individuals aged 18 or over who have engaged in some form of credit activity. Authentication can be achieved by confirming knowledge of data stored in the user’s record e.g. the amount of a recent mortgage payment, or only using the check when age-restricted goods are delivered to the addressed associated with the same record.
Credit Card
A credit card may be used to infer age in jurisdictions where they are only issued to adults. . It is not universally reliable, as some cardholders may be under 18 e.g, with a card guaranteed by a parent. Two-factor authentication systems already in use by many payment networks, or a micropayment that will show on the credit card owner’s statement, alerting them to use by a third party (albeit after the fact) confirm the user is the true owner of the credit card.
Open Banking
With the user’s consent, this method accesses verified information from their bank account using secure APIs regulated under the UK’s Open Banking framework. The date of birth on record with the bank can be used to confirm the user’s claimed age. This method does not share any financial transaction data or give access to funds.
Facial Age Estimation
Facial analysis algorithms estimate a user’s age based on biometric features in a selfie or live video. These are converted into a mathematical map of the face. That is compared to thousands of maps of faces of users with a known age. This method provides an approximate age, and is becoming ever-more accurate.
It can be used to determine whether someone is clearly over (or under) a certain threshold (e.g. 18 or 25) by adding (deducting) a “buffer” e.g. to check someone is definitely over 18, the software may only pass people it estimates to be at least 21. In these cases, those who are in fact over 18 but do not appear over 21 are offered alternative age verification methods. For some use cases, an approximate age may be sufficient, so no buffer is applied.
Voice Age Estimation
This emerging method analyses vocal characteristics such as pitch, resonance and speech patterns. These are compared to thousands of voice records of users with a known age to estimate a person’s age. It is currently less exact than facial age estimation and typically used in lower-risk scenarios or combined with other signals.
Hand Gesture Estimation
Hand Gesture Estimation algorithms estimate a user’s age based a live video of the user moving their hand as instructed. This movement is compared to that of thousands of users with a known age. This method provides a reliable prediction about whether the user is above a defined age.
Open Banking
With the user’s consent, this method accesses verified information from their bank account using secure APIs regulated under the UK’s Open Banking framework. The date of birth on record with the bank can be used to confirm the user’s claimed age. This method does not share any financial transaction data or give access to funds.
Age Inference
This is another artificial intelligence solution which assesses the likely age of a user based on their online behaviour. Estimates are based on a user’s online public profile and how they interact with an online service – their interests, their friends, their school etc. It is limited by access to personal data, which for a new user will not exist on the service they are accessing.
Physical Check
This is where a user is enrolled into an age verification scheme in person. They may be asked to produce a physical proof of age which is checked by a trained member of staff when doing so, or it could be left to the judgement of staff based on a “Challenge 25” approach, with users closer to the age they are claiming required to provide some additional proof.
Professional Vouching/Vouching
A recognised professional, such as a teacher, GP or solicitor, confirms the age or age-range of an individual, usually through an online reference. This method is rarely used at scale but can be appropriate in specific contexts where other age assurance routes are unavailable, and guarantees accessibility and inclusivity.
Account holder confirmation (verified parental consent in the USA)
Parental Consent services enable compliance with laws requiring a parent or legal guardian to give verifiable consent before a child can access certain digital services, such as games or social media. These services are designed to ensure that permission is obtained before children engage with platforms that may collect or use their personal data, under regulations such as GDPR in Europe and COPPA in the USA. Typically, methods seek to confirm that the person giving consent is both an adult and legally entitled to do so.
Attestation / self-declaration
This is not considered a method of age verification, but can provide a starting point for the process, and in some cases where there is no risk in believing the answer given is accurate, it may still be fit-for-purpose.
Self declaration is simply asking users to tick a box, or enter their age or date of birth – without any additional checking against other data sources.
Technical measures can reduce the risk slightly – for example, allowing any year of birth to be entered, not only a year from before which the user would meet the site’s minimum age requirement, or preventing users applying trial and error by repeatedly amending their age until they are admitted.
Reusable Digital ID
This approach allows the user to create a secure digital identity or age credential on their own device. Once set up, the user can choose to share their age or age-range with a digital service. To confirm the identity matches the original record, the user may be required to authenticate using a PIN, password or biometric method such as facial recognition or a fingerprint.
Electoral Registration
Where permitted, this method checks details provided by the user against the public electoral roll. This can confirm name, address and date of birth. Authentication is not directly feasible, but this method may be sufficient for some use-cases e.g. delivery of age-restricted goods to the address associated with the user on the electoral roll.
Email Age Estimation
This method estimates the age of a user by analysing the other online services where that user’s provided email address has been used. It can suggest whether a user is likely to be over or under certain ages with a high degree of accuracy. The user may be asked to enter a code emailed to the inbox to prove it is under their control.
Liveness Check
This is not a method in its own right, but is an additional safeguard against fraud, where a user is asked to take a photo or a video of themselves, and may be asked to say some specific words or phrases, so this can be compared with identity documents, or previously recorded data to ensure a match. It prevents the use of still images and other ways users may try to circumvent age checks.
How accurate are these methods?
Each of these, alone or in combination, verify age to a different ‘level of assurance’. Regulators can determine the level of assurance they require for each use. So to view an 18 rated film, it might be deemed sufficient to rely on a credit reference agency based check. But to buy a knife online, the requirement may be for a government issued identification document to be used, its chip interrogated and facial recognition software applied to ensure that the person making the purchase at that time is the same person to whom the ID document was issued. For details on standards and levels of assurance, click here.