
Interoperable Age Assurance

As demand for age assurance grows rapidly around the world, attention is increasingly turning to how this can be delivered more conveniently and cost-effectively, through interoperability, making a single age-check re-usable across multiple platforms.

In this article, we provide an introduction to the main options that have emerged so far. We will endeavour to keep this page updated and invite those behind each solution to propose any edits to ensure a neutral, fair and accurate depiction of these different approaches.

There are seven options with which we are familiar (but we welcome additions if we have missed any):

  1. AgeAware from euCONSENT ASBL
  2. AgeConnect from Yoti
  3. AgeGraph from KWS
  4. OpenAge Initiative from k-ID
  5. Apple App Store
  6. Google Wallet
  7. EU AV Solution

These differ in terms of the technology used, the commercial model, the standards applied, and how liability is allocated (or avoided).

There is a comparison table at the end of this article, but it is only a summary. It is essential to read the detail below and to refer to each network directly for the latest, comprehensive information, so links are also provided.

AgeAware from euCONSENT ASBL

AgeAware is an interoperability network developed by euCONSENT ASBL, a non-profit association based in Brussels, to allow verified age checks from one provider to be recognised by others in a privacy-preserving way. It was initially conceived with support from the European Commission and further developed with funding from the Safe Online initiative.

When a user completes an age check with a provider participating in the network (or using a method offered by other participating providers), the user can accept an AgeAware token that confirms their age status (for example, 18+) without revealing personal information. The token is signed and can be verified as coming from a known trusted issuer. Other participating providers can accept this token as evidence of age, reducing the need for repeated verification across different platforms and services.

The network operates on a “double-blind” chain of trust: platforms never see the user’s identity, and verification providers do not know which websites or apps are accepting the tokens. Each transaction is cryptographically signed and auditable, but no personal data is shared.

Participation is open to any certified age-assurance provider that meets euCONSENT’s accuracy, interoperability and privacy requirements, derived from international standards and local regulatory requirements. Liability and assurance are managed through euCONSENT’s governance framework and independent certification of members.

Platforms continue to contract with one or more age assurance providers, and the providers pay commission to one another for the re-use of their age checks, with a tallying service supplying the volume data required. Pricing is set through an open and competitive market, completely independent of euCONSENT.

For further information: https://euconsent.eu/interoperability-through-ageaware-from-euconsent/

Age Connect from Yoti

Yoti acts as a network facilitator enabling proof of age from certified* third-party providers to be stored securely on a user’s device using “Yoti Keys”. This leverages standard technologies such as passkeys to bind an anonymous age token directly to a user’s device, allowing the credential to be reused across different apps and websites without repeating the verification process.

This allows a relying party that needs to check a user’s age to send a request and set criteria for the credentials it will accept, such as the minimum age threshold (e.g., over 18), the specific verification method used, and how recently the check was performed. If the user consents by unlocking their passkey, the device shares the anonymous token. The response is returned in a standardized format, allowing the relying party to verify its authenticity and ensure it was generated by a trusted issuer.

Because the solution is double-blind, the relying party receives only a confirmation that the age condition is met, without ever learning the user’s identity or receiving personal data. Furthermore, the token issuer cannot see which specific service the user is accessing. Yoti’s network allows multiple certified Age Assurance Service Providers to mint and consume these tokens, creating an open marketplace where issuers can independently set the price for their token’s reuse.
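A relying-party check of the kind described above (trusted issuer, age threshold, verification method, recency), as an added example that is not Yoti's, euCONSENT's or any other network's code or token format. The claim names (`iss`, `age_over`, `method`, `checked_at`), the issuer id and the choice of Ed25519 are assumptions made for illustration; the passkey binding and user-consent step are outside its scope.

```javascript
// Added example; token layout, claim names and issuer ids are assumptions.
const nodeCrypto = require('node:crypto');

// Constructed issuer key pair. A real relying party holds only the public keys
// of the issuers its network or trust list vouches for.
const issuerKeys = nodeCrypto.generateKeyPairSync('ed25519');
const TRUSTED_ISSUERS = new Map([['issuer-a.example', issuerKeys.publicKey]]);

// Issuer side, for the demo: the claims carry no user identifier and no audience.
function mintToken(claims, privateKey) {
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = nodeCrypto.sign(null, payload, privateKey);
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Relying-party side: authenticate first, then apply the acceptance criteria.
function checkAgeToken(token, policy, nowSec) {
  const reject = (reason) => ({ ok: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 2) return reject('malformed');
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let claims;
  try { claims = JSON.parse(payload.toString('utf8')); } catch { return reject('malformed'); }
  if (claims === null || typeof claims !== 'object') return reject('malformed');

  // The iss claim only selects a key from the allow-list; it is never trusted by itself.
  const key = TRUSTED_ISSUERS.get(claims.iss);
  if (!key) return reject('untrusted issuer');
  let valid = false;
  try { valid = nodeCrypto.verify(null, payload, key, sig); } catch { valid = false; }
  if (!valid) return reject('bad signature');

  // Criteria set by the relying party: threshold, method, recency.
  if (!Number.isInteger(claims.age_over) || claims.age_over < policy.minAge) {
    return reject('threshold not met');
  }
  if (!policy.methods.includes(claims.method)) return reject('method not accepted');
  const elapsed = nowSec - claims.checked_at;
  if (!Number.isFinite(elapsed) || elapsed < 0 || elapsed > policy.maxAgeSec) {
    return reject('check too old or misdated');
  }
  return { ok: true, reason: 'accepted' };
}
```

The signature is checked before any claim is read for policy purposes, so a token whose payload was edited after issuance is rejected as `bad signature` rather than evaluated.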

Certification can include:

  1. internationally recognised standards such as (but not restricted to) ISO 27566, 27001, 9001 
  2. levels of assurance for digital ID, IDV, PAD, IAD independently tested by NIST approved testing agencies

All age providers joining the network are required to be certified to ISO 27566 within 3 months of applying to join the network, to facilitate trust for relying parties and end users issued age tokens.

For further information: https://www.yoti.com/business

OpenAge Initiative from k-ID

The OpenAge Initiative, launched by k-ID, provides an interoperable framework for reusing age assurance results across multiple websites and apps. At the core of the framework is the AgeKey, a privacy-preserving digital credential that lets users prove that they meet an age threshold without revealing their identity.

Users obtain an AgeKey primarily after completing an age assurance process directly on an age-restricted service or with a participating age assurance provider. When a platform or provider performs an age check using any approved method, it may offer the user the option to save the successful result as an AgeKey. Alternatively, AgeKeys can be created on AgeKey.org, where users can complete a verification independently if they wish. Additional issuance pathways, including mobile driver licences and wallets, are planned. AgeKeys are stored locally on the user’s device using passkey-based technology, leveraging the security and seamlessness of a very broadly adopted standard.

When a user already has an AgeKey and chooses to use it on a participating platform, the service requests the required age threshold and any filters it needs to apply to the underlying age signals, e.g. method, age-range, issuer. The user then confirms their AgeKey on their device using their usual screen lock through a standard passkey WebAuthn ceremony. A privacy-preserving confirmation is returned stating that the user meets the required age. This yes/no confirmation includes no identity data and cannot be used for tracking or matching one user across multiple services.

The double-blind design ensures that the service cannot see which provider performed the original age check or recognize a returning user, and the provider cannot see where the user later reuses their AgeKey. This prevents any tracking of the user’s activity. Each service chooses which types of AgeKey to accept by applying the appropriate filters. Pricing follows a transparent cost-recovery model.

For further information: https://openageinitiative.org/

Apple App Store

Apple’s solution operates primarily as a form of parental control rather than a recognised method of age assurance under international standards such as ISO 27566-1. It relies on a parent or guardian setting up a child’s device and providing the child’s age.

Assuming this information is accurate, different protections are then applied according to the child’s age, using the Family Organizer functionality. Apps can use the “Declared Age Range” API to request the user’s age range, which users (or their parents) can choose to share automatically, share on request, or not share at all.

For younger children, typically those under 13 — though the threshold varies by jurisdiction — Apple requires a “Child Account”. This gives parents greater oversight of their child’s activities, including whether the age range is shared and which apps have requested it, along with when and how it was used.

Participation by developers is optional. Apps that adopt this system can then tailor their features or content based on the age information provided.

There is no fee to the relying party for accessing this age-range information.

For further information: https://developer.apple.com/kids/

Google Wallet

Google has taken the role of facilitator, not verifier, enabling age information contained in credentials stored in its digital wallet to be shared by the user with apps and websites through a privacy-enhancing technology called Zero-Knowledge Proof (ZKP).

This allows a relying party that needs to check a user’s age to send a request to the wallet, and set criteria for which credentials it will accept, e.g. which issuers, formats and types of credential. If the user consents, the wallet generates a proof that the relevant age condition is met (for example, over 18). The response is returned in a standardised, digitally-signed format that lets the relying party verify its authenticity using the public key published by the credential’s issuer.

Because the solution is double-blind – the relying party cannot learn the user’s identity, and the issuer cannot see which relying party is verifying age – the issuer has no visibility of where or how often the credential is used. As a result, the issuer cannot bill the relying party for individual checks, and there is no direct contractual relationship or shared liability between them for the accuracy of the age data.

For further information: https://blog.google/products/google-pay/google-wallet-age-identity-verifications/

EU AV Solution

The EU Age Verification App (EU AV App) is being developed by the European Commission as part of the European Digital Identity (EUDI) Wallet programme. It provides a standard mechanism for users to prove their age online or in person without disclosing their identity, using verifiable credentials issued under the eIDAS 2.0 trust framework.

The app acts as a secure intermediary between the user, the credential issuer, and the relying party. When a website or service requests an age check, the app retrieves the relevant attribute from the user’s digital identity credential — for example, a national eID or an age-verification certificate issued by an accredited provider — and generates a proof that satisfies the requested condition (such as over 18 or under 16). The proof is transmitted in a standardised, digitally signed format defined by the EUDI technical architecture, and the relying party verifies its authenticity using the issuer’s public key obtained from the EU Trusted List.

The system will support privacy-enhancing techniques, including Zero-Knowledge Proofs and selective disclosure, ensuring that only the required age attribute is revealed. It is designed to be interoperable across all EU Member States and to meet the assurance and audit requirements of international standards such as ISO/IEC 27566-1 and IEEE 2089.1.

Because the exchange follows a double-blind model — the relying party cannot identify the user, and the issuer cannot see where the proof is being used — issuers do not have visibility of individual transactions. There is therefore no per-use billing model or direct contractual relationship between issuers and relying parties. However, this is effectively a government-operated solution, so it is expected that European regulators will consider it sufficient to meet legal responsibilities.

There is no fee to the relying party for requesting or verifying an age attribute, although accredited issuers could charge for credential issuance or certification services. As credentials are currently only expected to be issued by government, fees to users are not expected.

For further information: https://ageverification.dev/

Summary

Each of the approaches described above offers relative merits for different use-cases. In some situations, digital services will want a clear contractual relationship with every provider of age data on which they rely for legal compliance, conducting due diligence on the processes that confirm age, and backed by warranties and guarantees. In others, an age probably submitted by a parent or guardian may be fit for purpose. More than one interoperability solution is likely to emerge as successful, just as there are multiple global networks in the payments industry.

This page was last updated on 9 March 2025, and relies on the providers of the solutions to validate and update its content.

The AVPA cannot offer legal or compliance advice. Digital services should seek professional legal advice in each jurisdiction where they are subject to law.