Age assurance methods for worldwide compliance
Age-based regulations are evolving worldwide. While many people are already familiar with self-attestation forms for accessing adult content, the scope and approved methods of age assurance continue to expand due to evolving regulations worldwide. These regulations include the UK's Online Safety Act, which was accompanied by a set of highly effective methods to gauge age, and Australia's Social Media Minimum Age Act that places guardrails around what digital content children have access to.
Companies need to continuously evaluate what age assurance methods work best for their users.
What is successive validation?
Successive validation is a layered approach to age assurance where multiple verification methods are presented sequentially to balance user experience with confidence levels. Putting it another way, it offers users different options to present evidence of age.
How successive validation improves access to age-restricted services
There's no single age assurance method that is guaranteed to work for your entire audience.
Let's use government documentation as an example. While it may be the most common form of certification to prove that someone is an adult in person, government documentation alone isn’t sufficient for this new wave of regulations. These reasons include:
Having recently moved to a new country and not having gotten a valid government ID yet
Not being of sufficient age to qualify for particular forms of government ID (e.g., driver’s license)
Some regulatory guidelines, such as those provided by AU’s Social Media Minimum Act, state that government ID cannot be relied on by providers as the sole options for end-users, to curb unfair discrimination
To maximize the number of users who can verify their eligibility for age-restricted services, implement successive validation (a waterfall approach), where multiple age-assurance methods are offered in sequence to establish an age-assurance outcome.
Example of a waterfall approach to age assurance
Consider a social media platform that needs to check if a user is 16 or over. Here's how they could apply two age assurance methods, with one being a fallback if the first one presents an indeterminate result:
Start with selfie age estimation: Selfie age estimation analyzes a user's selfie to determine if they appear over 16 as the first step. While most adult users will pass quickly, some users may appear to be close (e.g. within 3 years) of 16.
Escalate to government ID/documentation: To achieve a higher assurance level that a user is over 16, you may request a government-issued ID that contains a photo for face matching and a birthdate that allows you to determine the user’s age.
Using these two approaches in succession improves the social media platform’s ability to meet compliance regulations while minimizing user friction where possible.
Understanding the different age-assurance methods and their considerations will help you curate the best end-user experience.
Types of age assurance methods
| Method | Description |
|---|---|
| ConnectID | Fetches verified age information from a user-selected bank, with secure authentication facilitated via ConnectID. |
| Credit-card based age verification | Confirms ownership of a valid credit card. |
| Database age verification | Cross-verifies existence and birth date of users through official authoritative, issuing, and source databases. |
| Email-based age inference | Infers age using an evidence-weight model to assess the likelihood of an email owner's age. |
| Government ID / document verification | Calculates age through birthdate extracted from submitted documentation. Persona recommends pairing this with selfie verification for increased assurance. |
| Phone number-based age assurance | Uses records provided by mobile network operators to verify whether a user is over 18. |
| Reusable Persona | Simplifies reverification across vendors using a portable proprietary digital identity created by Persona. |
| Selfie age estimation | Estimates age through a user-provided selfie image with built-in fraud (e.g. deepfake) prevention. |
Age assurance methods detailed overview
ConnectID
ConnectID is a secure data-sharing framework that enables users to extract and share information from their bank accounts, particularly their birth date and name, for age verification purposes. The system uses financial institution records to confirm age without requiring government ID presentation.
Who it works for: Individuals who have Australian bank accounts
Considerations
Coverage may vary for 16 to 17 year olds based on bank account penetration
This is only primarily applicable in Australia where ConnectID infrastructure exists
Excludes users who don't have active bank accounts
Credit-card based age verification
Credit card-based age verification confirms whether a user is over 18 by validating that they possess a legitimate credit card from a country where credit card ownership requires being 18 or older. The system verifies the card is genuine by applying a temporary charge, confirms it's a credit card (not a debit card), and validates the card’s origination from an eligible country.
Who it works for: This method may verify any adult who is over 18 in a country that requires credit card owners to be 18 or older. While this method may verify any adult who is over 18 in a country that requires credit card owners to be 18 or older, it may not be applicable to every regulation
Considerations
Geographic limitation: Credit-card based verifications may not be available in all jurisdictions.
Excludes populations without credit cards (e.g., younger adults, unbanked individuals)
Temporary charge may cause friction for some users
Database verification
Database verification cross-references user-provided information (name, date of birth, address, phone number, email) against authoritative or issuing databases, such as government records, credit bureau databases, or public records, to confirm the user's age.
Who it works for: Individuals with established records, such as those with credit history or long-term residency in a given country.
Considerations
Databases available in each country may vary
Some users (young adults, recent immigrants, individuals without credit history) may not be available in credit databases
Requires collection and processing of multiple PII data points (e.g., name, date of birth, address, identification number)
Email-based age inference
Email-based age inference analyzes digital signals associated with a user's email address — such as email account age, online activity patterns, digital footprint, and behavioral metadata — to assess the likelihood that a user exceeds specific age thresholds (e.g., 16 or older, 18 or older).
Who it works for: Users with established email accounts that have sufficient digital history and activity patterns to generate reliable age signals.
Considerations
Coverage varies dramatically based on email quality (newly created emails or disposable addresses yield poor results)
Requires two-factor authentication (2FA) to ensure email ownership
Government ID / document verification
Government ID verification extracts the date of birth from a valid government-issued document (e.g., a driver's license, passport, or national ID card) to confirm the user's age.
Who it works for: Individuals who possess valid government-issued identification documents. However, ownership eligibility ages vary by document. Passports, for instance, are often available much earlier than driver's licenses.
Considerations
Variable coverage for younger audiences who may not yet have government IDs
Some jurisdictions require government document verification NOT be the only available method (e.g., Australia)
Comes with the risk of minors using stolen or borrowed IDs if not paired with selfie verification
Excludes users without government IDs
Phone-number based age assurance
Phone-based age verification uses subscriber data associated with a phone number from mobile network operators (MNOs) to verify whether a user is over the age threshold.
Who it works for: Individuals 18 or older with mobile phone contracts in countries (e.g., the UK) where MNOs maintain age records on every phone number holder.
Considerations
Geographic coverage depends on country regulations. For example, this works in the UK, where per-line data is availabl, but is limited in the US, where only account holder information is accessible.
Does not cover voice over IP (VOIP), prepaid, or temporary phone numbers due to registration visibility from MNOs
Requires two-factor authentication (2FA) to ensure phone ownership
Reusable Persona
A Reusable Persona is a secure, passkey-protected digital credential that stores a user's previously verified identity information (such as age status). After initial verification, users can re-authenticate using device passkeys (e.g., Face ID, Touch ID) without re-submitting documents.
Who it works for: Users who have previously completed age verification through Persona and want simplified reverification for future interactions.
Considerations
Does not provide initial age assurance, but can streamline subsequent checks
Depends on device capabilities (passkey support, biometric hardware) which may be limited based on age of device
May require users who clear device data or switch devices to reverify
Selfie age estimation
Selfie age estimation analyzes facial features from user-submitted selfies to estimate whether the individual meets specific age requirements. Strong systems also check for spoofing, presentation attacks, and AI-generated images to ensure authenticity.
Who it works for: Any user with a smartphone camera or webcam.
Considerations
May need to provide fallback options for users close to age thresholds to minimize the risk of false positives and false negatives
Facial data collection creates an additional aspect of privacy data to redact
Considerations for choosing the right age assurance method
The best age assurance strategy depends on your user base, use case, and relevant regulatory requirements. Consider these factors when building your approach:
Regulatory requirements: Different regulations have different standards for acceptable methods, which are partially dependent on age requirements.
User demographics: Younger users may not have government IDs or credit cards, making methods like selfie age estimation or email-based inference more appropriate as first steps.
Geographic coverage: Some methods only work in specific countries. In countries like the UK, credit card ownership implies the holder is 18 or older. This inference is invalid in the US, where there is no minimum age requirement for ownership.
User experience: Some methods may be seen as adding more friction to the age assurance process compared to others.
Persona — a trusted partner in age assurance
Persona has already helped customers such as Reddit and OpenAI implement age assurance methods to address regulations, such as the UK Online Safety Act and Australia's Social Media Minimum Age Act.
Our age assurance technology is independently certified by several globally recognized auditors, including:
iBeta (ISO 30107-3 Levels 1 & 2)
Germany's KJM (Kommission für Jugendmedienschutz)
UK's Age Check Certification Scheme (ACCS)
Ranked top two in Australia's Age Assurance Technology Trial
These validations enable product teams to build compliant experiences while providing compliance teams with defensible audit trails for ISO 27566-1 and regulatory standards.
We'd love to share how organizations across different industries have approached implementing age assurance methods tailored to their unique user bases, and how you can do the same for your users.
