Over recent months, there’s been growing buzz in the industry about privacy-preserving ways to prove age online. Device-bound age tokens, passkey-binding and cryptographic signals that confirm someone is “over 18” without sharing any identity details are increasingly being discussed as if they’re brand new ideas.
It’s great to see this conversation picking up. The online world needs ways for people to prove their age in seconds, with minimal data and maximum privacy.
But it’s worth adding a bit of context.
Yoti age tokens have been around since 2019
We introduced Yoti age tokens back in 2019. These are lightweight, privacy-preserving proofs that someone has passed an age check using Yoti. Once a successful age check takes place via our Age Verification Service (AVS), an age token can then be created and stored locally on a browser or device.
We offer over 10 different age-checking methods, with the most popular being facial age estimation, identity document verification and Yoti Digital ID. Since launch, millions of people every month have generated Yoti age tokens to prove their age around the world.
Today, those tokens are accepted by regulated adult platforms, social media sites and even some retailers. We issue them at scale alongside the 1 billion age and identity checks we’ve now completed globally.
So the idea of a reusable, privacy-preserving age token that can be used across multiple sites is neither theoretical nor new. It’s been quietly operating in the real world for years.
Binding age tokens to passkeys
Age tokens work well on their own, but we can also allow people to anchor them to a passkey on their device. A passkey is a secure, device-based sign-in method that replaces passwords, using biometrics or a PIN. Once a token is anchored to a passkey, it becomes a Yoti Key, cryptographically tied to the device and fully controlled by the user.
This binding step is important. It keeps the age proof persistent even when someone uses private browsing modes that normally clear local storage. It also ensures the individual – not Yoti, not a third party – remains in control of the credential.
It’s encouraging to see industry discussion starting to catch up. Passkey binding is a powerful way to make privacy-preserving age proofs practical and usable at scale.
Privacy by Design
Our tokens are deliberately privacy-preserving, to a degree that might feel counterintuitive. Once a token is issued, we can’t track it. We don’t know where it goes, how often it’s reused, whether it’s still present or if it’s ever presented again.
If someone browses in incognito mode, the token disappears at the end of the session. If they bind it to their passkey, it persists on their device. But even then, we never see that chain of events. Not knowing is the point.
At Yoti, we don’t see this as a limitation. It’s a deliberate design choice to maximise privacy. If the industry is serious about data minimisation, anonymity and preventing cross-site profiling, verifiers shouldn’t track where tokens are used.
We verify once. The user chooses how to reuse.
Businesses can choose the ‘type’ of age token or Yoti Key to accept
Just as users control how they reuse their age token or Yoti Key, businesses can decide which type of age token or Yoti Key they’re happy to accept, so that they meet the minimum effective standard for an age check.
For example, some businesses may decide to only accept age tokens created through identity document verification and matched to a live selfie with face matching, document authentication and injection attack detection. Others may choose not to accept age tokens created from inference approaches like email age estimation.
This flexibility lets businesses balance regulatory compliance with user privacy, giving them confidence in the age proof whilst respecting minimal data use. We’ve made our Age Verification Service as configurable as possible, so businesses can meet the regulatory requirements of each jurisdiction where they operate.
Scale beats theory
One of the challenges in this space is that many privacy-centric models sound great in a white paper, but behave very differently at real-world scale. Operating Yoti age tokens for six years across millions of users, heavily regulated sectors and multiple countries has taught us a lot:
- Online platforms subject to regulation use them today.
- Hundreds of thousands of people create them daily.
- Millions of people per month generate them as part of their age verification journey.
One challenge we’ve overcome at scale is ensuring tokens remain secure and usable across multiple devices and browsers, while keeping verification instantaneous.
The Yoti Age Network also includes the Yoti Digital ID wallet, with 21 million downloads
Alongside our age tokens and Yoti Keys, there’s a growing network of people who have chosen to download the Yoti Digital ID app to prove their age. Users confirm their age by either scanning an identity document or using facial age estimation. When it comes to proving their age, they then simply share their ‘age over’ attribute (like 18+).
Over 21 million people globally have downloaded the Yoti Digital ID app, with many using it regularly to prove their age online. This shows that adoption is widespread, and people are comfortable using secure, privacy-preserving methods across multiple platforms.
Where this goes next
Our company vision since 2014 has been simple: people should be able to prove who they are simply by being themselves.
We’ve already completed over a billion checks and continue to perform millions more every week to support age-appropriate design and access for services around the world. At the same time, we recognise that an increasing number of countries are exploring this space as they consider restricting access to a broader range of goods and services.
We’re ready to support this growing demand, helping governments, businesses, regulators and users adopt privacy-first age checks at scale. If you’d like to find out more, get in touch.


