Effective Age Verification: Going beyond reading a date of birth on an ID

profile picture Amba Karsondas 6 min read

Regulators around the world are recognising that more needs to be done to protect children from harmful content online. From the Age Appropriate Design Code and the Digital Services Act to the upcoming Online Safety Bill and California Age Appropriate Design Code, businesses are being required to have age-appropriate controls in place. But to do this, they need to know the age of those accessing their services. After all, if they don’t know someone’s age, they can’t protect them.

This raises some important questions. How should companies verify the ages of their users? How can they ensure age verification is effective? Should they just read the date of birth on an identity document?


Reading a date of birth is not effective age verification

It’s commonly thought that the best way to check age online is to ask people to use an identity document, like a passport or driving licence. Whilst this might sound like a sensible approach, simply reading the date of birth on a document isn’t effective as it doesn’t provide a high level of assurance. 

There are several reasons why this approach falls down:

  • A child could easily get hold of their parent’s driving licence and use this to pass an age check 
  • Someone could easily buy a fake ID on the internet
  • Someone might tamper with a real document and edit the date of birth
  • Someone might use a lost or stolen ID

Age verification against an identity document can give a high level of assurance, but only when it’s done effectively. This involves more than only reading the date of birth.

Here are some of the steps required for effective age verification using an identity document:

infographic detailing the stages of doing effective age verification with ID documents

Document authenticity checks

To verify someone’s age against an identity document, companies must conduct various checks on the document itself. These are known as ‘document authenticity checks’.

These determine if the document:

  • is a government-issued identity document
  • is valid 
  • is in date
  • has been tampered with
  • is a counterfeit
  • is a known lost or stolen document

Without this step, people could upload anything that looks vaguely like an identity document and it would be accepted. It’s relatively easy to buy a ‘novelty’ or fake document, tamper with a sample or genuine document, obtain a document from the dark web, or create a synthetic fraud.

Therefore, organisations must check various security features on documents when verifying someone’s age. On some passports, this could include checking that the information on the page matches the relevant data stored in the passport’s NFC chip. Checks can be done manually or by automated technology such as optical character recognition (OCR). This is a technology that can recognise text from a physical document, such as a passport, and make it readable electronically. There are differences in the quality of this technology though. Poor quality OCR software could misread a document. For instance, a misread date of birth can result in very high errors (such as misreading 5 as 6, 3 as 8 or 1 as 7).

In addition, some companies offer a manual review process depending on the use case and risk profile. To do this effectively, document reviewers must be continually up to date with the thousands of official documents used worldwide.


Face matching

Face matching is a very important step in the verification process. It assesses if the person presenting the document matches the photo of the person on the document. Without this step, a 10-year-old could very easily use their parent’s ID.

This step is done in the real world too. Whether it’s a bouncer at a nightclub, a bartender or a supermarket worker, someone checking an ID will look to see if the person in front of them is the one photographed on the document. It would be obvious to them if a 10-year-old was attempting to purchase alcohol with their parent’s ID.

Face matching can be done by automated technology or by trained experts known as super recognisers. Most people can match a selfie to a face in a very recent identity document. However, most individuals would struggle to correctly match a current selfie with a photo in a nine-year-old document. As such, super recognisers must undergo thorough screening and have access to continuous training. Companies should also undertake ongoing quality reviews and internal audits.


Liveness detection

Alongside face matching, businesses must be sure that the person presenting the document is a real person. This is known as a liveness check and is an essential part of an effective verification process. Without this step, someone could show a photo, video or AI-generated deepfake which matches the face on the identity document – despite it not being their own. 

There are several approaches to checking liveness, and their effectiveness and cost vary significantly. NIST provides a framework for testing performance levels of liveness. A good benchmark is NIST Level 2, which involves testing against specialist attacks such as latex face masks or 3D printers. To pass NIST Level 2, companies must detect 99% of attacks and limit false negatives to less than 15%.


So what does this all mean?

Effective online age verification is more complicated than simply asking someone to upload a document or reading the date of birth on an ID. Document authenticity checks, face matching and liveness are all needed to provide a much higher level of assurance. Without these checks, underage users could easily access age-restricted or inappropriate content using a fake or fraudulent document. Or adults could access spaces made exclusively for young people.

To find out more about effective age verification and how it may be useful for your business, please get in touch.

Keep reading

An image of a person holding smart phone in their left hand. On the phone's display is a Yoti Digital ID showing their verified credentials. In the person's right hand is their physical UK driving licence. The person is holding the two forms of ID next to each other.

From physical to digital: how we transform your ID

There can be hidden beauty in things taking on new forms. A caterpillar becoming a butterfly, water turning into wine, a physical ID transforming into a Digital ID. If you’ve ever wondered how we do it, wonder no more. As we continue to shape the future of digital identity, we’ll continue sharing our methods with you. After all, the Digital ID app is created for you, so it’s only right we let you in on the magic.   What is a Digital ID? A Digital ID is your ID on your phone and your data in your hands. It gives

5 min read
An image of a person's smartphone. The person is using Yoti's facial age estimation technology. Next to this image, the text reads: "externally audited, over 600 million age checks, used by leading brands". Underneath this list are the logos of Instagram, Aldi, SuperAwesome and Only Fans.

Age assurance: What makes for the maturity of a technology or an industry?

Last week, the Australian government decided against the eSafety Commissioner’s recommendation of a pilot before requiring adult sites to verify the ages of visitors. They said this was due to concerns about the privacy of people’s data and the maturity of age assurance technology. So what exactly would constitute a mature technology? Is it something comparable to NASA’s Technology Readiness level? This suggests the technology needs to have gone through a thorough process of research and prototyping, before testing in a live environment and then ultimately rolling it out. If that’s the case, we can say that Yoti and other

7 min read
An illustration of a padlock with the Yoti logo sitting at the centre. Alongside this are three smaller icons showing that the app is free (represented by a crossed out pound sign), cannot be hacked (represented by a crossed out pickaxe) or seen by any third parties (represented by a crossed out eye)

How we keep your Digital ID private and secure

We’re committed to making the digital world safer for everyone. Yoti was created as we wanted to give every person a secure way of proving their age or identity. It’s quite literally why we exist. So it only made sense that we’ve built our Digital ID app with privacy and security at its core. We’re building technology that makes it easier and safer for you to go about your business, but that doesn’t mean we have to know your business. Just as the right to an identity is a fundamental human right, so is the right to privacy. And we’ll

6 min read