Jun 23, 2026

The State of Age Verification in 2026

In the name of keeping children away from adult content, governments are pushing platforms to collect identity data on everyone using the internet. Platforms touching adult content, social media, gambling, and increasingly, any user-generated content now have to verify age, and the method each picks decides how much data it holds, where it sits, and how big a target it becomes.

Most of the solutions on offer today have fundamental flaws.

Why now

The honour system (self-policed "check the box" verification methods) held previously because the alternative meant friction and lost users, and regulators were content to let platforms self-police. Over the last several years, the societal impact of social media and seemingly more press coverage of the internet's darkest corners pushed a change of heart for regulators across the world. Age verification became a legal mandate in many places, with many more fast following.

In the UK, the Online Safety Act 2023 requires highly effective age assurance for adult content and a widening list of social features, enforced by Ofcom with real financial penalties. In the EU, the Digital Services Act obliges platforms to protect minors, and the eIDAS 2.0 framework has put the European Digital Identity Wallet on the critical path, with age verification as a cornerstone use case.

In the US, a patchwork of state laws now covers Texas, Louisiana, Utah and more than a dozen others, and in June 2025 the Supreme Court upheld Texas's age verification law. Australia has legislated a social media ban for under 16s. France, Germany and others are moving at different speeds, but in the same direction.

The result is the same across much of the world. Platforms that could previously ignore the age question can now be held legally responsible for not answering it appropriately.

Legacy age verification techniques

Three approaches dominate production today. Each one has major flaws, either failing to work correctly or collecting far more private information than the question requires.

Self-declaration

The checkbox is still everywhere. It is legally insufficient in most jurisdictions. No modern regulator accepts it on its own.

ID upload and manual review

Users photograph a passport or driving licence and a human or automated system checks it. Accuracy is high, but the byproduct is toxic. These systems result in centralised databases of verified government IDs, immense honeypots that are there for the taking.

As just one example of a digital platform that should never have held private information on its users: in October 2025, government ID photographs belonging to around 70,000 Discord users were exposed in a breach. Storing identity documents at scale has become a standing liability, with GDPR penalties for serious processing failures running into the hundreds of millions of euros.

Third-party identity platforms

Services like ID.me in the US, or national platforms like DigiLocker in India and BankID in the Nordics make verification fast once a user is onboarded. The real cost is data concentration and vulnerability. One platform holds verified identity for many organisations at once, so a single breach exposes all of them.

The 2024 National Public Data breach is a cautionary case. A US background check provider aggregating personal data from many sources was breached, exposing roughly 2.9 billion records including names, addresses, dates of birth and social security numbers. None of the businesses relying on that provider were hacked themselves. Their users were exposed anyway.

The common thread is collection. Every store of identity data is a target, and across enough platforms and enough years, the odds that none of them is ever breached fall to zero. Most of these companies are competent. It does not matter. When one person hands the same identity data to hundreds of services over decades, a breach somewhere becomes essentially guaranteed.

New types of age verification

The legacy model comes down to one bargain: hand over your ID and trust the platform to keep it safe. Its shared flaw is disclosure, forcing the user to reveal far more than the age question requires. The newer approaches refuse that bargain. Their shared aim is to answer the age question while learning nothing else. Two of these approaches have moved from concept into real deployment, and they take opposite routes to arrive there.

Biometric age estimation

Biometric age estimation skips documents entirely. A vendor like Yoti, VerifyMy or Incode takes a short selfie and returns an estimated age range, with no government ID and no account required. Ofcom has explicitly certified facial age estimation as highly effective age assurance under the Online Safety Act. It is the most widely deployed of the new methods in UK adult content compliance today.

The convenience of this method is high, but its limits are just as real. Yoti, one of the leading providers in the space, publishes its own accuracy figures: for the 18-to-24 age group, they report a Mean Absolute Error of 2.1 years, a meaningful margin when the question is whether someone is 16 or 18. Some users also object to having their face processed at all, even when the image is claimed to be discarded afterwards.

Zero-knowledge proofs

Zero-knowledge proofs take the opposite route. Rather than estimate age, they prove a fact from a genuine document while revealing nothing else. Users can prove that they are over 18 without disclosing date of birth, name, or anything else the document holds. The platform receives a yes or no, and that is all it ever sees.

In practice, this works because it runs directly on the user's device rather than on an external server. An app such as ZKPassport reads the chip inside a passport or national ID, confirms the document is genuine using the same standard as airport eGates, and generates a proof that answers only the question of whether the user is over 18 with a binary yes or no. Only this proof leaves the phone; the underlying data never does.

The practical constraint is coverage: the method requires a government-issued document with an NFC chip. Not every user holds one, and that ceiling on who can use it today is the most concrete adoption friction, though it narrows as chipped passports and national IDs become more widespread.

The strongest signal of adoption here is the EU. The European Digital Identity Wallet, the reference implementation of eIDAS 2.0, is being built with proof of age as a cornerstone, and a public subcomponent applies zero-knowledge circuits directly to passport and national ID data, the same pattern open source projects including ZKPassport already run in production. Recognition elsewhere is still in progress. It works today. What it lacks, outside the EU, is formal regulatory certification, which is the real open question for the method rather than whether the cryptography holds.

Comparing age verification approaches

Biometric age estimation has the lightest user journey and the clearest regulatory acceptance today. Its weakness is accuracy at the threshold, and the fact that it provides a probabilistic answer rather than a definite one.

Third-party identity platforms are fast once a user is enrolled and work well for adults who already hold an account. However, the same concentration that makes them convenient makes them a single point of failure.

Zero-knowledge proofs from government-issued IDs offer the strongest privacy position, government-backed credentials, and a scan-once-prove-anywhere model. The costs are document coverage (it only works for users who hold an NFC-chipped government ID), integration on the verifier's side, a credential ecosystem that is still early, and formal regulatory recognition that exists in the EU but not yet much beyond it.

Where this is heading

The direction of travel is consistent across both tracks. Regulatory pressure keeps rising, and the bar for acceptable age assurance rises with it. Over the long run, the methods that store the least data will win, because the alternative: a centralised database of verified IDs behind every service a person uses, is both a security liability and politically fragile once people grasp what it involves.

For anyone building this year, the decision that matters is which underlying approach the web converges on. Individual vendors come and go on top of that. The clearest institutional signal is the EU: the European Digital Identity Wallet specification incorporates zero-knowledge proof components for age verification, a pattern ZKPassport already runs in production. That is not yet a mandate, but it is the most significant public commitment to this approach so far. Whatever you ship, ship it expecting that to be the baseline it has to interoperate with.

If you are building age verification into your platform, ZKPassport is the production version of what the EU is standardising around. To talk through how it might fit for your use case, reach us at company@zkpassport.id.