There are five main approaches to verifying a person's age online: facial age estimation, document upload, credit bureau database checks, mobile network operator checks, and bank-verified identity.
Each method meets the same regulatory objective, confirming whether a user is above a required age threshold, but they differ substantially in what they ask the person being verified to do, what data they collect, how accurate they are, and how they affect the business deploying them.
Ofcom's guidance on highly effective age assurance, published under the UK Online Safety Act, lists all five approaches as capable of meeting the required standard. The choice between them is not primarily a compliance decision. It is a commercial decision about what experience a business wants its customers to have.
Before examining each method in detail, the table below summarises the key differences across the dimensions that matter most: what the user has to do, what data is collected, and what the commercial implications are.
|
Facial Age Estimation |
Document Upload |
Credit Bureau Check |
Mobile Network Operator |
Bank-Verified Identity |
|
|
What the user does |
Takes a selfie or enables camera |
Photographs and uploads passport or driving licence |
Provides name and address (often invisible to user) |
Provides mobile number and gives consent |
Selects bank, logs in, gives consent |
|
Time to complete |
10-30 seconds |
1-5 minutes (longer if image fails) |
Near-instant (background check) |
10-30 seconds |
Under 30 seconds |
|
Documents required |
None |
Passport or driving licence |
None |
None |
None |
|
Biometric data captured |
Yes (facial photograph) |
Yes (document photo, sometimes selfie match) |
No |
No |
No |
|
Result type |
Probability estimate (approximate age) |
Binary confirmation (verified date of birth) |
Binary confirmation (from database) |
Binary confirmation (from MNO records) |
Binary confirmation (from bank records) |
|
Accuracy at boundary ages |
Variable (buffers required) |
High (confirmed DOB) |
High (confirmed DOB) |
High (confirmed from account data) |
High (confirmed DOB from bank) |
|
Data stored by provider |
Varies (image processed, policies differ) |
Document copy (must be stored/processed) |
Minimal (database query) |
None (yes/no response only) |
None (yes/no response only) |
|
Regulatory framework |
Ofcom listed |
Ofcom listed |
Ofcom listed |
Ofcom listed |
Ofcom listed, FCA regulated, DIATF certified |
|
User familiarity |
Low (new process) |
Medium (known concept, unfamiliar execution) |
Low (invisible process) |
High (simple) |
High (uses existing bank login) |
Facial age estimation uses AI to analyse a photograph or live video of a person's face and predict their approximate age. The user takes a selfie or enables their camera, the image is processed by an algorithm, and an estimated age is returned.
How it works for the user: The person is asked to position their face in front of a camera, usually within a frame guide on screen. Some systems use a single photograph; others require a short video for liveness detection, which confirms the camera is pointed at a real person rather than a photograph or screen. The process takes between 10 and 30 seconds when it works on the first attempt.
Accuracy: NIST's Face Analysis Technology Evaluation, the most authoritative independent assessment of facial age estimation algorithms, has tested submissions from providers worldwide. The evaluation found that even leading algorithms have a mean absolute error of 1.88 to 2.7 years for people aged 13 to 24, depending on the image source and algorithm tested. Yoti's own white paper, published in July 2025, reported that with a threshold set to 25 years (seven years above the legal age of 18), their current error rate for 13 to 17 year olds is 0.1%. With a lower threshold of 22, the error rate increases.
This is the fundamental trade-off with estimation. To reduce the risk of a minor being incorrectly estimated as an adult, systems set the threshold well above 18. Ofcom's guidance references the "challenge age" approach, where the estimation threshold is set higher than the legal restriction age. But a higher threshold means more legitimate adults are incorrectly refused. A 21 year old who is estimated as 20 would fail a challenge-25 threshold and need to verify through an alternative method. NIST's evaluation framework explicitly tracks this as "inconvenience": the rate at which adults are incorrectly challenged.
Privacy: Facial age estimation requires capturing a photograph of the user's face, which constitutes biometric data under data protection law. Providers vary in their data handling. Some state that images are processed in real time and immediately deleted. Others process on-device to avoid transmitting the image. Regardless of the specific approach, the user must present their face to a camera, which creates both a data processing event and, for many users, an uncomfortable moment. The Ipsos survey referenced in the DSIT Digital Identity Sectoral Analysis found that 61% of the UK public believed the Online Safety Act would lead to personal data being compromised.
User response at scale: When Discord announced mandatory age verification in February 2026, including facial age estimation as a primary method, the backlash was immediate and severe. Within 48 hours, users cancelled paid subscriptions in large numbers, searches for alternative platforms surged dramatically, and Discord was forced to issue a public clarification. This was not a marginal response from a small number of privacy-conscious users. It was a mainstream reaction from a platform with 200 million monthly active users.
Commercial implications: Facial age estimation offers a fast check for users who are clearly above the threshold age. However, it creates three commercial risks. First, users in the 18-24 age range, often the most commercially valuable demographic for digital platforms, are the most likely to be incorrectly challenged and redirected to a secondary verification method. Second, user resistance to face scanning is well documented and growing. Third, accuracy varies by demographic, which creates fairness concerns that regulators are increasingly attentive to.
Document upload verification requires the user to photograph a government-issued identity document, typically a passport or driving licence, and upload the image for processing. Some systems also require a selfie for face-matching, comparing the live image to the photograph on the document.
How it works for the user: The person locates their passport or driving licence, photographs it (usually via their phone camera), uploads the image, and waits for it to be processed. If the image is blurry, poorly lit, partially obscured, or the document is expired, the check fails and the user must repeat the process. Processing times vary from near-instant to several minutes depending on the provider and the complexity of the document.
Accuracy: When the document is genuine, readable, and the image is clear, document verification is highly accurate. It confirms the person's actual date of birth from an authoritative government-issued source. However, accuracy is dependent on image quality, which is dependent on the user's device, lighting conditions, and ability to photograph a document flat without glare. Failed image captures are a significant source of abandonment.
Privacy: Document upload is the most data-intensive age verification method. The business or its verification provider receives a copy of the user's passport or driving licence, which contains their full name, date of birth, photograph, document number, and potentially their address. This data must be stored, even temporarily, which creates liability. In October 2025, a third-party vendor handling identity verification for a major platform experienced a breach that exposed 70,000 government-issued IDs. The documents were held because the verification method required them.
User response at scale: Signicat's Battle to Onboard research, surveying 7,600 consumers across 14 European markets, found that 38% of people who abandoned an onboarding process did so because they did not have the required identity documents available at the time. A further 21% abandoned because the process took too long, and 21% because too much personal information was required. Document upload triggers all three of these abandonment drivers simultaneously.
The average time before abandonment, according to Signicat, was 18 minutes and 53 seconds. That is seven minutes faster than in 2020, suggesting that consumer tolerance for lengthy processes is decreasing, not increasing.
This is compounded by the fact that millions of people simply do not have the documents these methods require. Electoral Commission research found that 11 million people in the UK do not hold either a passport or a driving licence. Cabinet Office research confirmed that while 91% of adults hold a passport and 81% hold a driving licence, ownership drops significantly among younger adults, lower-income households, and people who have recently moved to the country. For these groups, document-based verification is not just inconvenient. It is impossible. Bank-verified identity sidesteps this entirely: over 98% of UK adults hold a bank account, and the verification requires no documents at all.
Commercial implications: Document verification provides high accuracy but at significant cost. Abandonment rates are the highest of any method because the user must have a physical document to hand, photograph it successfully, and wait for processing. The data liability is also the highest: every document collected is a potential breach exposure. For businesses where conversion matters, document upload at the point of sign-up or checkout represents a measurable risk to revenue.
Credit bureau checks query the records held by credit reference agencies such as Experian or TransUnion. The user provides identifying details (typically name, date of birth, and address), and the system checks those details against the agency's database.
How it works for the user: In many implementations, the credit check runs in the background with minimal user interaction. The user may enter their name and address, or the information may already be available from the sign-up form. The check returns a confirmation of whether the person's age can be verified from the database records. Some implementations leave a soft footprint on the user's credit file; others do not, depending on the type of search conducted.
Accuracy: High for users who have an established credit history. The credit bureau holds verified date of birth data sourced from financial applications. However, coverage is not universal. Young adults who have not yet built a credit file, people who have recently moved to the UK, and individuals with thin credit histories may not be verifiable through this method. There is also a fundamental limitation: credit bureau checks verify that the information entered is correct, but they do not verify that the person entering it is who they claim to be. A child could enter a parent's name and date of birth and pass the check. This is a critical distinction. Bank-verified identity through Open Banking requires the individual to authenticate into their own bank account, using the bank's own security credentials. This confirms not just the data, but the person behind it.
Privacy: Credit bureau checks process relatively little user-visible data, but they operate by querying a large centralised database of personal financial information. Some users are uncomfortable with the idea of a credit check being run in connection with age verification, particularly if they are not aware that it is happening. The distinction between a "soft search" (invisible to other lenders) and a "hard search" (visible on the credit file) is important but rarely communicated clearly to the user.
Commercial implications: Credit bureau checks are fast and low-friction for users who have established credit profiles. They are a pragmatic choice for financial services businesses where the user already expects some form of identity check. However, the demographic gaps, particularly among younger users, limit their effectiveness as a standalone method. Both Experian and TransUnion are AVPA members and position age checks as an extension of their existing identity and fraud platforms.
Mobile network operator checks verify age by querying the records held by the user's mobile phone provider. UK mobile networks apply content restriction filters to accounts, and the presence or absence of these filters can indicate whether the account holder is over 18.
How it works for the user: The user provides their mobile phone number and gives consent for the age-check service to query their mobile network. The network confirms whether the account is flagged as belonging to someone over or under 18, and the user is then sent an SMS to confirm they are the phone holder. The entire process typically completes in under 30 seconds, with no app downloads, no document uploads, and no biometric data required.
Accuracy: High for users whose mobile account accurately reflects their age. The method draws on records already held and verified by the network operator, making it one of the least intrusive verification methods available. As with any single method, there are edge cases: pay-as-you-go SIMs may not have age-verified account holders, family plans may be registered under a parent's name, and users who have recently switched networks may have incomplete records. For this reason, MNO checks work well both as a standalone method for lower-risk use cases and as part of a layered verification approach for higher assurance requirements.
Privacy: MNO checks are among the most privacy-preserving methods in the market. The network returns a simple yes-or-no response about the user's age status without transmitting their date of birth, name, or account details. No biometric data is collected, no documents are uploaded, and no personal information is stored by the verification provider.
Commercial implications: MNO checks offer one of the strongest combinations of speed, simplicity, and coverage available. With near-universal mobile phone ownership in the UK, demographic reach is broad, and the method avoids the accessibility gaps that affect document-based and biometric approaches. The user experience is fast and familiar: enter a phone number, confirm via SMS, done. While the method is less widely recognised by consumers than document verification or face scanning, the simplicity of the process means adoption friction is minimal. For businesses prioritising conversion and completion rates, MNO checking removes several of the most common abandonment triggers identified in onboarding research.
Bank-verified identity confirms age through the UK's Open Banking framework. The user selects their bank, logs in through the bank's secure authentication, and gives consent for a single data point to be confirmed: whether they are over the required age.
How it works for the user: The experience is effectively identical to logging into online banking. The user selects their bank from a list, is redirected to their bank's secure login page, authenticates as they normally would, and gives consent. The bank sends a yes-or-no confirmation. The user is returned to the original site or app, verified. The entire process typically completes in under 30 seconds.
Accuracy: Bank-verified identity confirms actual date of birth from the records of a regulated financial institution. Banks are required to verify the identity and age of account holders when the account is opened, as part of their own KYC obligations. The result is binary and precise: the person is confirmed to be above or below the required age. There is no estimation, no probability range, and no buffer threshold.
Privacy: Bank-verified identity collects no documents, captures no biometric data, and does not photograph the user. The bank confirms a yes-or-no response. No date of birth, financial data, transaction history, or account details are transmitted to the business or the verification provider. The Open Banking framework is regulated by the FCA under the Payment Services Regulations 2017, and consent is explicit and revocable.
The DSIT Digital Identity Sectoral Analysis, surveying 3,561 UK consumers, found that 79% ranked privacy and security as their top consideration when choosing a verification method, and 75% reported that digital identity verification was faster than using physical ID.
User response at scale: Bank-verified identity benefits from a dynamic that no other method has: the user is not being asked to trust a new system. They are logging into their own bank, through an interface they already recognise and already trust. The familiarity removes the resistance that drives abandonment and circumvention with other methods. When the UK Online Safety Act enforcement triggered a 1,400 to 1,800 percent surge in VPN downloads as users sought to avoid face scans and document uploads, the underlying message was clear: users will resist unfamiliar verification processes. Bank login is not unfamiliar.
Commercial implications: Bank-verified identity eliminates the three most common abandonment triggers identified in Signicat's research: process length, personal information requirements, and lack of required documents. No documents are needed. No biometric data is requested. The process completes in seconds through a trusted interface. For businesses where verification sits in the customer journey, whether at sign-up, checkout, or account access, the method that the highest proportion of users will actually complete is the method that protects the most revenue.
Ofcom's guidance is deliberately technology-neutral. It lists multiple methods as capable of being highly effective and requires businesses to evaluate which approach meets four criteria for their specific context: technical accuracy, robustness against circumvention, reliability, and fairness.
In practice, the choice is rarely between one method and another in isolation. Many businesses deploy a layered approach, offering users a choice of verification methods so that different preferences and circumstances are accommodated. What matters is that the primary method, the one most users encounter first, does not become the point at which customers leave.
The evidence from Signicat, from the DSIT consumer research, from the Discord and Online Safety Act case studies, and from the no-KYC search behaviour documented across crypto and fintech markets all points in the same direction: the method that works best is the one that asks the least of the person being verified while still confirming the fact that matters.
For businesses evaluating their options, the questions worth asking are not just "does this method meet the regulatory standard?" but "what will my customer experience when they encounter this step?" and "how many of them will complete it?"
Methods that confirm age from a verified data source, such as bank-verified identity, document upload, or credit bureau checks, deliver binary accuracy: the person is confirmed to be above or below the required age. Facial age estimation produces a probability range rather than a confirmed fact. NIST's Face Analysis Technology Evaluation found that even leading algorithms have a mean absolute error of 1.88 to 2.7 years for ages 13 to 24, depending on the image source. Estimation systems add buffers, typically only passing someone as over 18 if they are estimated at 25 or above, which means adults aged 18 to 24 may be incorrectly refused.
Completion rates vary significantly by method. Signicat's research across 7,600 European consumers found that 68% have abandoned a digital onboarding process, with 38% citing a lack of required documents as the reason. Methods that require document uploads or complex biometric captures consistently produce higher drop-off. Bank-verified identity removes the most common abandonment triggers by requiring no documents, no photographs, and no app downloads, completing through a familiar bank login in under 30 seconds.
Facial age estimation requires capturing a photograph or live video of the user's face, which constitutes biometric data. Providers vary in how they handle this data. By contrast, bank-verified identity does not capture any biometric data at all. The bank confirms a yes-or-no response without transmitting the user's photograph, date of birth, or financial details. The DSIT Digital Identity Sectoral Analysis found that 79% of consumers rank privacy and security as their top consideration when choosing a verification method.
Yes. Ofcom's guidance on highly effective age assurance, published in January 2025 and updated in April 2025, lists Open Banking as a method capable of being highly effective at determining whether a user is a child. The guidance requires age assurance methods to be technically accurate, robust against circumvention, reliable, and fair. Bank-verified identity meets these criteria by confirming actual age from a regulated financial institution rather than estimating it.
Document-based age verification has three principal disadvantages. First, it creates high abandonment: 38% of users who drop out of onboarding do so because they lack the required documents at the time. Second, it creates data liability: every document collected must be stored, processed, and secured, and breaches have exposed tens of thousands of government IDs. Third, it is slow: users must locate their document, photograph it in adequate conditions, upload it, and wait for processing, which adds minutes of friction to what could be a sub-30-second check.
The Online Safety Act 2023 places a duty on online services to protect children from harmful content. Se...
.png)
Two out of three people have completely abandoned a digital sign-up process because the identity check w...
Bank-verified identity is an age and identity verification method that confirms a person's details throu...
