Age verification is the process of confirming that a person is old enough to access a product, service or piece of content. It checks a person’s age against a trusted record, such as a bank or a passport, and returns a yes or no answer at the point they try to get in. This guide explains what age verification is, how it works for the person and the business, the main methods available, where it is required in the UK, and how to choose one.
The person being verified experiences the short version. Someone buying age-restricted goods or opening an adult-content site taps into their bank app for a moment, or holds still for a quick face capture, and a few seconds later they are through. There is no hunting for a passport, and no document photographed twice because the first shot was blurred. For a business, that difference in effort often decides whether a genuine customer finishes or gives up at the gate.
Age verification confirms that a person meets an age requirement by checking their age against an authoritative source, such as a bank record, a passport chip or a government-issued credential. It returns a clear pass or fail against a threshold, most often 18, at the moment a person tries to access something age-restricted.
Age verification sits inside a wider practice called age assurance. Age assurance is the umbrella term for any method that works out or confirms a person’s age online. It has two broad forms. Age verification confirms an age against an authoritative record. Age estimation infers an age band from data such as a facial image, without confirming exactly who the person is. Both are forms of age assurance, and a well-designed service often uses them together.
For the person, an age verification check is a short step inside a sign-up, a purchase or a login. They choose a method, confirm their age through it, and pass or are asked to try another route. For the business, a provider runs the check against a trusted source, returns the result, and produces a record that the check was done.
End to end, the flow is consistent whatever the method. The person is asked to prove their age at the point of access. They confirm through a source that already holds or can establish their age, a bank, a mobile network, a document or a stored credential. The provider checks that source, returns a pass or fail, and keeps evidence of the decision. The business acts on the result and holds the record in case a regulator asks how the age gate is run. The person only ever sees the part that touches them, which good design keeps to a few seconds.
Several methods can perform age checks to a high standard. Ofcom lists a range of them as capable of being highly effective age assurance under the Online Safety Act. The list is not exhaustive, and Ofcom does not approve or certify individual products. The methods it names include the following.
To count as highly effective, Ofcom says a method must be, in its own words, “technically accurate, robust, reliable and fair”. Ofcom sets no fixed numerical accuracy figure. It judges a method against those four criteria and against how it is implemented, which means the same technology can be highly effective in one deployment and weak in another.
Some common approaches do not meet the standard on their own. Ofcom is clear that self-declaration, a bare date-of-birth field, and general payment methods that do not require the payer to be over 18 are not highly effective age assurance.
A real check tests the claim against a source the person cannot simply assert. If a method relies only on the person’s unverified word, it is a formality.
These three do different jobs. Age verification confirms an exact age or date of birth against an authoritative record. Age estimation infers an approximate age band, usually from a facial image, without confirming who the person is. Identity verification confirms a named individual is who they claim to be, with their date of birth as one of several attributes established.
The right one depends on what the rule and the risk require. Where you only need to keep under-18s out of an adult space, age estimation can carry most of the traffic, with a stronger method as the fallback near the boundary. Where you must know exactly who someone is, for a regulated account or a high-value action, identity verification is the route. Age verification against a trusted record sits between the two, confirming the age without building a full identity profile. Many services combine them, using the lightest method that satisfies the requirement.
Since 25 July 2025, services that publish or allow pornographic content must use highly effective age assurance under the Online Safety Act. Ofcom oversees the duty and expects a method configured to meet its four criteria. A self-declared age gate does not qualify. The Act is the reason many UK sites added a real age check during 2025.
Other age-restricted goods and services, for example alcohol, tobacco and vapes, gambling and knives, are covered by their own rules rather than the Online Safety Act. Those sector rules predate the Act and vary by product, so a business selling age-restricted goods online should check the specific regime that applies to it. For the online-safety duty and how it decides who must check age and when, see the UK Online Safety Act age verification guide.
Online age verification can be run in a way that collects very little about the person. What is gathered depends on the method. A bank or wallet route can confirm an age threshold without handing the business a copy of a document. Facial age estimation can run on the person’s own device and return only an age band. A document route captures more, because it reads an identity record.
Data minimisation is the principle that matters here. A well-designed check collects only what the age decision needs and keeps as little as possible afterwards. For the person being verified, that means proving they are old enough without surrendering more of their identity than the gate requires. When you assess a method, ask what it captures, where the check runs, and what is retained once the result is returned. Those answers decide how easy the check is to defend to a regulator and to the person passing through it.
Start from your audience and your risk. Match the method to the people you serve and the rule you must meet, then look for a provider that can run more than one method so a check can fall back to a stronger route when it needs to. The table sets out where the common methods fit.
|
Method |
What it establishes |
When it fits |
|
Open banking or bank-verified age |
A confirmed age from a trusted bank record |
Adult audiences with UK bank accounts, cleared without a document |
|
Mobile network operator age check |
An age signal held by the mobile network |
Users on a contract or verified mobile account, as a document-free route |
|
Facial age estimation |
An estimated age band, with no identity attached |
High-volume age gates where you need to clear a threshold rather than identify the person |
|
Digital identity wallet credential |
A reusable, pre-verified age claim |
Returning customers who verified once and can confirm in a tap |
|
Photo-ID or bank-verified identity |
An exact identity and date of birth |
Regulated accounts, high-value actions, or anyone near an estimation boundary |
Weigh certification, the range of methods on offer, how well each is evidenced, and how many of your customers actually finish the check. A provider certified under the UK’s Digital Verification Services Trust Framework, and regulated in its own right, carries more weight when a check is questioned. For the method that suits high-volume gates, see how facial age estimation works and when to use it. For adding a check to a site, see age verification for your website.
OneID is one provider built around these criteria. It offers age verification across several methods, including bank-verified age, mobile number age checks and on-device facial age estimation, so a check can match the audience and fall back to a stronger route near the boundary. OneID is certified under the UK’s Digital Verification Services Trust Framework and FCA-regulated (FRN 928911). Five of the methods Ofcom lists as capable of being highly effective age assurance are available through it. [
What is age verification? Age verification is the process of confirming that a person is old enough to access a product, service or content by checking their age against an authoritative source, such as a bank, a passport or a government-issued credential. It returns a pass or fail against an age threshold, most often 18.
How does online age verification work? The person is asked to prove their age at the point of access. They confirm through a trusted source, for example their bank, mobile network, a document or a stored credential. A provider checks that source, returns a pass or fail in seconds, and keeps a record that the check was done, which the business retains.
What are the main age verification methods? Ofcom lists open banking, mobile network operator age checks, credit card checks, digital identity services and wallets, facial age estimation, photo-ID matching and email-based age estimation as methods capable of being highly effective. The list is not exhaustive, and Ofcom does not approve or certify individual products.
What is the difference between age verification and age estimation? Age verification confirms an exact age or date of birth against an authoritative record. Age estimation infers an approximate age band, usually from a facial image, without confirming who the person is. Both are forms of age assurance, and services often use estimation first with verification as a fallback near the threshold.
Is age verification a legal requirement in the UK? For some services, yes. Since 25 July 2025, services publishing or allowing pornographic content must use highly effective age assurance under the Online Safety Act. Other age-restricted goods, such as alcohol, tobacco, vapes and gambling, are covered by their own separate sector rules rather than the Act.
Is online age verification safe, and what data is collected? It can be run to collect very little. What is gathered depends on the method: a bank or wallet route can confirm an age without sharing a document, and facial age estimation can run on the person’s own device and return only an age band. Ask any provider what it captures, where the check runs and what is retained.
Does a date-of-birth box count as age verification? No. Asking a person to type or tick their age with no check against a trusted source is self-declaration, which Ofcom does not treat as highly effective age assurance. A real check tests the age claim against a source the person cannot simply assert.
The UK digital driving licence is a version of your driving licence held on your phone rather than on a ...
UK government digital ID refers to the government’s own tools for proving who you are online. In the UK,...
Customer onboarding breaks most often at the identity check. A person has chosen your product, entered t...