OneID® | News and Events

What is age verification, and how does it work?

Written by The OneID Team® | 05/07/26 17:22

Age verification is the process of confirming that a person is old enough to access a product, service or piece of content. It checks a person’s age against a trusted record, such as a bank or a passport, and returns a yes or no answer at the point they try to get in. This guide explains what age verification is, how it works for the person and the business, the main methods available, where it is required in the UK, and how to choose one.

The person being verified experiences the short version. Someone buying age-restricted goods or opening an adult-content site taps into their bank app for a moment, or holds still for a quick face capture, and a few seconds later they are through. There is no hunting for a passport, and no document photographed twice because the first shot was blurred. For a business, that difference in effort often decides whether a genuine customer finishes or gives up at the gate.

What is age verification?

Age verification confirms that a person meets an age requirement by checking their age against an authoritative source, such as a bank record, a passport chip or a government-issued credential. It returns a clear pass or fail against a threshold, most often 18, at the moment a person tries to access something age-restricted.

Age verification sits inside a wider practice called age assurance. Age assurance is the umbrella term for any method that works out or confirms a person’s age online. It has two broad forms. Age verification confirms an age against an authoritative record. Age estimation infers an age band from data such as a facial image, without confirming exactly who the person is. Both are forms of age assurance, and a well-designed service often uses them together.

How does age verification work?

For the person, an age verification check is a short step inside a sign-up, a purchase or a login. They choose a method, confirm their age through it, and pass or are asked to try another route. For the business, a provider runs the check against a trusted source, returns the result, and produces a record that the check was done.

End to end, the flow is consistent whatever the method. The person is asked to prove their age at the point of access. They confirm through a source that already holds or can establish their age, a bank, a mobile network, a document or a stored credential. The provider checks that source, returns a pass or fail, and keeps evidence of the decision. The business acts on the result and holds the record in case a regulator asks how the age gate is run. The person only ever sees the part that touches them, which good design keeps to a few seconds.

The main age verification methods, and what Ofcom says about them

Several methods can perform age checks to a high standard. Ofcom lists a range of them as capable of being highly effective age assurance under the Online Safety Act. The list is not exhaustive, and Ofcom does not approve or certify individual products. The methods it names include the following.

  • Open banking. The person confirms their age through their bank, which already holds a verified date of birth.
  • Mobile network operator age checks. The mobile network confirms whether the account holder is registered as over 18.
  • Credit card checks. A valid UK credit card indicates the holder is over 18, since these cards are not issued to under-18s.
  • Digital identity services and wallets. A reusable, verified credential held on the person’s device and released with their consent.
  • Facial age estimation. A model infers an age band from a facial image, without identifying the person.
  • Photo-ID matching. A person’s photo identity document is checked for validity and matched to a live image of them.
  • Email-based age estimation. Signals tied to an email address are analysed to estimate whether the person is likely to be an adult.
  • Self-declaration. Ticking a box to say you are over 18, with nothing behind it, is not a check.
  • A date-of-birth field. Asking a person to type a date with no verification against any source proves nothing about their real age.
  • General payment methods. Taking a payment that a person of any age could make does not confirm the payer is an adult.

To count as highly effective, Ofcom says a method must be, in its own words, “technically accurate, robust, reliable and fair”. Ofcom sets no fixed numerical accuracy figure. It judges a method against those four criteria and against how it is implemented, which means the same technology can be highly effective in one deployment and weak in another.

What does not count as age verification

Some common approaches do not meet the standard on their own. Ofcom is clear that self-declaration, a bare date-of-birth field, and general payment methods that do not require the payer to be over 18 are not highly effective age assurance.

A real check tests the claim against a source the person cannot simply assert. If a method relies only on the person’s unverified word, it is a formality.

Age verification vs age estimation vs identity verification

These three do different jobs. Age verification confirms an exact age or date of birth against an authoritative record. Age estimation infers an approximate age band, usually from a facial image, without confirming who the person is. Identity verification confirms a named individual is who they claim to be, with their date of birth as one of several attributes established.

The right one depends on what the rule and the risk require. Where you only need to keep under-18s out of an adult space, age estimation can carry most of the traffic, with a stronger method as the fallback near the boundary. Where you must know exactly who someone is, for a regulated account or a high-value action, identity verification is the route. Age verification against a trusted record sits between the two, confirming the age without building a full identity profile. Many services combine them, using the lightest method that satisfies the requirement.

Where is age verification required in the UK?

Since 25 July 2025, services that publish or allow pornographic content must use highly effective age assurance under the Online Safety Act. Ofcom oversees the duty and expects a method configured to meet its four criteria. A self-declared age gate does not qualify. The Act is the reason many UK sites added a real age check during 2025.

Other age-restricted goods and services, for example alcohol, tobacco and vapes, gambling and knives, are covered by their own rules rather than the Online Safety Act. Those sector rules predate the Act and vary by product, so a business selling age-restricted goods online should check the specific regime that applies to it. For the online-safety duty and how it decides who must check age and when, see the UK Online Safety Act age verification guide.

Is online age verification safe, and what data is collected?

Online age verification can be run in a way that collects very little about the person. What is gathered depends on the method. A bank or wallet route can confirm an age threshold without handing the business a copy of a document. Facial age estimation can run on the person’s own device and return only an age band. A document route captures more, because it reads an identity record.

Data minimisation is the principle that matters here. A well-designed check collects only what the age decision needs and keeps as little as possible afterwards. For the person being verified, that means proving they are old enough without surrendering more of their identity than the gate requires. When you assess a method, ask what it captures, where the check runs, and what is retained once the result is returned. Those answers decide how easy the check is to defend to a regulator and to the person passing through it.

How to choose an age verification method or provider

Start from your audience and your risk. Match the method to the people you serve and the rule you must meet, then look for a provider that can run more than one method so a check can fall back to a stronger route when it needs to. The table sets out where the common methods fit.

Method

What it establishes

When it fits

Open banking or bank-verified age

A confirmed age from a trusted bank record

Adult audiences with UK bank accounts, cleared without a document

Mobile network operator age check

An age signal held by the mobile network

Users on a contract or verified mobile account, as a document-free route

Facial age estimation

An estimated age band, with no identity attached

High-volume age gates where you need to clear a threshold rather than identify the person

Digital identity wallet credential

A reusable, pre-verified age claim

Returning customers who verified once and can confirm in a tap

Photo-ID or bank-verified identity

An exact identity and date of birth

Regulated accounts, high-value actions, or anyone near an estimation boundary

Weigh certification, the range of methods on offer, how well each is evidenced, and how many of your customers actually finish the check. A provider certified under the UK’s Digital Verification Services Trust Framework, and regulated in its own right, carries more weight when a check is questioned. For the method that suits high-volume gates, see how facial age estimation works and when to use it. For adding a check to a site, see age verification for your website.

OneID is one provider built around these criteria. It offers age verification across several methods, including bank-verified age, mobile number age checks and on-device facial age estimation, so a check can match the audience and fall back to a stronger route near the boundary. OneID is certified under the UK’s Digital Verification Services Trust Framework and FCA-regulated (FRN 928911). Five of the methods Ofcom lists as capable of being highly effective age assurance are available through it. [

Frequently asked questions

What is age verification? Age verification is the process of confirming that a person is old enough to access a product, service or content by checking their age against an authoritative source, such as a bank, a passport or a government-issued credential. It returns a pass or fail against an age threshold, most often 18.

How does online age verification work? The person is asked to prove their age at the point of access. They confirm through a trusted source, for example their bank, mobile network, a document or a stored credential. A provider checks that source, returns a pass or fail in seconds, and keeps a record that the check was done, which the business retains.

What are the main age verification methods? Ofcom lists open banking, mobile network operator age checks, credit card checks, digital identity services and wallets, facial age estimation, photo-ID matching and email-based age estimation as methods capable of being highly effective. The list is not exhaustive, and Ofcom does not approve or certify individual products.

What is the difference between age verification and age estimation? Age verification confirms an exact age or date of birth against an authoritative record. Age estimation infers an approximate age band, usually from a facial image, without confirming who the person is. Both are forms of age assurance, and services often use estimation first with verification as a fallback near the threshold.

Is age verification a legal requirement in the UK? For some services, yes. Since 25 July 2025, services publishing or allowing pornographic content must use highly effective age assurance under the Online Safety Act. Other age-restricted goods, such as alcohol, tobacco, vapes and gambling, are covered by their own separate sector rules rather than the Act.

Is online age verification safe, and what data is collected? It can be run to collect very little. What is gathered depends on the method: a bank or wallet route can confirm an age without sharing a document, and facial age estimation can run on the person’s own device and return only an age band. Ask any provider what it captures, where the check runs and what is retained.

Does a date-of-birth box count as age verification? No. Asking a person to type or tick their age with no check against a trusted source is self-declaration, which Ofcom does not treat as highly effective age assurance. A real check tests the age claim against a source the person cannot simply assert.