Age verification with ID Wallets: confirm your users are age-appropriate and nothing else

Age verification online often boils down to a basic question: "Are you over 18?" asked via a pop-up on the website. However, this method has a significant flaw—it relies entirely on trust. Underage users can easily lie, making it an unreliable method for ensuring compliance and protecting minors.

Effective age verification systems must prevent minors from circumventing security measures and accessing the platform, all while providing a simple and private user experience for adults.

In this context, let’s see why ID wallets are emerging indisputably as the best method for age verification, offering strong compliance and protection for children, along with exceptional privacy, security, and ease of use.

What is an age verification system?

An age verification system acts like a gatekeeper, ensuring that only individuals of a certain age can access specific services or purchase age-restricted items.

This system is commonly implemented on platforms that offer content, products, or services intended for adults, not only to comply with legal requirements but also to protect minors.

They involve users providing proof of their age through various means to confirm their eligibility to access the platform's content or services.

When should you use an age verification system for your business?

Your organization should use age verification in the following situations:

1. Legally mandated:

If the law requires a minimum age for buying or using your products/services as they could harm a child's development. This includes alcohol, tobacco, gaming, adult content streaming, and dating websites.

When verifying age is needed to make contracts legally valid. For example, if the minimum age for contract validity is generally 18, parental permission might be required in digital services when minors accept a contract (i.e. an in-app purchase) for the contract to be legally valid.

2. Duty of care to protect children:

When there's a responsibility to safeguard children from accessing content that, while not highly risky, could still be harmful.

3. Contractual obligation:

When there's a contractual stipulation (i.e. in your Terms & Conditions) to provide your products/services to individuals within a specific age range.

For regulated sectors like banking, age verification often intersects with Know Your Customer (KYC) procedures. In these cases, verifying an individual's age is just one part of a broader identity verification process.

On top of this, platforms that operate in the EU or if there is a “substantial connection” to the EU must comply with the Digital Services Act (DSA), which states that online platforms accessible to minors must implement measures to ensure a high level of privacy, safety, and security for underage users, including age verification.

The DSA rules applied since August 2023 to the first designated Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), such as Instagram or Google, and since 17 February 2024 to all listed platforms.

Age verification challenges

Online age verification has its complexities primarily due to the need to balance reliability, user privacy, and usability.

Age verification systems need to be accurate and reliable to prevent minors from accessing age-restricted products or services. But with children getting better at finding ways to get past age restrictions, robust systems for detecting fraudulent attempts are essential to preventing unauthorized access and adhering to regulatory standards.

In the UK, the Advertising Standards Authority uncovered that 83% of the 11 to 15 year olds registered on a social media site with a false age.

However, a big challenge of age verification is to ensure reliability without infringing the user’s privacy. Users provide personal details during age verification, raising concerns about data breach risks and usage beyond age verification purposes.

A clear example is adult content streaming websites. Age gating is not a reliable method. However, users would think twice before providing their ID documents or scanning their faces to access these websites. It raises the question, “Why do they need my name to know I’m an adult?“.

It is time to end the continuous and massive capture of users' personal data, minors or not. Effective age verification systems should prevent minors from being located through the internet, guarantee the anonymity of adult users, and minimize the data processed or disclosed to third parties.

Additionally, another challenge is user experience. Age verification processes should be intuitive, simple, and seamlessly integrated into the user journey to minimize friction and maximize completion rates. Lengthy or complicated verification procedures, such as scanning multiple times an ID or performing facial analysis, can lead to abandoned transactions or frustrated customers.

With these challenges in mind, what methods do organizations have available to provide a safer digital environment for children?

Common age verification methods online

Many age verification methods exist today, and while each has its pros and cons, none offers a solution to all three challenges (privacy, reliability, and user experience). These are the most common methods:

• Self-declaration or age gating: It is the most common of all methods and involves users honestly telling their age before proceeding. It could be as simple as clicking "yes" to a "Are you over 18 years of age?" prompt, adding a birthdate, or selecting an age from a drop-down menu.

While easy to implement, it mainly serves as legal protection for businesses rather than effective minor protection since users can easily lie. Therefore, age gating is not a compliant method for reliable age verification.

• Credit card: Users input their credit card details to prove their age by assuming possession indicates legal age. However, apart from the privacy and security concerns that are present in providing such financial information, children can bypass this verification by obtaining an adult’s credit card, as it is not possible to confirm that the person using the card is the legitimate owner.

A quick search on this topic reveals multiple questions from people on Reddit and other forums wondering why they need to share this sensitive information for age verification or even how to obtain a fake credit card, not to provide their real information.

• ID verification: Users upload a scanned copy of their government-issued identification. This is a reliable but data-sensitive method as it raises questions regarding the need for extensive personal information beyond age verification.

• Facial age estimation: Users take a selfie or complete a liveness check, and artificial intelligence (AI) is used to analyze their facial features and estimate their age. However, this method can be tedious and prone to errors, and it raises privacy issues because they may use special categories of personal data.

Moreover, using these applications to estimate a child's age can also lead to excessive data processing and profiling.

ID Wallets for age verification: Why are they the best method?

A digital ID wallet, such as the Gataca Wallet, is a phone or website app allowing users to identify and prove facts about themselves via verifiable credentials, which are digital documents containing information about a person.

Imagine it as the digital wallets you use for payments on your phone, such as Apple Pay or Google Pay, but going one step further, storing credentials like national IDs, passports, diplomas, health records, and more.

But why is this relevant for age verification? ID Wallets allow users to prove their age without disclosing other personal data. This can be done through selective disclosure, choosing only to share their birth date, or by providing an “Age Over 18“ credential, which would not provide any other unnecessary information than what age verification systems require.

So, let’s analyze why ID Wallets outshine traditional methods:

• Security: ID wallets use in-device biometrics, strong encryption, and self-storage (information is stored on the user's device), ensuring the highest level of security for sensitive personal information and minimizing the risk of data breaches.
• Safety: Only authorized users can access your services as you can automatically verify the authenticity of the data, protecting underage users from accessing inadequate content, products, or services.
• Privacy and Control: Using an ID wallet, users gain greater control over their personal information by choosing what data to share and with whom, with the option to revoke consent anytime. Moreover, verifiable credentials allow granular consent to share only what’s needed and nothing else.
• User Experience: With ID wallets, individuals have immediate access to their verifiable credentials from their mobile devices, and they can share them with just one click.

For EU organizations, it is important to mention that ID Wallets are aligned with the recently approved eIDAS 2.0 regulation. This directive stipulates that member states and impacted organizations will have to accept ID Wallets as an authentication method.

Gataca Vouch: Privacy-first Age Verification

Gataca Vouch is an Identity Provider (IdP) solution designed to make age verification easy and secure by interacting with ID Wallets.

With Gataca Vouch, users can prove they are of legal age with just a tap on their phone, without revealing any personal information. This ensures complete anonymity for adults and minimizes any impact on platform traffic.

How it works?

Users scan a QR code with their ID Wallet before accessing restricted content, share a credential confirming they are above the required age with a single click, and gain instant access—no personal information is shared, not even their exact age or birthdate.

The credential shared is an "Age Over 18" (or the required age) verifiable credential obtained within the Gataca Wallet.

What Sets Gataca Vouch Apart?

Unlike federated identity systems like "Sign in with Google" or Facebook, Gataca Vouch doesn't store user information. Instead, users manage and store their data in their ID Wallets, ensuring privacy and control.

Gataca Vouch is also adaptable for various identity verification needs, making it a versatile solution and opening new business opportunities for organizations beyond age verification as demand for ID Wallets and verifiable credentials continues to grow.