The Online Safety Act is now law, and age verification is coming for a growing list of websites. The government says this is about protecting children. Nobody serious disputes that goal. What is worth disputing is whether the way it’s being implemented is the only way — or just the most convenient way for the companies doing the verifying.
There’s a difference between proving your age and proving your identity. The Act, and the industry that has grown up around it, treats them as the same thing. They aren’t.
What happens today when you verify your age
When a website asks you to verify your age under the current system, you’re typically handed off to a third-party company. You might recognise names like Yoti, Veriff, or Jumio. You might not. Most people don’t read the small print.
What you hand over varies by provider, but typically includes a scan of your passport or driving licence, a selfie or live video feed for face-matching, your IP address and browser fingerprints, and a timestamp recording which site you were verifying for and when.
That data — your face, your documents, your destination — sits with a company you didn’t choose and have no ongoing relationship with. Veriff is Estonian. Jumio is Delaware-incorporated and has changed private equity owners multiple times. AU10TIX, used by major platforms including TikTok, Uber, and X, left administrative credentials exposed for roughly 18 months — credentials that provided access to a logging platform containing users’ passport scans, facial images, and identity document data. The exposure was discovered and reported in June 2024.
This is not a fringe concern. It is the routine operation of the system as designed.
The age verification company now knows who you are and where you went. The website knows you passed verification. And because the verification company sits in the middle of every transaction, a breach, a subpoena, or a change of ownership at any one of these companies becomes a breach of your entire verification history.
What the government says about this
Ofcom, which oversees the Act, has published guidance on what counts as “robust” age assurance. It lists credit card checks, document upload, and face-scanning services as acceptable methods. It does not specify what happens to the data after verification. It does not require that verification be unlinkable from identity. It defines the outcome it wants — confirm the user is an adult — and leaves the architecture to the market.
The market has obliged by building the most data-hungry architecture possible, because data is the business model.
The Information Commissioner’s Office has said the right things about data minimisation in principle. Whether it will use its enforcement powers against Ofcom-approved providers is a question that hasn’t been answered yet.
How it could work instead
Here is a different design. It uses no technology that doesn’t already exist. None of this is new — security specialists have known about these tools for years. The point of this post is to explain them in plain language, and to ask why we aren’t using them.
Step one: Your bank verifies your age once.
Your bank already knows how old you are. They checked when you opened your account — more thoroughly, in fact, than any age verification company does. They are UK-regulated. They are not going anywhere. They have no interest in your browsing habits.
You open your banking app, go through a one-time setup, and your bank issues you a digital credential. Not a document. Not a token that gets sent anywhere. A cryptographic object that lives in the secure part of your phone — the same place your phone already stores your passkeys and payment credentials. It says one thing: the holder of this is an adult.
The bank does not need to be involved again after this point.
Step two: The website asks a question, not for your details.
When you visit a website that requires age verification, it shows you a QR code. You scan it with your phone. Your phone generates a response — a mathematical proof that you hold a valid bank-issued adult credential — and sends it back to the website.
The proof is different every time. Two websites cannot compare notes and establish that the same person visited both. The bank cannot see which websites you are visiting, because it is not involved in the transaction at all. The website cannot see who you are, because the proof contains no identifying information. All it contains is a cryptographically verified answer to the question: is this person an adult? Yes.
The website already knows your IP address from the moment you loaded the page. Your phone sends its response directly to the callback address in the QR code, which may have a different IP — but you were already carrying two connected devices before you started. If that concerns you, a VPN on your phone reduces it to nothing.
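An added example, not part of the original post or any provider's code: the two steps above sketched with blind RSA signatures, the simpler one-time-token construction used by Privacy Pass, rather than BBS+. The class names, the batch of three tokens and the toy key built from two Mersenne primes are assumptions for illustration, and the key is not secure.

```python
import hashlib
import math
import secrets

# Constructed toy bank key from two Mersenne primes. Insecure, illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, known to every website
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the bank

def h(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big")

class Bank:
    """Step one: signs blinded values at setup and never sees a usable token."""
    def __init__(self):
        self.seen = []                   # everything the bank could log
    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)

class Phone:
    """Fetches a batch of tokens once; the bank is not contacted afterwards."""
    def __init__(self, bank: Bank, count: int):
        self.tokens = [self._issue(bank) for _ in range(count)]
    def _issue(self, bank: Bank):
        nonce = secrets.token_bytes(32)
        while True:                      # blinding factor must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
        blinded = (h(nonce) * pow(r, E, N)) % N
        sig = (bank.sign_blinded(blinded) * pow(r, -1, N)) % N
        return nonce, sig                # unblinded: plain RSA signature on h(nonce)
    def present(self):
        return self.tokens.pop()         # a fresh token for every site visit

class Website:
    """Step two: verifies with the bank's public key only, no call to the bank."""
    def __init__(self):
        self.spent = set()
    def is_adult(self, token) -> bool:
        nonce, sig = token
        if nonce in self.spent or pow(sig, E, N) != h(nonce):
            return False
        self.spent.add(nonce)            # each token is accepted once per site
        return True
```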
What each party learns:
| | Current system | Proposed system |
|---|---|---|
| The verification company | Your identity, your documents, which site you visited, when | Nothing — not involved |
| The website | That you passed verification | That an adult credential holder is present |
| Your bank | Nothing (you verified directly) | That you set up a credential once |
| Anyone who breaches the verifier | Everything above, for every user | Nothing — there is no central database |
Why this hasn’t been built
Not because it’s technically difficult. The cryptographic methods involved — specifically a scheme called BBS+ signatures, and a related standard called Privacy Pass — are documented, standardised, and already implemented in other contexts. Apple uses a variant of this approach to let servers verify a device is legitimate without tracking which server it’s talking to.
The W3C, which sets web standards, has been working on Verifiable Credentials using exactly this approach. The EU’s eIDAS 2.0 framework explicitly supports it for identity use cases.
The reason it hasn’t been built for age verification in the UK is simpler: nobody with procurement power has required it. Ofcom’s standards describe what they want the output to be, not how the system should be designed. That gap has been filled by commercial verification companies whose revenue depends on being the persistent, data-holding layer in every transaction. A system that cuts them out of the data entirely removes their incentive to build it.
The government credential infrastructure that could issue root credentials for this system — GOV.UK Verify — was shut down in 2023. Its replacement, One Login, uses a conventional identity architecture that does not support this approach.
So the barrier is not the mathematics. The mathematics is solved. The barrier is that Ofcom has not required privacy-preserving verification, the FCA has not defined age attestation as a permissible activity for banks, and nobody in government appears to have asked why the two are being treated as the same problem when they aren’t.
What this actually means
If you object to current age verification, you are not objecting to age verification. You are objecting to identity surveillance that has been sold to you as age verification. That is a reasonable thing to object to.
The choice being presented — verify your identity or don’t access the site — is not the only technically available choice. It is the choice that suits the verification industry. A system in which your bank confirms you are an adult, your phone generates a one-time proof, and nobody collects your data is not a fantasy. It is an engineering decision that hasn’t been made.
The Online Safety Act does not require the current architecture. Ofcom chose not to require anything better.