Age Assurance: How Persona can help determine an individual's age

Persona provides flexible methods to meet global age assurance regulations, such as the UK’s Online Safety Act and Australia’s Social Media Minimum Age Bill. We support the full spectrum of regulator-recommended approaches:

• Age estimation: Age is estimated using inherent features or behaviours related to an individual that vary with age.
• Age inference: Age is inferred from evidence that allows the age of the individual to be implied
• Age verification: Age is verified using identity information from an identity document that includes the individual's date of birth

As an age assurance provider, Persona understands the potential sensitivity of processed data and is built with strict privacy and security controls by design.

An overview of Persona’s age assurance methods

1. Age estimation

• Selfie age estimation: Estimates age by analyzing facial features from a user's selfie. Also checks for spoofing and presentation attacks.

2. Age inference

• Email-based age inference: Uses data points (e.g., email age, digital footprint) to assess the likelihood a user is over specified age thresholds (13, 16, 18).

3. Age verification

• Phone-based age verification: Verifies a user is over 18 by checking mobile network operator (ie MNO) records.
• Credit card-based age verification: Verifies card validity, leveraging the common legal requirement that cardholders are 18+.
• Government ID verification: Verifies a document's authenticity and extracts the date of birth to confirm age. Can be combined with a selfie check to match the user to the ID.
• Database verification: Cross-references user information against authoritative and issuing databases (e.g., credit bureaus, public records) to confirm age.

4. Reusable age token

• Reusable Persona: Allows users to store and reuse their verified age attribute (e.g., 18+) for future access.

How It Works

Your specific setup will vary based on regional regulations and your desired user experience. The steps below outline one example of layering multiple age assurance methods (known as successive validation, per ISO 27566).

1. Use existing information

• Infer or verify age using the email or phone provided at signup. We recommend confirming ownership with 2FA. This method helps meet compliance requirements with minimal user friction.

2. Estimate age

• If existing information is insufficient (e.g., a newly created email), use selfie age estimation as a fallback.

3. Government ID verification

• If the age estimate is ambiguous or near a threshold (e.g., estimated 18.1 for an 18+ gate), escalate to Government ID verification. This can be paired with a selfie check to confirm the user matches the ID document.

4. Simplify future verifications

• End users may setup a Reusable Persona. This enables simple re-verification using digital passkeys (e.g., FaceID) for sensitive actions, like updating login details.

Persona’s approach to assuring age helps your organization stay:

1. Compliant - Meet global regulatory requirements with flexible age assurance options.
2. Scalable - Support user growth without scaling your own infrastructure or operations.
3. Flexible - Configure user experiences and apply location-based restrictions.