Skip to main content
CybersecurityPrivacy & Surveillance

Biometric Age Verification Shifts to On-Device Processing

Smartphone on a neutral surface with blank screen and hint of a hand nearby.

The U.S. recorded 3,322 data compromises last year — a record high, and a 79% increase over five years, according to the Identity Theft Resource Center.

Regulatory pressure: UK, Australia, Brazil, and U.S. states

Age assurance is moving from recommendation to requirement. The piece records more than 30 age assurance laws now in force worldwide. The UK is enforcing the Online Safety Act's "highly effective" age check requirement and has restrictions on under-16 access to social media planned for spring 2027. Australia's under-16 rules took effect in December, and the government has signaled its intent to double maximum fines to $99 million after early waves of non-compliance. Brazil's Digital ECA became enforceable in March 2026, and half of U.S. states now mandate some form of age verification. Regulators are actively deciding which age assurance methods count as effective — a moment the article describes as when the standard gets set.

The privacy problem with server-based facial age estimation

Facial age estimation has become one of the most accessible compliance tools because it requires no government ID or database lookup. But implementations that capture faces and send them to servers carry significant exposure. The Identity Theft Resource Center reports supply-chain breaches doubled over five years, and 63% of consumers have expressed serious concern over biometric data collection. At the same time, fraud is changing: across more than 7 billion identity verifications processed on Incode's platform, agentic fraud rose from 3% of attempts in 2024 to 40% in the first quarter of 2026, and Incode estimates it will exceed 90% within the next 18 months. Against that backdrop, a written privacy promise — "privacy by policy" — is presented as inadequate; it can assign liability after a breach but cannot prevent interception, insider access, or a compromised vendor.

On-Device Age Estimation: the technical claim

Incode announced a product called On-Device Age Estimation, launched in July, that runs two models locally on the user's phone, tablet, or laptop: facial age estimation and passive liveness detection. The company says the face is analyzed on the user's device and is neither transmitted nor stored; what travels onward is only the outcome — whether the user meets the platform's required age threshold. If the check cannot be completed, the user is offered another verification method chosen by the platform. To make local execution feasible, Incode compressed both models to roughly a tenth of their original size using knowledge distillation so they can run inside an ordinary browser or app without special hardware. The vendor frames this as "privacy by architecture": build the system so sensitive data never becomes accessible in the first place.

Session telemetry, spoof protections, and server-side defenses

Even with on-device analysis, the company retains a server-side layer for session integrity. The server analyzes session metadata — timing, device and connection characteristics — to detect injected camera feeds, manipulated devices, and other tampering. Incode stresses that this telemetry contains no facial or biometric information and exists solely for fraud detection and session integrity. The firm's security layer is presented with specific performance claims: 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing, described as "the same anti-impersonation standard trusted by eight of the top ten U.S. banks." Incode also reports it has flagged more than 1 million face attacks across its platform in 2026.

Identiq acquisition and fraud intelligence without central data lakes

Incode committed $100 million to advancing privacy-preserving identity infrastructure and acquired Identiq, a company that spent nearly a decade and more than $50 million developing patented privacy-enhancing cryptographic solutions for peer-to-peer anti-fraud collaboration. Identiq's approach, as described, enables organizations to share fraud signals without exposing customer data to any third party — "no central data lakes. No data brokerage." Integrated into Incode's platform, that technology is projected to reach billions of verifications annually, adding network fraud intelligence while avoiding pooled customer data. "Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers' data," said Itay Levy, Co-Founder and CEO of Identiq.

What this means for technologists, regulators, and end users

  • Technologists and security teams: Expect design trade-offs between local model performance and remote telemetry for session integrity; Incode's approach compresses models to about a tenth of their original size and pairs on-device checks with server-side metadata analysis.
  • Policymakers and regulators: The record shows regulators are actively deciding which methods count as effective for age assurance; the article frames this period as when the standard gets set and notes jurisdictions tightening requirements and penalties.
  • End users and platforms: The proposed benefit is a workflow where a user's face "never leaves the device" while platforms receive a yes/no age outcome and fallback verification options; users concerned about biometric collection are cited as a substantial constituency — 63% in the Identity Theft Resource Center finding.

Incode casts its new offering and its $100 million investment as a response to simultaneous pressure from regulators and rising fraud: a compliance program spanning SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, the Age Check Certification Scheme (ACCS), and the Kantara IAL2 Component Services Trust Mark is cited alongside the company's record of more than 7 billion trust checks processed. Founder and CEO Ricardo Amper summed the company's posture: "We have always believed that privacy and fraud prevention are not a tradeoff, but part of the same problem -- solved together or not at all. Age checks are becoming law around the world. Our job is to do what we can so that proving your age asks as little of the user as possible."

Regulators, platforms, and privacy-minded users will now test whether an architecture that keeps faces on devices while sharing only session outcomes and cryptographically protected fraud signals satisfies both legal standards and operational needs. The record the company points to is precise; the regulatory and market judgments that follow will determine whether on-device age checks become the benchmark.

Source: The Future of Age Verification: Your Face Never Leaves Your Device — BleepingComputer