ACCS says reusable age check systems must establish provenance

Age proofs without context, metadata risk weakening ecosystem through ‘trust by brand’

The Age Check Certification Scheme (ACCS) has released a statement clarifying its position on reusable age checks.

As the age assurance sector has expanded globally in response to regulations, providers of age checks have been joined by orchestrators, tokenization schemes and other startups working with interoperability mechanisms like passkeys.

But these latter firms, says ACCS, cannot bear the burden of trust in any given age assurance transaction, according to the guidelines set out in the ISO/IEC 27566-1 standard on age assurance systems.

“One of the emerging risks in age assurance interoperability is the assumption that trust in the carrier of an age signal automatically transfers to trust in the underlying age assurance mechanism,” says the statement from ACCS. “It does not.”

“Under the principles established in ISO/IEC 27566-1:2025, indicators of effectiveness relate to the method and efficacy by which age assurance was originally established – not merely to the entity transporting, storing or relaying the signal.”

In effect, systems that serve as containers, conduits or aggregators of age checks can’t magically make them more trusted by proxy. “An interoperability layer, wallet, token exchange, passkey infrastructure, verifiable credential framework or trusted intermediary cannot ‘upgrade’ the effectiveness of an age assurance outcome simply through association with its brand, architecture or reputation.”

Trusted age check must be proven, measured, transparent

So, what qualifies as a legitimate age check in the eyes of the ACCS? The confidence level, it says, derives from “the original evidence and methodology used to establish age, the assessed indicators of effectiveness of that mechanism, the operational controls surrounding it, and the certification or conformity assessment status attached to that process.”

Parsing that, an age check only offers assurance if one knows how it was done, and can be confident that the entity responsible is qualified, with the certifications to back up its work.

In this, the ACCS’ call echoes the one coming from other areas of the biometrics field, demanding verifiable, testable, auditable evidence of a product’s effectiveness and quality.

It also underlines the need for age check providers themselves to establish strong brands. The implication in the ACCS’ statement is that, in the age assurance gold rush, it is possible to piggyback on the proven reputation of a vendor by prioritizing visibility – so-called “trust by brand.”

Familiarity, after all, is a key element of trust. By that logic, every age assurance provider should want to showcase its public face, as a way to build trust with people who use the technology.

Show me the metadata

To ensure that reusable options like age tokens or verifiable credentials actually carry the trust they claim to, the ACCS believes interoperable age assurance signals must include metadata that ties them to the original source or provider of the age check. That metadata should also include “the applicable certification or conformity assessment status, the relevant indicator(s) of effectiveness associated with the originating age assurance process, and sufficient integrity protections to prevent loss or manipulation of that context.”

Only by establishing the provenance of an age check can an interoperable method be truly trusted. “Where this information is absent,” says ACCS, “the relying party cannot safely infer effectiveness.”

“In practical terms, an age signal without provenance and effectiveness metadata should be treated as an age assertion with zero established confidence.”
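
A relying-party check along the lines described above, as an added example that is not part of the ACCS statement or any real token format. The field names, sample key and provider name are assumptions, and HMAC stands in for the originating provider's signature so the sketch runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Hypothetical field names; neither ISO/IEC 27566-1 nor ACCS defines this layout.
REQUIRED = ("provider", "method", "certification", "effectiveness")

def _mac(key: bytes, claim: str, provenance: dict) -> str:
    # Canonical JSON so issuer and verifier hash identical bytes.
    body = json.dumps({"claim": claim, "provenance": provenance},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(key: bytes, claim: str, provenance: dict, carrier: str) -> dict:
    """Originating provider binds the claim to its provenance metadata."""
    return {"claim": claim, "carrier": carrier, "provenance": provenance,
            "mac": _mac(key, claim, provenance)}

def assess(token: dict, provider_keys: dict) -> tuple:
    """Relying-party decision; token['carrier'] is deliberately never read."""
    prov = token.get("provenance")
    if not isinstance(prov, dict) or any(not prov.get(f) for f in REQUIRED):
        return ("zero", "provenance or effectiveness metadata absent")
    key = provider_keys.get(prov["provider"])
    if key is None:
        return ("zero", "originating provider not recognised")
    expected = _mac(key, str(token.get("claim", "")), prov).encode()
    if not hmac.compare_digest(expected, str(token.get("mac", "")).encode()):
        return ("zero", "integrity check failed; context lost or altered")
    # Confidence comes from the originating process, not from who relayed it.
    return (prov["effectiveness"], "established by " + prov["provider"])

# Constructed sample data.
KEYS = {"example-age-provider": b"constructed-demo-key"}
PROV = {"provider": "example-age-provider", "method": "document-check",
        "certification": "placeholder-cert-status", "effectiveness": "standard"}

bare = {"claim": "18+", "carrier": "trusted-app-store"}
good = issue(KEYS["example-age-provider"], "18+", PROV, "small-wallet")
# An intermediary relabels the outcome without holding the provider's key.
upgraded = dict(good, provenance=dict(PROV, effectiveness="high"))

if __name__ == "__main__":
    for name, tok in (("bare", bare), ("good", good), ("upgraded", upgraded)):
        print(name, assess(tok, KEYS))
```

The bare “18+” scores zero whatever its carrier, and the relabelled token fails the integrity check instead of inheriting a higher rating.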

Not the name that matters, but what’s inside that counts

The statement from the ACCS is not directed at any specific organization. Rather, it expresses concern that age checks without preserved assurance context could weaken the integrity of the entire age assurance ecosystem. The expression about bad apples implies that one spoiled fruit can spread its rot to the whole barrel. With stable trust remaining key for the long-term survival of the industry, says the ACCS, it must be defended with evidence.

In a statement emailed to Biometric Update, Tony Allen, chief executive of the ACCS, does name names – just about all of them.

“The brand your age token comes from, be that Apple, Google, Meta, OpenAge, AgeAware or whatever is not, by itself, an indicator of whether the age token is established through a ‘highly effective’ mechanism,” Allen says. “If it simply comes as ‘18+’ with no context, it must be treated as zero confidence by a relying party even if that’s coming from a trusted App Store or established brand. Context is critical.”
