Are age tokens and zero-knowledge proofs replacing one form of surveillance with another?

Reusable digital credentials are becoming the tools of choice for online age verification, replacing the need to upload passports, selfies, and credit cards – but experts warn the technology could create new ways to track users across the internet.
- Age tokens can reduce the sharing of personal records, but they are not automatically private. Whether they protect users depends on how they are designed, what they are linked to, and who sees each verification.
- There is a risk of hidden tracking. If a central provider is involved every time a token is used, it could create a record of a person's activity across multiple platforms.
- Strong cryptography is not enough on its own. Even privacy-preserving systems such as Zero-Knowledge Proofs can fail if the implementation is weak, as shown by the EU app hack in April.
Perhaps fearful of a public backlash, policymakers pushing for under-16 social media bans are starting to examine more secure, privacy-focused alternatives.
One solution is age tokens – digital credentials secured by advanced cryptography to prove a person meets an age threshold without sharing their actual date of birth or identity.
All people need to do is verify their age once through a trusted provider and receive a reusable digital token, typically stored in a digital wallet on their device, which can then be presented whenever proof of age is needed.
An industry moving fast
As territories such as the UK introduce age bans on social media – often working towards tight deadlines – age verification companies have been heavily investing in these tokens.
Yoti, used by Meta, OnlyFans, and Sony PlayStation, has already processed more than a billion age checks and is now working on reusable age credentials.
OpenAge, also backed by Meta, is attempting to build broad interoperable ecosystems around reusable age keys that work across multiple platforms.
But behind the commercial momentum, security researchers and privacy specialists are raising concerns about what these systems actually do with user data – and whether their privacy benefits are as robust as vendors claim.
The surveillance problem
In a widely shared post on X, a user by the name of Potato Ruster posted that the public was being misled by the language surrounding backend token systems.
“A cryptographic token isn’t a magic, anonymous poker chip,” the post claimed.
“To work, a token has to be anchored to something verified.”
If tokens are linked to a person's device, mobile contract, or digital identity, and a central third-party provider is involved each time they are used, a record of where users move across the internet could be created, the poster claims.
"It's a digital passport that tracks an adult's every move across the internet."
Kwangyun Keum, a red-team specialist who stress-tests age-verification systems for a major social media platform, says the claim is well-founded.
The key question, he explains, is whether the issuer remains involved after a credential is issued. In some systems, a central provider participates in every age check – potentially logging a user's activity across multiple platforms.
"A breach would expose cross-platform activities." – Kwangyun Keum, red-team specialist.
The ideal setup, according to Keum, is that the provider verifies age once, issues a credential stored on the user's device, and plays no further role. Future checks then take place without the issuer ever seeing where the credential is used.
What is a zero-knowledge proof – and does it solve this?
The technology most often cited as the answer is zero-knowledge proof (ZKP). Rather than reveal a person's name, exact age, or identity document, it allows them to prove a single fact: that they are above the required age threshold.
The website receives a simple yes or no, without learning anything else.
"It can prove 'over 16' while revealing nothing else," explains Richard Kersey, founder of invite-only social platform Chirpper, which is designed to fight bot farms.
"Not your name, not your birth date, and crucially, without letting different sites link your visits together."
In theory, that is a genuine privacy advance. In practice, Kersey warns, the architecture is only as good as the decisions made around it. Who issues the credential? Who controls the wallet? Who sees the verification requests? Who keeps the logs?
"'Token-based' on its own tells you almost nothing until you know what it's anchored to and what gets logged." – Richard Kersey, Chirpper founder.
"A backend token sounds less intrusive than uploading your face or your credit card – but that's mostly marketing."
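The two architectures Keum contrasts (issuer consulted on every check versus issue-once-verify-offline) and Kersey's point about cross-site linking, as an added constructed model that is not any vendor's or the EU app's code; it uses toy Schnorr signatures over a small prime group so it runs with the standard library alone, and the class and function names are assumptions for illustration.

```python
"""Constructed toy model of the two age-token designs discussed above (not any
vendor's or the EU app's code). Toy Schnorr signatures over a small prime group: NOT secure."""
import hashlib, secrets
from collections import defaultdict

P = 2**127 - 1   # toy modulus (a Mersenne prime); real systems use standard curves
Q = P - 1        # exponent modulus: ord(G) divides P-1, so mod-Q exponents are valid
G = 3

def _h(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * x) % Q
def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(y, _h(r, msg), P) % P

class OnlineIssuer:
    """Design A: the issuer is consulted on every check, so its log is a cross-platform trail."""
    def __init__(self):
        self.tokens, self.log = {}, defaultdict(list)
    def enrol(self, user, over_16):
        tok = secrets.token_hex(8)
        self.tokens[tok] = (user, over_16)
        return tok
    def check(self, tok, site):
        user, ok = self.tokens[tok]
        self.log[user].append(site)   # this is what a breach of the provider would expose
        return ok

class OfflineIssuer:
    """Design B: sign the claim once; sites verify locally and the issuer sees no usage."""
    def __init__(self):
        self.x, self.pub = keygen()
    def enrol(self, over_16):
        claim = b"over_16" if over_16 else b"under_16"
        return claim, sign(self.x, claim)

def site_check(pub, cred):
    claim, sig = cred              # editing the claim on-device breaks the signature
    return claim == b"over_16" and verify(pub, claim, sig)

def sites_can_link(cred_seen_by_a, cred_seen_by_b):
    """Design B is issuer-blind but still linkable: colluding sites match the reused
    signed token byte for byte. Removing that link is what a real ZKP adds."""
    return cred_seen_by_a == cred_seen_by_b
```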
Breached in 2 minutes
The gap between theory and implementation was made concrete in April, when security researcher Paul Moore hacked into the EU’s age verification app – a process he claims took all of 2 minutes.
The EU is currently the biggest public-sector advocate of cryptographic age verification, describing its system as privacy-preserving, user-friendly, and interoperable with future EU Digital Identity Wallets.
Moore accessed a demo of the app and found that it stored key security settings – PIN and biometric controls – in editable local files. By modifying those files, he reset the app's protections and accessed stored credentials without needing to break the underlying cryptography at all.
A fierce privacy advocate, Telegram co-founder and CEO Pavel Durov weighed in: “Their age verification app was hackable by design – it trusted the device,” he posted on X, calling it “instant game over” from a security standpoint.
The breach illustrated what critics had been warning about: that even a well-designed token architecture fails if the implementation is careless. The cryptography was sound, but the system around it wasn’t.
Writing about the implementation of ZKPs, Potato Rustler points out that, if a system relies on a database during setup, “It's just a prettier digital passport. It’s like changing the lock on your door but giving the gov a master key anyway.”
The right questions aren’t being asked
Genuine privacy-preserving age tokens do exist, but Kersey fears that these are the type that won’t be designed by governments in a hurry to deliver on an age-gated internet.
“What’s in danger of being built is a version that binds a real identity to a device, and that version is an identity honeypot,” he says.
Without clearer regulatory requirements for issuance, logging, and data retention, critics say the label "token-based" offers people little real protection, and there’s a danger that systems are being built that don’t truly protect users – they just shift surveillance to a less visible place.