
Red teamers warn that Discord’s push toward stricter safety controls is colliding with a familiar truth: when platforms build barriers, users look for ways around them, and attackers look for ways in.
As Nic Adams, CEO of 0rcus, a specialist in non-attributable operations and offensive system design, warns: “Every platform adopting mandatory age verification is building a centralized identity honey pot. It’s not a question of if these systems get targeted again, but when.”
His comments follow Discord’s Monday announcement that it would begin rolling out “teen-by-default” settings in March, part of a global safety push that will require adults to prove their age to access sensitive content and adult-only spaces.
The instant messaging and Voice-over-IP app, which boasts over 200 million monthly active users, said verification would be done through facial age estimation or government-issued ID checks.
And yet the move comes after a breach last autumn tied to one of Discord’s third-party age-verification vendors, which exposed the risks of outsourcing identity checks and sparked a renewed debate over whether age-verification systems introduce a new attack surface.
How age verification works, and what Discord is choosing
There are three primary methods platforms use to verify age: document checks paired with selfies, AI-based age estimation, and database or card-based verification. In simple terms, each method sits on a spectrum:
- ID and selfie: highest security, lowest privacy (data stored), moderate convenience.
- AI estimation: high security, high privacy (no ID stored), highest convenience.
- Database/card checks: moderate-to-high security, moderate privacy, high convenience.
According to Ricardo Amper, founder and CEO of digital identity company Incode Technologies, age estimation is often used as a lightweight “routing layer,” allowing users clearly above an age threshold to proceed with minimal friction, while those near the boundary are pushed into stronger verification.
Full verification — validating a document, matching it to the person, and confirming the interaction is genuine — becomes the higher-assurance path.
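As an added illustration of the routing-layer idea described above (example code written for this edit, not Incode's, Discord's or any vendor's logic), the block below treats an age estimator's output as an estimate plus an uncertainty and routes each user to a frictionless pass, a teen-default outcome, or a step-up document check depending on how likely they are to fall under the threshold. The 18-year boundary, the Gaussian error model, the 1% risk tolerance and the function names (`route`, `step_up_share`) are assumptions chosen for illustration; the cohort helper shows the friction cost a given risk tolerance imposes.

```python
import math

# Assumed parameters for this illustration, not Discord's or Incode's settings.
ADULT_THRESHOLD = 18.0   # age boundary the routing layer must decide against
MAX_RISK = 0.01          # tolerated probability of routing a minor as an adult


def p_under_threshold(estimated_age, sigma, threshold=ADULT_THRESHOLD):
    """Probability that the true age is below `threshold`, treating the
    estimator's error as Gaussian with standard deviation `sigma`
    (an assumed error model for illustration)."""
    z = (threshold - estimated_age) / sigma
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def route(estimated_age, sigma, max_risk=MAX_RISK, threshold=ADULT_THRESHOLD):
    """Decide the verification path for one user.

    'pass'    : confidently adult, proceed with no further friction
    'teen'    : confidently under the threshold, apply teen-by-default settings
    'step_up' : too close to the boundary; send to document-based verification
    """
    p_minor = p_under_threshold(estimated_age, sigma, threshold)
    if p_minor <= max_risk:
        return "pass"
    if p_minor >= 1.0 - max_risk:
        return "teen"
    return "step_up"


def step_up_share(estimates, sigma, **kw):
    """Fraction of a cohort pushed to the stronger check: the friction cost of
    a given risk tolerance and estimator accuracy, over sample estimates."""
    routed = [route(age, sigma, **kw) for age in estimates]
    return routed.count("step_up") / len(routed)


if __name__ == "__main__":
    # Constructed sample estimates (years) for a quick look at the behaviour.
    for age, sigma in [(35, 5), (19, 5), (10, 3)]:
        print(age, sigma, route(age, sigma))
    cohort = [5, 12, 16, 18, 20, 30, 45]
    print("step-up share, sigma=3:", step_up_share(cohort, 3.0))
    print("step-up share, sigma=1:", step_up_share(cohort, 1.0))
```

A more accurate estimator (smaller `sigma`) shrinks the band of users sent to the stronger check, which is why vendors pitch estimation as a way to keep friction low for clearly adult users.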
Judging by the press statement Discord issued on Tuesday, the company appears to be leaning heavily on AI inference (estimation). It said the “vast majority” of people will not be asked to complete facial scans or upload ID, and that it can “confirm your age group using information we already have.”
The platform stated that it uses “an advanced machine learning model… based on patterns of user behavior and several other signals associated with their account,” only prompting users for additional verification when confidence is low.
Facial scans, Discord added, “never leave your device,” while IDs are used to determine age and then deleted. The company stressed it only receives a user’s age, not their identity.
But reliance on behavioral inference raises questions about effectiveness and privacy.
Workarounds: from trivial spoofing to organized bypasses
Security researchers say age verification systems are often built for compliance rather than adversarial resistance.
Kwangyun Keum, an offensive security engineer specializing in privacy and adversary simulation (with experience on several youth-skewing platforms), said many implementations assume rule-abiding users rather than determined ones.
“From an attacker’s perspective, I think these age verification systems are more compliance driven, but not really adversary resistant,” he said.
“The threat model… assumes the adversaries are just casual underage users who will follow the rules. But in the real world, that's not the case… the target here… are determined teenagers who are curious and who have access to the internet to various forums where there are a lot of bypass techniques," Keum added.
Discord confirmed this month that it was using k-ID, a Singapore-headquartered start-up founded in 2023 by a team with experience at tech companies such as Google, Meta, and Tencent, for facial age estimation or ID checks.
Adams is blunt about the efficacy of such estimation tools.
“Facial age estimation is trivially defeatable. Kids have been spoofing these systems since they first rolled out. A ‘still’ photo held to a camera, an older sibling’s face, or a $5 app that modifies perceived facial structure all clear the check.”
Many digital identity and age verification services, however, would contend that using a still photo to bypass a check no longer works, thanks to advances in ‘liveness’ technology.
Liveness detection uses AI and machine learning to analyze biometric inputs for signs of life that are difficult to replicate, such as skin texture, blood flow, 3D depth, and micro-movements. Such systems also require real-time user interactions, such as blinking, smiling, or turning the head.
Tools like Yoti’s MyFace — which is not currently being used by Discord — have passed ISO/IEC standards for liveness checks. CEO Robin Tombs argues that age assurance can be done "highly effectively ... stopping fraudsters from reusing photos, stealing identities, accessing funds and creating fake accounts at scale."
And yet even advances in AI have not stopped canny Aussie teens from finding ways of bypassing social media age restrictions — and that was before the country's stricter rules were introduced towards the end of last year. A study by Australia’s eSafety Commission found that 80% of children under 13 regularly bypass social media age restrictions, and 95% of under-16s had used at least one major platform, underscoring how easily determined young users already navigate existing safeguards.
Garry's Mod, Sib’s ID, VPNs…and other bypass techniques
Keum outlined multiple technical and non-technical bypass methods. The simplest fall under what security professionals call “presentation attacks,” where a fake identity is shown to a camera.
One example circulating online is the “Garry's Mod” bypass, in which users display a highly realistic game character performing facial movements in response to prompts.
“They simply show the Discord age verification video to their PC screen of the game… change the expression of their game characters… and because they have really high pixels, Garry's Mod is a really well-known famous bypass that still works."
Other workarounds require little technical skill: scrunching your face up to look older (laughable, but apparently still works on some models), using VPNs to access regions where age checks are not enforced, borrowing IDs from older siblings or parents, or buying pre-verified accounts through Telegram groups.
Another low-tech method is purchasing pre-verified accounts created from leaked IDs on the dark web, or from “verification-as-a-service” providers that are mainly based in developing countries, where the rules are more lax.
And, of course, all of the above techniques and more are widely documented on chat forums such as YouTube, TikTok, and yes, Discord itself.
Chris Linnell, associate director of privacy at security firm Bridewell, notes that most of these workarounds typically emerge as soon as systems go live. Verified accounts are also reused or transferred when verification is treated as a one-time hurdle.
“None of this renders age verification ineffective,” Linnell says.
“But it reinforces that these systems are about raising the barrier to access, not eliminating misuse entirely.”
Adams pointed to another dimension: behavioral inference.
“Discord’s ‘age inference model’… is behavioral analysis on account tenure and activity patterns,” he says.
“Any kid who’s had an account for over one year sails through without being prompted.”
Even when bypasses are not attempted, biometric and document checks are far from perfect. According to Nik Kale, principal engineer at Cisco, biometric age estimation is fundamentally probabilistic.
“These systems work reasonably well at the population level but struggle at the edges: younger-looking adults get flagged, older-looking minors pass through,” he notes.
“The uncomfortable truth is that biometric age verification gives platforms plausible deniability more than it gives them actual certainty. It lets a platform say ‘we checked’ without being able to guarantee ‘we know’,” he adds.
Age verification as an attack surface
As age checks expand, security experts warn they are also creating new opportunities for attackers.
In October 2025, Discord’s third-party vendor 5CA was breached, compromising 70,000 government ID photos submitted for verification. The incident exposed the risks of supply-chain security and the handling of highly sensitive personal data.
Keum confirms that third-party vendors are often the weakest link.
“The security focus is on Discord itself and not on the vendors… so if they get compromised, it means that data that they're storing gets compromised as well,” he says, noting the risk of supply-chain attacks and poor account-to-ID binding.
Adams argues the scale of Discord’s upcoming deployment increases the stakes.
“You’re scaling the same architecture that already failed, to 200x the volume,” he says, referring to the upcoming rollout across hundreds of millions of users.
As age detection scales and integrates more deeply into user profiles, the honeypot risk increases significantly, warns Fraser Edwards, co-founder and CEO of identity network vendor cheqd.
“Linking legal identity to detailed behavioral data materially raises breach impact, and that structural risk hasn’t really been unpacked yet.
“We’ve seen with breaches like Coupang in South Korea how large-scale identity exposure can escalate into national-level fallout, regulatory fines, and long-term trust damage.”
The impact of attackers gaining access to ID and passport data could be severe — from identity theft to long-term surveillance and fraud.
Nik Kale, a principal engineer at Cisco, emphasizes the permanence of biometric compromise.
“A breached password can be reset. A breached faceprint is compromised forever – you can’t rotate your face.”
Making age verification stronger
Security experts say the solution is not abandoning age checks, but redesigning them.
According to Keum, stress testing should begin with gathering all known bypass techniques and ensuring they fail – the “Priority 0” items.
From there, systems should be tested for rate limits (whether one ID can verify multiple accounts), client-side manipulation, and API interception.
“If there is no rate limiting, one leaked ID becomes like a skeleton key,” Keum adds.
The red teamer also emphasized the need for randomness in liveness prompts to prevent pre-recorded deepfakes, and ongoing monitoring of what data is collected and how it informs classification decisions.
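To make two of the stress-test items above concrete, here is an added example (written for this edit; not Discord's, k-ID's or any vendor's code) of server-side logic covering the per-document rate limit Keum describes and the randomized, single-use liveness prompts he and the liveness vendors mention: each verified document is bound to a bounded number of accounts so that one leaked ID cannot act as a skeleton key, and each liveness challenge is a freshly randomized, time-limited sequence so a pre-recorded clip cannot answer it. The document is stored only as a keyed hash (HMAC under a server-held secret), never in the clear. The class and method names, the pepper value, the action vocabulary, the one-account limit and the 60-second expiry are constructed assumptions; the `performed` argument stands in for what the liveness detector reports having observed.

```python
import hashlib
import hmac
import random
import time

# Constructed parameters for this example; not values from Discord or any vendor.
SERVER_PEPPER = b"example-pepper-keep-outside-the-database"  # assumed secret
MAX_ACCOUNTS_PER_DOCUMENT = 1          # how many accounts one ID may verify
CHALLENGE_TTL_SECONDS = 60             # how long a liveness prompt stays valid
CHALLENGE_ACTIONS = ("blink", "smile", "turn_left", "turn_right", "nod")

_sysrand = random.SystemRandom()       # OS entropy, so prompts are unpredictable


class VerificationService:
    """Server-side state for document-to-account binding and liveness prompts."""

    def __init__(self, pepper=SERVER_PEPPER, max_accounts=MAX_ACCOUNTS_PER_DOCUMENT,
                 ttl=CHALLENGE_TTL_SECONDS):
        self._pepper = pepper
        self._max_accounts = max_accounts
        self._ttl = ttl
        self._doc_to_accounts = {}     # document fingerprint -> set of account ids
        self._challenges = {}          # account id -> (actions, issued_at)

    def document_fingerprint(self, doc_number, issuer):
        # Keyed hash of the document identifier: enough to detect reuse across
        # accounts, but the raw number is never written to storage.
        msg = f"{issuer}:{doc_number}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).hexdigest()

    def bind_document(self, account_id, doc_number, issuer):
        """Return True if this document may verify this account, False once
        the per-document account limit has been reached."""
        fp = self.document_fingerprint(doc_number, issuer)
        accounts = self._doc_to_accounts.setdefault(fp, set())
        if account_id in accounts:
            return True                # re-verifying the same account is fine
        if len(accounts) >= self._max_accounts:
            return False               # the limit that stops a skeleton-key ID
        accounts.add(account_id)
        return True

    def issue_liveness_challenge(self, account_id, n_actions=3, now=None):
        """Issue a fresh random action sequence; replaces any earlier prompt."""
        now = time.time() if now is None else now
        actions = tuple(_sysrand.sample(CHALLENGE_ACTIONS, n_actions))
        self._challenges[account_id] = (actions, now)
        return list(actions)

    def check_liveness_response(self, account_id, performed, now=None):
        """Accept only the exact issued sequence, once, within the TTL."""
        now = time.time() if now is None else now
        issued = self._challenges.pop(account_id, None)   # single use
        if issued is None:
            return False
        actions, issued_at = issued
        if now - issued_at > self._ttl:
            return False
        return tuple(performed) == actions


if __name__ == "__main__":
    svc = VerificationService()
    print(svc.bind_document("acct-1", "X1234567", "XX"))   # True
    print(svc.bind_document("acct-2", "X1234567", "XX"))   # False: same ID, second account
    prompt = svc.issue_liveness_challenge("acct-1")
    print(prompt, svc.check_liveness_response("acct-1", prompt))
```

Because the challenge is popped on first use, a replayed response fails even if it is otherwise perfect, and because the prompt is drawn from OS entropy per session, a clip recorded against an earlier prompt does not match the next one.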
Roger Grimes, CISO advisor at KnowBe4, argues the broader issue is the absence of a consistent global approach.
“The multi-decade-long history of companies storing other personal information… is not a good one. There is no reason to expect age verification data to be treated any differently.”
Grimes calls for “a globally-accepted Internet standard that allows age verification to be achieved without having to share as much personal information as is shared today,” potentially through trusted digital IDs that answer only the key question: whether someone is over a certain age.
Cisco's Nik Kale claims that architectural choices are critical.
“The moment you collect biometric data… you’ve created a dataset that’s far more sensitive than the problem you were trying to solve,” he said, adding that on-device processing is fundamentally different from server-side storage – and that most users lack visibility into which model is being used.
A privacy hornets' nest
Discord’s latest statement, intended to reassure users, also appears to have created new concerns. By saying many adults will not need to verify because of “information we already have,” the company effectively acknowledged the existence of an extensive behavioral profiling system.
According to Adams, that raises deeper questions. The same model that “already knows” a user is an adult also “already knows everything about you” and your behavior on the platform, he said.
“They’re telling users to feel relieved about skipping the ID check, while subtly confirming they've been profiling every action for years.”
“Age verification isn't new surveillance,” Adams adds.
“Rather, it’s the first time they are admitting surveillance already exists.”