Age assurance has moved from a niche technical topic to a board‑level concern almost overnight. Regulators around the world are tightening expectations on how online and offline services prevent under‑age access to harmful or restricted content. The UK’s Online Safety Act, Australia’s Online Safety reforms, and most recently regulatory and legislative developments in Spain all point in the same direction: knowing your user’s age is no longer optional for many services and use cases. Against that backdrop, ISO 27566-1 (ISO/IEC 27566‑1:2025) arrives at a critical moment. Rather than mandating a single technology or approach, the standard provides a shared vocabulary and structured framework for thinking clearly about age assurance systems: what they are, what they are not, and how they should be evaluated across functionality, performance, privacy, security, and user acceptability.

This post breaks down what ISO 27566-1 covers, the key terminology it introduces, and why it matters for anyone building, buying, or regulating age assurance systems.

A noteworthy signal of the importance of this work is how it is being distributed. Unlike most ISO standards, ISO 27566-1 is being made available online for free. That is an uncommon and intentional move, reflecting the broad societal impact of age assurance and the need for regulators, platforms, technology providers, and civil society to align around common definitions and expectations.

What ISO 27566-1 is, and what it isn’t

At its core, ISO 27566-1 establishes a framework for age assurance systems. It defines concepts, actors, system characteristics, and evaluation metrics so that different stakeholders can reason about age assurance in a consistent way.

Just as importantly, the standard is explicit about its boundaries. It does not:

  • Prescribe which age assurance method should be used for a given use case;
  • Set age thresholds (e.g., 13, 16, 18) for any content or service;
  • Mandate performance thresholds or pass/fail criteria;
  • Define a test protocol for certification or regulatory compliance.

Those decisions remain with policy makers and regulators. ISO 27566-1 gives them (and the industry more broadly) a common language to specify requirements clearly, without prematurely locking into specific technologies.

Core terminology: decoding age assurance vocabulary

One of the most valuable contributions of ISO 27566-1 is that it clears up persistent confusion around terminology, notably distinguishing between age assurance, age verification, and age estimation.

Age assurance

Age assurance is the umbrella concept. It refers to the set of processes and methods used to verify, estimate, or infer an individual’s age or age range, enabling an organization to make an age‑related eligibility decision with some degree of certainty.

Crucially, age assurance does not necessarily require full identity verification. Age is treated as an attribute that can sometimes be established independently of a person’s full identity.

Age verification

Age verification determines age by calculating the difference between a verified date (or year) of birth and a reference date. This typically relies on authoritative credentials such as passports, ID cards, or digitally issued equivalents.

From a product perspective, age verification often delivers high certainty, but at the cost of increased friction and higher data sensitivity.

Age estimation

Age estimation uses biological or behavioral characteristics that correlate with age. Examples include facial analysis (like Paravision Age Estimation), voice characteristics, or other human features that vary over time. These approaches often rely on AI‑based analysis.

The standard is careful to note that age estimation does not uniquely identify an individual. That distinction matters for privacy, data minimization, and regulatory classification.

For more information, see An Introduction to Age Estimation.

Age inference

Age inference derives age information indirectly, based on verified facts that imply age. Holding a credit card, possessing a marriage certificate, or meeting other age‑gated prerequisites can allow a system to infer that someone is over (or under) a certain threshold.

Inference trades precision for reduced data exposure, which is a recurring theme in privacy‑preserving system design.

Successive validation

The standard also introduces successive validation, where multiple age assurance methods are applied sequentially. For example, a low‑friction age estimation step might be followed by age verification only when confidence is insufficient.

This layered approach is especially relevant for balancing user experience, cost, and risk.

Stakeholders and roles in an age assurance ecosystem

ISO 27566-1 distinguishes clearly between different actors, each with distinct responsibilities:

  • Policy makers define age‑related eligibility requirements. They may be regulators, governments, or internal governance bodies within an organization.
  • Relying parties make the actual eligibility decision, for example a platform deciding whether to allow access to content.
  • Age assurance providers generate age assurance results on behalf of relying parties, often acting as privacy‑preserving intermediaries.
  • Intermediaries facilitate data exchange, orchestration, or credential validation between parties, often working to support privacy, trust, and interoperability.

This role separation is intentional. It enables modular system design, clearer accountability, and reduced unnecessary data exposure.

Performance characteristics and metrics

Rather than mandating thresholds, the standard defines how performance should be characterized and reported.

Key concepts include:

  • Classification accuracy: the proportion of correct age decisions.
  • False positives and false negatives: granting access incorrectly versus denying access incorrectly.
  • Outcome error parity: consistency of error rates across demographic groups.
  • Efficiency metrics: latency, throughput, scalability, and completion rates.

The absence of fixed thresholds is deliberate. It allows regulators to set context‑specific requirements while keeping vendors and platforms aligned on how results are measured and compared.
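The metrics listed above, computed over a small constructed evaluation sample (added example, not code from the standard or from Paravision): classification accuracy, false positive and false negative rates using the page's definitions (granting incorrectly versus denying incorrectly), completion rate, and outcome error parity reported as the largest gap in error rates between groups. The 18-year threshold, the record layout and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass

THRESHOLD = 18  # constructed: the policy maker's threshold for this example

@dataclass
class Attempt:
    """One logged age assurance attempt (constructed record layout)."""
    true_age: int    # ground truth from the evaluation set
    group: str       # demographic group label used for parity reporting
    completed: bool  # did the user finish the flow?
    granted: bool    # the relying party's decision (ignored if not completed)

# Constructed evaluation sample; not data from the standard or any vendor.
ATTEMPTS = [
    Attempt(25, "A", True, True), Attempt(16, "A", True, False),
    Attempt(17, "A", True, True),   # false positive: under 18 but granted
    Attempt(30, "A", True, True), Attempt(19, "A", True, False),  # false negative
    Attempt(15, "B", True, False), Attempt(22, "B", True, True),
    Attempt(16, "B", True, True), Attempt(16, "B", True, True),   # two false positives
    Attempt(40, "B", False, False),  # abandoned: affects completion rate only
]

def rates(attempts):
    """Classification accuracy, false positive rate and false negative rate.
    FP: access granted below the threshold; FN: access denied at or above it."""
    done = [a for a in attempts if a.completed]
    under = [a for a in done if a.true_age < THRESHOLD]
    over = [a for a in done if a.true_age >= THRESHOLD]
    fp = sum(a.granted for a in under)
    fn = sum(not a.granted for a in over)
    return {
        "accuracy": (len(done) - fp - fn) / len(done) if done else None,
        "fpr": fp / len(under) if under else None,
        "fnr": fn / len(over) if over else None,
    }

def completion_rate(attempts):
    """Share of attempts that reached a decision (an efficiency metric)."""
    return sum(a.completed for a in attempts) / len(attempts)

def error_parity(attempts):
    """Outcome error parity: per-group FPR/FNR and the largest gap between groups."""
    groups = sorted({a.group for a in attempts})
    per_group = {g: rates([a for a in attempts if a.group == g]) for g in groups}
    gaps = {}
    for key in ("fpr", "fnr"):
        vals = [r[key] for r in per_group.values() if r[key] is not None]
        gaps[key] = max(vals) - min(vals) if vals else None
    return per_group, gaps
```

Reporting the per-group rates and the gap separately is what lets a regulator set a context-specific parity requirement without the vendor changing how the numbers are produced.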

Attack vectors and resilience in age assurance systems

A critical contribution of ISO 27566-1 is that it treats age assurance systems as adversarial systems by default. In other words, it assumes that motivated users will attempt to bypass controls, and that systems must be evaluated not only on accuracy, but on their resistance to circumvention.

Biometric presentation attacks

For systems that rely on biometric data for age estimation or age verification, biometric presentation attacks deserve special attention.

A biometric presentation attack occurs when a user presents something other than their live, genuine biometric to the system in order to manipulate the result. Common examples include:

  • Static images or screenshots shown to a camera,
  • Replayed or pre-recorded videos,
  • Masks, prosthetics, or printed artifacts,
  • Digitally injected or manipulated sensor inputs.

Liveness detection as a core control

ISO 27566-1 highlights liveness detection as a foundational mitigation against biometric presentation attacks. Liveness detection (enabled by products like Paravision Liveness and Paravision Deepfake Detection) aims to establish that the biometric sample is being captured from a living person physically present at the point of capture.

The standard recognizes two broad approaches:

  • Passive liveness detection, which analyzes involuntary or contextual signals such as skin texture, blood flow cues, micro-movements, or optical artifacts—without requiring explicit user actions.
  • Active liveness detection, which asks users to perform prompted actions (e.g., blinking, head turns, expressions) that change unpredictably between sessions.

From a product and UX standpoint, this distinction matters. Passive approaches – like those offered by Paravision – tend to reduce friction, while active approaches can increase drop-off and accessibility challenges. 

For more information about liveness and deepfake detection, see An Introduction to Presentation Attack Detection and A Practical Guide to Deepfake Detection.  

Spoofing and counterfeiting beyond biometrics

The standard also distinguishes biometric presentation attacks from other common vectors:

  • Spoofing attacks, where users attempt to influence outcomes by altering appearance (e.g., makeup, facial hair, accessories).
  • Counterfeiting attacks, where non-genuine or unverifiable identity documents are presented during age verification.

ISO 27566-1 does not mandate specific countermeasures, but it requires systems to be designed, tested, and operated with these risks in mind—and to fail safely when confidence cannot be established.

Privacy and data handling: minimizing harm by design

Privacy is a core pillar of ISO 27566-1. The standard emphasizes:

  • Privacy by design and by default;
  • Strict data minimization and purpose limitation;
  • Non‑disclosure of unnecessary age‑related data (e.g., date of birth);
  • Avoidance of expanding an individual’s digital footprint;
  • Clear user awareness through published practice statements.

For many organizations, this reframes the conversation from “How do we prove age?” to “How do we prove age while collecting the least possible information?”

Security and resilience

Age assurance systems are expected to be resistant to replay, spoofing, counterfeiting, and biometric presentation attacks. The standard also requires fail‑safe behavior: when systems fail, they should fail closed, not open.

This aligns closely with regulatory expectations around child safety and fraud prevention, particularly in high‑risk environments.
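A successive validation chain that also fails closed, as an added example covering both the layered approach described earlier and the fail-safe behavior above (not code from the standard or from Paravision): a low-friction estimation step is tried first, near-threshold or low-confidence results escalate to credential-based verification, and any error or exhausted chain results in denial. The confidence heuristic, the user record fields and the ISO date strings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class AgeResult:
    """What one age assurance method returns (constructed shape, not the standard's)."""
    method: str
    over_threshold: Optional[bool]  # None: the method produced no decision
    confidence: float               # 0..1, the method's own confidence

def age_on(dob, reference):
    """Completed years between a date of birth and a reference date."""
    return reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))

def estimate_age(user):
    """Hypothetical low-friction estimation step (e.g. facial age estimation)."""
    est = user.get("estimated_age")
    if est is None:
        raise RuntimeError("estimator unavailable")  # simulated outage
    # Constructed heuristic: confidence grows with distance from the threshold,
    # so near-threshold users are the ones escalated to a stronger method.
    confidence = min(1.0, abs(est - user["threshold"]) / 10)
    return AgeResult("estimation", est >= user["threshold"], confidence)

def verify_age(user):
    """Hypothetical verification step: age from a credential-backed date of birth."""
    dob = user.get("verified_dob")
    if dob is None:
        return AgeResult("verification", None, 0.0)  # no usable credential
    age = age_on(date.fromisoformat(dob), date.fromisoformat(user["reference_date"]))
    return AgeResult("verification", age >= user["threshold"], 1.0)

def successive_validation(user, methods, min_confidence=0.8):
    """Apply methods in order and stop at the first confident decision.
    Errors and no-decision results escalate to the next method; if the chain
    is exhausted without a confident decision, access is denied (fail closed)."""
    trail = []
    for method in methods:
        try:
            r = method(user)
        except Exception as exc:
            trail.append(f"{method.__name__}: error ({exc})")
            continue
        trail.append(f"{r.method}: {r.over_threshold} @ {r.confidence:.2f}")
        if r.over_threshold is not None and r.confidence >= min_confidence:
            return r.over_threshold, trail
    return False, trail
```

The returned trail records which method decided, which is the evidence a relying party needs to show that a denial came from the chain running out, not from an open failure.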

Acceptability and user experience

Finally, ISO 27566-1 recognizes that a system that is accurate but unusable will not succeed. Acceptability covers:

  • Inclusivity across demographics and abilities;
  • Accessibility and cultural sensitivity;
  • User assistance and complaint handling;
  • Minimizing undue barriers to lawful access.

For product leaders, this section reinforces that age assurance should be considered as a core part of the user journey, not simply a compliance checkbox.

Why ISO 27566-1 matters

ISO 27566-1 does something subtle but powerful: it creates a neutral, shared framework in a space that has been fragmented by marketing claims, regulatory uncertainty, and inconsistent terminology.

By clarifying definitions, roles, metrics, and design principles without prescribing technologies or thresholds, it enables better policy, better products, and more constructive conversations between regulators, platforms, and solution providers.

For anyone building, buying, or selling age assurance technology, understanding this standard is quickly becoming table stakes.