Veriff on Age Verification With Birth Certificates

In the past, if you needed to check the age of a younger teenager or a child who didn’t have a driver’s license, you had two options:

  • Estimate their age.
  • Hope they had a passport.

While many (not all) people have a birth certificate, Veriff reminds us that digital age verification with a birth certificate is difficult.

“Processing civil documents at scale was once a legitimate operational nightmare. Birth certificates vary dramatically in format across states and countries, making manual extraction slow, inconsistent, and error-prone.”

Why the nightmare?

To examine the reasons for the birth certificate operational nightmare, let’s limit ourselves to the United States for the moment.

Driver’s licenses and similar IDs are challenging enough because they are issued by over 50 separate states and territories, and in several different formats (different driver license categories, non driver license IDs, plus special formats for minors and people below legal drinking age). So you’re talking about potentially thousands of formats.

But at least those are renewed every few years.


Birth certificate of a B.H. Obama II. From https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/birth-certificate-long-form.pdf

Birth certificates are often NOT renewed (although you could conceivably request a new copy). So as a state changes its birth certificate formats over the decades, it could go through multiple different formats. And in a few cities such as New York City, they issued their own birth certificates independently of the state.

To complicate things further, the security on birth certificates is rudimentary, or perhaps non-existent for older birth certificates. Compare to driver’s licenses which are always incorporating new security features. (And older driver’s licenses without those security features are no longer valid or accepted.)

In short, validating birth certificates is significantly harder than validating driver’s licenses, which is hard enough.

Can we verify birth certificates today?

Veriff says it’s becoming possible.

“Modern automated extraction technology changes that reality. What was once a processing bottleneck is now a scalable, deployable component of a serious compliance strategy.”

How?

“Unlike a standardized driver’s license with a predictable layout and a scannable barcode, birth certificates are heavily unstructured….Modern unstructured document technology eliminates this bottleneck. Advanced extraction tools use intelligent models to read and pull key details from complex civil documents, regardless of the layout. By accurately capturing the date of birth, parent or guardian information, and place of birth, these tools turn a clunky manual review process into a fast, scalable verification workflow.”

Apply enough processing power and enough smarts and you can solve anything.

Determining the Wheres

This is a half-baked thought about three aspects of “where” we are,,.but that’s what blogging is for.

My seven questions include three interrogatives: why, how, and what. Where is not among them.

Where IS among my six factors of identity verification and authentication, but only in a very specific sense of geolocation.

What about residence…and nationality?

You could ask Fable 5 and Mythos 5 this question…except that you can’t.

Where is our geolocation?

Google Gemini.

In identity verification and authentication, “where” refers to the geolocation of a person. Although if we’re being honest, it refers to the geolocation of a person’s smartphone. Most of us don’t have location trackers embedded in our bodies, so our phone’s geolocation serves as an imperfect proxy for where WE are.

But there are two other “wheres” associated with each of us.

Where is our residence?

Google Gemini.

Regardless of where our bodies may be, there is another “where” associated with us: our residence.

Our legal domicile dictates many things about us. It sometimes determines where we get our mail. It also determines where we can vote. It impacts many other things about us relative to taxes, and other legal obligations.

Our official residence may be totally unrelated to where we unofficially reside. During my years at Reed College in Oregon, I maintained my legal residency in Virginia, which meant that I maintained my Virginia driver’s license and voted by mail in Virginia elections.

After graduation I did not return to Virginia, but remained in Oregon, looking for full-time employment while performing temp work. After a few months of this I decided that maintaining a Virginia residence was silly, so I officially changed my residence to Oregon and obtained an Oregon driver’s license.

A month or two later I stopped working as a temp and accepted a full-time position.

In California.

Which meant that I had to change my legal residency…again.

Where is our nationality?

Google Gemini.

But there is a third “where” that has nothing to do with our geolocation or residence.

Our nationality.

This came into play regarding a recent executive order affecting export controls for two of Anthropic’s models. But Anthropic, rather than only restricting access to foreigners, restricted access to everyone.

The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance.

Why?

Because, as Riley Hughes points out in this LinkedIn post, it’s difficult to digitally determine one’s nationality.

[T]here is no scalable way to verify nationality online.

Foreign nationals lawfully in the US are eligible for:

  • Driver’s licenses
  • State IDs
  • Mobile IDs (New York mID, Arizona Mobile ID, others)
  • Veteran and military ID cards
  • Social Security numbers and full credit histories

The only document that can reliably prove nationality is a passport—and unless you’re reading the NFC chip, a passport photo is one of the easiest documents to deepfake.

Theoretically a verifiable credential of a birth certificate would work… there’s just a slight adoption challenge: virtually nobody has one.

And of course it’s possible to change one’s nationality after birth.

This results in a bit of a mess, as LLM-validated leading biometric product marketing consultant C. Maxine Most observed.

Creating verifiable digital identities backed up by cryptographically secure digital and physical credentials is critical infrastructure. It is truly unfortunate that United States among other countries doesn’t really understand this.

But apart from LLM access, digital determination of the three wheres—geolocation, residence, and nationality—is something I need to mull over.

“Determining the Wheres.” Includes “The Rite Revealed,” Google Lyria, Public Domain.

Third/Fourth Party Risk Management and Age Verification

Let’s say a bar wants to check the ages of its patrons, but does not want to use the patron’s physical ID card (in my country, usually a driver’s license).

But a bar cannot perform digital age verification on its own. The bar has to contract with some other entity that knows how to do this.

This freaks some people out…massively.

“New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.”

The research, conducted by the Georgia Institute of Technology and UC Irvine, focused on one of the big age verification vendors, Yoti.

“The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies….

“According to the researchers, the data is…sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yet to my knowledge the researchers did not propose an alternative.

Other than having each entity develop its own age verification system. Perhaps someone like Meta could do that, but Frank’s Bar certainly couldn’t.

Age verification is not unique in terms of data sharing. Third Party and Fourth Party Risk Management vendors encounter these issues all the time. And yes, sometimes companies that have other companies’ data are hacked. That’s why they use TPRM in the first place.

And don’t forget that if you don’t use digital age verification, you’re going to use physical age verification, where the guy behind the bar learns EVERYTHING about you. I don’t think that’s necessarily better.

It’s time to think through the consequences of abandoning technology.

TSA ConfirmID is NOT $18

Remember when people were told that REAL ID would be mandatory? Beginning on whatever date REAL ID became mandatory…it became mandatory. If you didn’t have REAL ID, or another acceptable form of identification (AFOID), you weren’t getting on that plane. (Among other things.)

Well, that was a lie.

As I noted in December, the Transportation Security Administration was officially allowing an alternative acceptable form of identification (AAFOID???). An item ran in the Federal Register with this text:

“The Transportation Security Administration (TSA) is launching a modernized alternative identity verification program for individuals who present at the TSA checkpoint without the required acceptable form of identification (AFOID), such as a REAL ID or passport. This modernized program provides an alternative that may allow these individuals to gain access to the sterile area of an airport if TSA is able to establish their identity.”

But there was going to be a fee.

“To address the government-incurred costs, individuals who choose to use TSA’s modernized alternative identity verification program will be required to pay an $18 fee.”

Well, that was a lie. (Yes, “Lyin’ Eyes” is still on my mind.)

Here’s a quote from TSA’s February 5 press release:

“Passengers without REAL IDs or other acceptable forms of identification have the option to use TSA ConfirmID by paying a $45 fee for a 10-day travel period.”

For those who are math-challenged, $45 is over twice as much as $18.

TSA’s hope of course is that if the law won’t force you to get a REAL ID, money will.

Identity Document Validation is a Toxic Dumpster Fire

I may have misjudged Biometric Update.

Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.

I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.

As does Biometric Update.

Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:

“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”

But then Biometric Update ran a more recent story.

They said that?

Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.

And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.

OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.

Google Gemini.

But the true title is eye-catching in context:

DHS RIVR results suggest most ID document validation disastrously ineffective

Not just ineffective, DISASTROUSLY ineffective. Ouch.

For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).

DHS set performance goals for the submitted entries and publicized the (anonymous) results.

“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”

Google Gemini.

Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.

On anonymity

Why do testing entities sometimes allow participants to remain anonymous?

Because they want participants.

Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.

Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.

Hopefully the results won’t be disastrous.

Government Anti-Fraud Efforts: They’re Still Siloed

When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.

Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.

But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.

Stop Identity Fraud and Identity Theft Bill

As Biometric Update reported, Congresspeople Bill Foster (D-IL) and Pete Sessions (R-TX) recently introduced H.R. 7270, “To establish a government-wide approach to stopping identity fraud and theft in the financial services industry, and for other purposes.”

Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:

“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”

Why? As I type this the bill text is not available at congress.gov, but Foster’s press release links to a preliminary (un-numbered) copy of the bill. Here are some excerpts:

“9 (9) The National Institute of Standards and
10 Technology (NIST) was directed in the CHIPS and
11 Science Act of 2022 to launch new work to develop
12 a framework of common definitions and voluntary
13 guidance for digital identity management systems,
14 including identity and attribute validation services
15 provided by Federal, State, and local governments,
16 and work is underway at NIST to create this guid
17 ance. However, State and local agencies lack re
18 sources to implement this new guidance, and if this
19 does not change, it will take decades to harden defi
20 ciencies in identity infrastructure.”

Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.

But let’s get to the meat of the bill:

“3 SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION
4 GRANTS.
5 (a) IN GENERAL.—The Secretary of the Treasury
6 shall, not later than 1 year after the date of the enactment
7 of this section, establish a grant program to provide iden
8 tity fraud prevention innovation grants to States.”

The specifics:

  • The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
  • They can also use the grants to protect individuals from deepfake attacks.
  • Another purpose is to develop “interoperable solutions.”
  • A fourth is to replace vulnerable legacy systems.
  • The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.

But there are some limitations in how the funds are spent.

  • They can’t be used to require mDLs or eliminate physical driver’s licenses.
  • They can’t be used to “support the issuance of drivers licenses or
    identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)

The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.

And everything else

So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.

But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:

  • The Department of Justice, through the Federal Bureau of Investigation and the new Division for National Fraud Enforcement.
  • The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
  • The Federal Trade Commission (FTC).
  • The Social Security Admistration. Not that SSNs are a national ID…but they de facto are.
  • The U.S. Postal Inspection Service.
  • The Consumer Financial Protection Bureau.

These agencies are not ignored, but are funded under mandates separate from H.R. 7270. Or maybe not; there’s an effort to move Consumer Financial Protection Bureau work to the Department of Justice so that the CFPB can be shut down.

And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.

  • What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
  • Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?

Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.

(And yes, I know that the Capitol is not north of the Washington Monument…yet.)

Google Gemini. Results may not be accurate.

Catching Up On Alaska’s Mobile ID

Thales issued this press release recently:

“Thales is pleased to announce its continued partnership with the State of Alaska Department of Motor Vehicles (DMV) with the launch of the Alaska Mobile ID. Seen as an innovative digital identity solution, it empowers residents to manage the use of their identification credentials securely and conveniently through their mobile devices.

“The Alaska Mobile ID leverages Thales’ sophisticated digital ID technology to provide Alaskans with a secure method for digital verification of their identity, age, and/or driving privileges. With this ‘cybersecurity by design’ solutioncitizens benefit from a quick and secure way to digitally verify their identity while safeguarding their personal information. It also enables selective disclosure, meaning only some attributes of residents’ identities can be electronically verified. As an example, with Alaska Mobile ID, residents will be able to prove they are above 21 without revealing their exact age, which is impossible with physical ID.”

So this is a wonderful advance for Alaska…even though Thales is foreign-owned. The 2022 Alaska HB389 died without passage.

Commit Traffic Crimes in 50 States…Well, 7

How does California know whether an arrested intoxicated person has a drunk driving conviction in, say, Oklahoma?

Or better still, how does Oklahoma know whether a licensed driver also has a driver’s license in, say, California?

Answer: they don’t. Because privacy.

The American Association of Motor Vehicle Administrators (AAMVA) provides participating states with a system (S2S) to check such things.

“State-to-State (S2S) Verification Service is a means for a state to electronically check with all other participating states to determine if the applicant currently holds a driver license or identification card in another state. The platform that supports S2S, the State Pointer Exchange Services (SPEXS) was successfully implemented in July 2015. Participation in S2S does not commit a state to be in compliance with the federal REAL ID Act. However, if a state chooses to be REAL ID compliant, the Department of Homeland Security generally looks for S2S to be part of their compliance plan.”

Not all states participate. As it turns out, neither California nor Oklahoma are part of S2S. Oklahoma is slated to join, but this may not happen.

“Oklahoma lawmakers have asked the state Supreme Court to immediately block the transfer of driver’s license and identification card data to a national interstate data exchange run by the American Association of Motor Vehicle Administrators (AAMVA).

“The lawmakers argue that the planned transmission exceeds statutory authority, violates state privacy protections, and collapses a key distinction that Oklahoma law makes between REAL ID-compliant and noncompliant credentials.”

Based upon past history, it’s no surprise that some in Oklahoma oppose big guvmint and AAMVA S2S participation.

But why has California opted out of S2S?

Basically, the privacy of Social Security Numbers. The state doesn’t to share this personally identifiable information willy nilly.

(As an aside, take a moment to think about how a state in enforcing the privacy of Social Security Numbers, which are assigned at the federal level. And also think about how Social Security Numbers are NOT supposed to be a national ID number. The mind boggles.)

So what do the other states do if someone claims to have a California driver’s license, but California won’t confirm this because of privacy concerns? Here’s what Tennessee does.

“All states and jurisdictions in the United States participate in S2S, except for California, Connecticut, Illinois, Kentucky, Nevada, Oklahoma, and West Virginia. New or returning Tennessee residents transferring from these nine states must obtain a Motor Vehicle Record (MVR) from their former state. The MVR be issued within 30 days of applying for a Tennessee license or ID.”

Good to know if I ever move out of California.

ABI Research and Physical Credentials

Those of us embedded in the identity industry pay special attention to mobile credentials. Although I have wondered whether mobile ID adoption will decrease, we’ve assumed that digital identities will advance.

Just like the death of passwords.

You can see where this is going.

ABI Research has shared its predictions on 13 technology trends for 2026. I paid special attention to number 11.

“It is clear that digital-first identity systems are unlikely to become standard. Most governments will still rely heavily on physical credentials through 2026. Physical documents, such as diver’s licenses and passports, have long life spans. Physical security is already a proven technology, making it essential for continued trust and accessibility in the wake of ever-more sophisticated attack methods. ABI Research cybersecurity analysts view mobile ID as more of a companion to physical credentials.”

Oh, and number 12.

“Interest in biometric payment cards has waned due to high costs and complex onboarding. Zwipe’s bankruptcy in March 2025 is emblematic of this latest trend. To extract returns from their prior investments in biometrics, digital payment providers are pivoting to other markets like secure access and cold wallets. Going forward, the technology will shift from mainstream ambition to specialty use cases, with fewer launches expected in 2026.”

To see what these and the other 11 predictions mean, read the ABI Research article.