Tag Archives: yoti

Third/Fourth Party Risk Management and Age Verification

Let’s say a bar wants to check the ages of its patrons, but does not want to use the patron’s physical ID card (in my country, usually a driver’s license).

But a bar cannot perform digital age verification on its own. The bar has to contract with some other entity that knows how to do this.

This freaks some people out…massively.

“New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.”

The research, conducted by the Georgia Institute of Technology and UC Irvine, focused on one of the big age verification vendors, Yoti.

“The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies….

“According to the researchers, the data is…sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yet to my knowledge the researchers did not propose an alternative.

Other than having each entity develop its own age verification system. Perhaps someone like Meta could do that, but Frank’s Bar certainly couldn’t.

Age verification is not unique in terms of data sharing. Third Party and Fourth Party Risk Management vendors encounter these issues all the time. And yes, sometimes companies that have other companies’ data are hacked. That’s why they use TPRM in the first place.

Image source: GET Group NA, https://apps.apple.com/us/app/get-mobile-verify/id1501552424.

And don’t forget that if you don’t use digital age verification, you’re going to use physical age verification, where the guy behind the bar learns EVERYTHING about you. I don’t think that’s necessarily better.

It’s time to think through the consequences of abandoning technology.

The May 6, 2026 List of PAD 3 Conforming Solutions

Update to the April 2 version. Added Shufti.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
BioIDFaceTüvitAugust 2025 (1) (2)
FaceTecFaceBixeLabOctober 2025
IncodeFaceiBetaFebruary 2026
Oz ForensicsFaceBixeLabMarch 2026
ParavisionFaceIngeniumSeptember 2025
ShuftiFaceiBetaApril 2026
YotiFaceiBetaJanuary 2026

The April 2, 2026 List of PAD 3 Conforming Solutions

Update to the March 25 version. Added BioID.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
BioIDFaceTüvitAugust 2025 (1) (2)
FaceTecFaceBixeLabOctober 2025
IncodeFaceiBetaFebruary 2026
Oz ForensicsFaceBixeLabMarch 2026
ParavisionFaceIngeniumSeptember 2025
YotiFaceiBetaJanuary 2026

I’m slowly finding these vendors. I won’t maintain this list forever, but as long as there are so few Level 3 solutions, I want to highlight them.

Coincidentally, I just reviewed an eBook by one of the vendors listed above, detailing things that you should seek in your liveness detection vendor.

  • The eBook listed several items.
  • To no one’s surprise, this particular vendor provided ALL of these items in its liveness detection solution.
  • Surprisingly, however, the vendor did NOT mention independent confirmation of PAD capabilities.

The March 25, 2026 List of PAD 3 Conforming Solutions

Update to the March 3 version. Added Oz Forensics.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
FaceTecFaceBixeLabOctober 2025
IncodeFaceiBetaFebruary 2026
Oz ForensicsFaceBixeLabMarch 2026
ParavisionFaceIngeniumSeptember 2025
YotiFaceiBetaJanuary 2026

The March 3, 2026 List (Probably Still Inaccurate) of PAD 3 Conforming Solutions

Update to the February 27 version. Added Incode.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
FaceTecFaceBixeLabOctober 2025
IncodeFaceiBetaFebruary 2026
ParavisionFaceIngeniumSeptember 2025
YotiFaceiBetaJanuary 2026

The Latest, Probably Still Inaccurate, List of PAD 3 Conforming Solutions

I remember when I was working in Anaheim and keeping track of the latest BIPA lawsuits, back when you could count them on one hand…then on two hands…then there were too many.

I feel the same way about my previous attempts to track the vendors that offer solutions that conform to ISO 30107-3 Presentation Attack Detection Level 3. I thought I’d found them all, then I’d find another one.

So here’s my current (Friday afternoon) list of the PAD 3 conforming solutions.

VendorModalityConfirming LabLink/Date
AwareFaceBixeLabNovember 2025
FaceTecFaceBixeLabOctober 2025
ParavisionFaceIngeniumSeptember 2025
YotiFaceiBetaJanuary 2026

While Google Gemini informed me that Veridas had also received Level 3 confirmation from iBeta, that turned out to be a hallucination. Veridas realizes the importance of Level 3, though, as do other selected vendors, so I suspect this table will be outdated soon.

Oh, and just to confuse things further, some of the other tests, such as CEN/TS 18099 injection attack detection tests, also may apply in some way to presentation attacks. Or maybe not. We’ll see.

Even More On Presentation Attack Detection Level 3

This morning’s post listed three companies with independently demonstrated conformance to ISO 30107-3 presentation attack detection level 3: Aware, FaceTec, and Yoti.

The independent evaluators were BixeLab and iBeta.

But Ingenium provides PAD level 3 conformance assessments also.

And Ingenium testified to Paravision’s conformance.

So that’s a total of four companies at PAD Level 3: Aware, FaceTec, Paravision, and Yoti.

Who else did I miss?

And I will revisit my earlier question. Will consumers perceive that THEIR data is valuable enough to warrant Level 3 liveness detection? And avoid the solutions with “only” Level 2 conformance?

Four companies (so far) are betting on it.

More On Presentation Attack Detection Level 3

If you needed any confirmation that Presentation Attack Detection Level 2 is so last year, you have it now.

Last month I talked about Yoti achieving confirmation of PAD Level 3 in iBeta testing.

But iBeta isn’t the only entity performing PAD Level 3 testing.

  • FaceTec’s algorithm received PAD Level 3 confirmation from BixeLab in October.
  • Aware received a similar confirmation in November.

Will PAD Level 3 become the new floor for liveness detection? It depends upon your needs. Here’s how Mantra explains the difference between levels 2 and 3.

Level 2 (L2):

More realistic spoofs-high-quality 3D masks, composite fingers, better materials. Harder to detect, but still lab-craft attacks.

Level 3 (L3):

Advanced adversary scenarios-custom molds, hyper-realistic masks, lab-grade fabrication. Represents attackers with serious resources.

The “serious resources” part is key. Fraudsters will only spend “serious resources” if the target is valuable enough.

But will consumers perceive that THEIR data is valuable enough to warrant Level 3 liveness detection? And avoid the solutions with “only” Level 2 conformance?

Three companies (so far) are betting on it.

(Actually four. See my update.)

(And yes, the three hands on the fraudster should have been a giveaway…)

Yoti iBeta Confirmation of Presentation Attack Detection Level 3

We’ve talked about Levels 1 and 2 of iBeta’s confirmation that particular biometric implementations meet the requirements of ISO 30107-3. But now with Yoti’s confirmation, we can talk about iBeta Level 3.

From iBeta:

“The test method was to apply 1 bona fide subject presentation that alternated with 3 artefact presentations such that the presentation of each species consisted of 150 Presentation Attacks (PAs) and 50 bona fide presentations, or until 56 hours had passed per species. The results were displayed for the tester on the device as “Liveness check: Passed” for a successful attempt or “Liveness check: Failed” for an unsuccessful attempt.

“iBeta was not able to gain a liveness classification with the presentation attacks (PAs) on the Apple iPhone 16 Pro. With 150 PAs for each of 3 species, the total number of attacks was 450, and the overall Attack Presentation Classification Error Rate (APCER) was 0%. The Bona Fide Presentation Classification Error Rate (BPCER) was also calculated and may be found in the final report.

“Yoti Limited’s myface12122025 application and supporting backend components were tested by iBeta to the ISO 30107-3 Biometric Presentation Attack Detection Standard and found to be in compliance with Level 3.”

More from Yoti itself.

“Yoti’s MyFace is the first passive, single-selfie liveness technology in the world to conform to iBeta’s Level 3 testing under ISO/IEC 30107-3 – their highest level for liveness checks.”

Also see Biometric Update and UK Tech.

After all, facial age estimation is of no meaning whatsoever if the face is fake. So it was important that Yoti receive this confirmation.

Federal Trade Commission Age Verification (and estimation?) Workshop January 28

A dizzying array of federal government agencies is interested in biometric verification and biometric classification, for example by age (either age verification or age estimation). As Biometric Update announced, we can add the Federal Trade Commission (FTC) to the list with an upcoming age verification workshop.

Rejecting age estimation in 2024

The FTC has a history with this, having rejected a proposed age estimation scheme in 2024.

“Re: Request from Entertainment Software Rating Board, Yoti Ltd., Yoti (USA) Inc., and Kids Web Services Ltd. for Commission Approval of Children’s Online Privacy Protection Rule Parental Consent Method (FTC Matter No. P235402)

“This letter is to inform you that the Federal Trade Commission has reviewed your group’s (“the ESRB group”) application for approval of a proposed verifiable parental consent (“VPC”) method under the Children’s Online Privacy Protection Rule (“COPPA” or “the Rule”). At this time, the Commission declines to approve the method, without prejudice to your refiling the application in the future….

“The ESRB group submitted a proposed VPC method for approval on June 2, 2023. The method involves the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that the user is an adult….The Commission received 354 comments regarding the application. Commenters opposed to the application raised concerns about privacy protections, accuracy, and deepfakes. Those in support of the application wrote that the VPC method is similar to those approved previously and that it had sufficient privacy guardrails….

“The Commission is aware that Yoti submitted a facial age estimation model to the National Institute of Standards and Technology (“NIST”) in September 2023, and Yoti has stated that it anticipates that a report reflecting NIST’s evaluation of the model is forthcoming. The Commission expects that this report will materially assist the Commission, and the public, in better understanding age verification technologies and the ESRB group’s application.”

You can see the current NIST age estimation results on NIST’s “Face Analysis Technology Evaluation (FATE) Age Estimation & Verification” page, not only for Yoti, but for many other vendors including my former employers IDEMIA and Incode.

But the FTC rejection was in 2024. Things may be different now.

Grok.

Revisiting age verification and age estimation in 2026?

The FTC has scheduled an in-person and online age verification workshop on January 28.

  • The in-person event will be at the Constitution Center at 400 7th St SW in Washington DC.
  • Details regarding online attendance will be published on this page in the coming weeks.

“The Age Verification Workshop will bring together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss topics including:  why age verification matters, age verification and estimation tools, navigating the regulatory contours of age verification, how to deploy age verification more widely, and interplay between age verification technologies and the Children’s Online Privacy Protection Act (COPPA Rule).”

Will the participants reconsider age estimation in light of recent test results?