• 4 min read
Incode Keeps Faces Off the Server for Age Checks
Incode’s new age-estimation system analyzes faces locally, sending only an age-check result while servers handle session-integrity signals.

Image: BleepingComputer
More than 30 age-assurance laws are now in force worldwide, making age verification a regulatory requirement rather than an optional feature. The UK is enforcing the Online Safety Act’s “highly effective” age-check rule, with restrictions on under-16 access to social media planned for spring 2027. Australia’s under-16 rules took effect in December, Brazil’s Digital ECA became enforceable in March 2026, and half of U.S. states now require some form of age verification.
Facial age estimation is one of the most accessible approaches because it requires neither government ID nor a database lookup. Incode says users in regulated markets choose it eight out of 10 times over other age-assurance methods. The trade-off has traditionally been sending a person’s face to a server for analysis.
The risks of server-based age estimation
That architecture creates a significant privacy and security liability. The Identity Theft Resource Center recorded 3,322 data compromises in the U.S. last year, a record high and a 79% increase over five years. Supply-chain breaches doubled during the same period, while 63% of consumers expressed serious concern about biometric-data collection.
Incode also reports a sharp increase in “agentic fraud”—attempts carried out with help from AI agents. Across more than 7 billion identity verifications processed on its platform, the company says agentic fraud rose from 3% of attempts in 2024 to 40% in the first quarter of 2026. Incode estimates it will exceed 90% within the next 18 months.
The company argues that a privacy policy is not a security control. A policy can promise deletion and assign responsibility after an incident, but it cannot prevent a breach, insider access, or a compromised vendor. A privacy-by-architecture approach instead aims to ensure sensitive data never becomes accessible in the first place.

Recommended reading
Microsoft Warns of ACR Stealer Attack Surge
On-Device Age Estimation keeps faces local
Last month, Incode Technologies announced a $100 million commitment to privacy-preserving identity infrastructure, alongside its acquisition of Identiq, a company focused on privacy-enhancing cryptographic tools for peer-to-peer anti-fraud collaboration. The funding is intended for on-device processing, privacy-enhancing technology research, engineering, and global expansion.
Launched in July, On-Device Age Estimation runs Incode’s facial age-estimation and passive-liveness models directly on a user’s phone, tablet, or laptop. The liveness check is designed to distinguish a live person from a photo, deepfake, or replayed video. The face is analyzed locally and is neither transmitted nor stored; only the result—whether the user meets a platform’s age threshold—continues to the platform.
Incode reduced both models to roughly one-tenth of their original size using knowledge distillation. That allows them to run in an ordinary browser or app across a broad range of devices without special hardware. If the check cannot be completed, the platform can offer another verification method.
The server still receives session metadata, including when and how the session occurred and details about the device and connection. Incode says this information contains no facial or biometric data, but helps detect injected camera feeds, manipulated devices, and other tampering that local analysis cannot fully rule out.
The company says its security layer achieves 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing. It is used by eight of the top 10 U.S. banks, and Incode says it flagged more than 1 million face attacks in 2026.
Identiq shares fraud signals without pooling data
The second part of the investment targets fraud intelligence. Identiq spent nearly a decade and more than $50 million developing technology that lets organizations share fraud signals without exposing customer data to a third party or creating a central data lake. Integrated into Incode’s platform, the system is projected to reach billions of verifications annually.
“Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers' data?”
Incode says its compliance program includes SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, ACCS, and the Kantara IAL2 Component Services Trust Mark. The company’s stated goal is to make age verification possible without requiring users to surrender their face to a server.
“Privacy and fraud prevention are not a tradeoff, but part of the same problem—solved together or not at all.”
Sponsored and written by Incode. Incode’s On-Device Age Estimation is available at incode.com/privacy.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


