On November 12, 2025, a new standard system for verifying the age of online users came into force in Italy (AGCOM Resolution 96/25/CONS). The goal is simple: prove that you are an adult without revealing your identity, in a secure, interoperable and privacy-friendly way.
The technology behind this mechanism is the same as the new EUDI Wallet and uses the OpenID for Verifiable Credential Issuance (OID4VCI) protocol, the most advanced standard for managing verifiable digital attestations.
In this article, we look in simple terms at who does what, how the age verification (Proof of Age) is created, and how it is used to access sites that require age verification.
💻 The services involved
The system works thanks to three main services:
1. eID / Identity Provider (IdP)
This is the service that identifies the user (e.g., SPID, CIE, or other eIDAS systems). It does not provide personal data to the sites, but only a signed token needed to calculate the age.
2. Age Verification Issuer (issuer.ageverification.dev)
This is the service that receives the identity token (eID/IdP), calculates the user's age, and generates the proof of age. Important: It does not store the date of birth and does not expose any personal data.
3. Requesting Service
For example, the official European Commission app, or a website that requires age verification. It only receives the result: "over 18" or another Boolean value.
📜 How to obtain the "Proof of Age"
The "Proof of Age" is a digital certificate that says, for example, that you are over 18, without revealing who you are.
Let's look at the steps using the European Commission app.
Step 1 — Requesting the certificate
The user opens the European Commission app and asks to verify their age.
The flow is:
- The app asks the user to authenticate with an eID/IdP (e.g., SPID).
- Once authenticated, the app sends a signed token to issuer.ageverification.dev (Age Verification Issuer). This token contains only the strictly necessary attributes (no readable personal data).
- The token is used by the Age Verification Issuer to reliably calculate the age.
Step 2 — Verification and Proof of Age Generation
The Age Verification Issuer (issuer.ageverification.dev):
- Receives the signed token from the eIDAS node (via the European Commission app in Step 1).
- Establishes the user's age with certainty, without storing their date of birth.
- Generates a new cryptographic token, in the form of a JWT or mso_mdoc, containing only Boolean attributes, for example:
{
"eu.europa.ec.av.1": {
"age_over_13": true,
"age_over_16": true,
"age_over_18": true,
"age_over_21": false
}
}
These values:
- are digitally signed with the ES256 algorithm (Elliptic Curve Digital Signature Algorithm)
- can be verified by any receiving service
- do not contain personal data
The token is then delivered through a secure OAuth2 Authorization Code flow with PKCE, over channels encrypted with AES-GCM and RSA-OAEP.
Step 3 — Receiving the result
The European Commission app receives the signed token from the Age Verification Issuer (step 2).
If the value age_over_18 is true, the app displays a message such as “Age verified”.
At this point, the user has a valid Proof of Age, ready for use on sites that require adult users.
[Figure: Summary diagram of Step]
📱 How to access sites that require age verification
Once you have obtained Proof of Age, you can use it to access sites that require you to be over 18.
The flow is very simple:
1. The site generates a QR code
When a user accesses a site that requires age verification, the site displays a QR code.
2. The user scans it with the European Commission app.
The app:
- reads the QR code
- creates a locally signed Verifiable Presentation (VP)
- includes only the strictly necessary attribute, for example:
{
"age_over_18": true
}
3. The app sends the VP to the website.
Transmission occurs via a secure HTTPS connection.
4. The site verifies the signature
The site server:
- checks the ES256 signature
- verifies the validity of the issuer's public key
- confirms that the proof is authentic and unaltered
- verifies the age
If everything is valid, access is authorized.
The site never knows the user's name, surname, date of birth, SPID, or other personal data.
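The server-side checks from step 4, as an added example (not code from the article or from the Age Verification project). It assumes the proof arrives as a plain compact JWT carrying the `eu.europa.ec.av.1` attributes and that the site already trusts the issuer's public key; `issueProof`, `withClaims` and the key pair are constructed here so the example runs offline.

```javascript
const crypto = require("node:crypto");

const NAMESPACE = "eu.europa.ec.av.1"; // attribute namespace shown in the article
const b64u = (v) => Buffer.from(v).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed demo issuer (hypothetical helper) so the example runs offline.
function issueProof(privateKey, claims) {
  const input = b64u(JSON.stringify({ alg: "ES256", typ: "JWT" })) + "." +
    b64u(JSON.stringify({ [NAMESPACE]: claims }));
  // ES256 in JWS: ECDSA P-256 + SHA-256, signature encoded as raw r||s.
  const sig = crypto.sign("sha256", Buffer.from(input),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return input + "." + sig.toString("base64url");
}

// Site side: true only for an authentic proof whose attribute is boolean true.
// Any parse or signature failure denies access (fail closed).
function verifyProof(token, issuerPublicKey, attribute) {
  try {
    const parts = String(token).split(".");
    if (parts.length !== 3) return false;
    const [h, p, s] = parts;
    // Pin the algorithm: the token must not choose it ("none", HS256, ...).
    if (fromB64u(h).alg !== "ES256") return false;
    const sig = Buffer.from(s, "base64url");
    if (sig.length !== 64) return false;
    const ok = crypto.verify("sha256", Buffer.from(h + "." + p),
      { key: issuerPublicKey, dsaEncoding: "ieee-p1363" }, sig);
    if (!ok) return false;
    const attrs = fromB64u(p)[NAMESPACE];
    return typeof attrs === "object" && attrs !== null && attrs[attribute] === true;
  } catch {
    return false;
  }
}

// Replaces the payload claims but keeps the original signature (tamper test).
function withClaims(token, claims) {
  const [h, , s] = token.split(".");
  return [h, b64u(JSON.stringify({ [NAMESPACE]: claims })), s].join(".");
}

// Constructed sample data: throwaway key pair and the article's claim set.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const proof = issueProof(privateKey,
  { age_over_13: true, age_over_16: true, age_over_18: true, age_over_21: false });
console.log(verifyProof(proof, publicKey, "age_over_18")); // true
console.log(verifyProof(withClaims(proof, { age_over_21: true }), publicKey, "age_over_21")); // false
```

The second call shows why the signature check comes before reading any attribute: a payload edited to claim `age_over_21` no longer matches the issuer's signature and is rejected.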
Why this system is a big step forward
- ✔ Complete privacy — No site receives personal information.
- ✔ Standard — It is based on standardized protocols.
- ✔ High security — ES256 digital signature, cryptographic tokens, OAuth2 + PKCE.
- ✔ User control — Only the user decides when to share the proof.
- ✔ Interoperability — Based on EUDI Wallet protocols.
Conclusion
The new age verification finally allows you to prove you are an adult without sacrificing privacy. Thanks to signed tokens, verifiable attestations, and advanced security protocols, users can access online services simply, securely, and respectfully.
