4 min read

Incode says age checks can stay on your device

Incode is pitching on-device age estimation as privacy pressure and age-check laws expand, with facial analysis kept off servers.

Image: BleepingComputer

As age-verification laws spread, Incode Technologies is arguing that platforms no longer need to send users' faces to remote servers to estimate age. In a sponsored post on BleepingComputer, Ricardo Amper, Incode’s founder and CEO, said the company’s new On-Device Age Estimation keeps facial analysis on the user’s phone, tablet, or laptop and only returns whether that person meets a platform’s age threshold.

The backdrop is tightening regulation. The post says more than 30 age assurance laws are now in force worldwide. The UK is enforcing the Online Safety Act’s “highly effective” age-check requirement, with restrictions on under-16 access to social media planned for spring 2027. Australia’s under-16 rules took effect in December, and the government has signaled plans to raise maximum fines to $99 million after early non-compliance. Brazil’s Digital ECA became enforceable in March 2026, while half of U.S. states now require some form of age verification.

Incode positions facial age estimation as a lower-friction option because it does not require a government ID or a database lookup. The company says users choose it eight out of ten times over other age-assurance methods in regulated markets. But it also acknowledges the privacy risk in conventional systems, where a face is captured and sent to a server for processing.

Citing the Identity Theft Resource Center’s 2025 Annual Data Breach Report, the post says the U.S. saw 3,322 data compromises last year, up 79% over five years, while supply-chain breaches doubled in the same period. It also says 63% of consumers have expressed serious concern about biometric data collection.

Recommended reading

Microsoft spots spike in ACR Stealer attacks

What runs on the device

According to Incode, the product runs two models locally: facial age estimation and passive liveness detection, meant to confirm a real person is in front of the camera rather than a photo, deepfake, or replayed clip. The face is not transmitted or stored, the company says.

To make that work on ordinary hardware, Incode says it compressed both models to about one-tenth of their original size using knowledge distillation. The company says the software runs in a standard browser or app without special hardware.

Some data still goes to Incode’s servers, but the company says that is limited to session metadata used to spot tampering, injected camera feeds, and manipulated devices. It says that layer contains no facial or biometric information.

Incode also claims its security layer delivers 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing. The company says those anti-impersonation systems are trusted by eight of the top ten U.S. banks and have flagged more than 1 million face attacks across its platform in 2026.

$100 million push and the Identiq acquisition

The launch follows a $100 million commitment Incode announced last month for privacy-preserving identity infrastructure, alongside its acquisition of Identiq, which develops cryptographic tools for peer-to-peer anti-fraud collaboration. Incode says the funding will support on-device processing, privacy-focused R&D, engineering expansion, and its global footprint.

The company says Identiq’s technology, built over nearly a decade with more than $50 million invested, allows organizations to share fraud signals without pooling customer data in central repositories.

“Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers' data,” said Itay Levy, Co-Founder and CEO of Identiq. “Identiq built the answer to that very question. As part of Incode, that answer is now available to every organization that deals with massive amounts of user data.”

Itay Levy, Co-Founder and CEO of Identiq

Amper framed the rollout as part of a broader push to meet compliance demands without expanding biometric exposure. The company points to certifications and programs including SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, the Age Check Certification Scheme (ACCS), and the Kantara IAL2 Component Services Trust Mark, along with more than 7 billion trust checks processed.

“We have always believed that privacy and fraud prevention are not a tradeoff, but part of the same problem — solved together or not at all,” said Ricardo Amper, Founder and CEO of Incode. “Age checks are becoming law around the world. Our job is to do what we can so that proving your age asks as little of the user as possible.”

Ricardo Amper, Founder and CEO of Incode
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading