Will Xbox's age verification system avoid Discord's security pitfalls? We investigate

As everyone predicted, the UK's dumb age verification laws are a total farce.

Designed in attempts to "protect children," the UK's now notorious age verification laws are supposedly designed to prevent underaged users from accessing adult content. In practice, they've unleashed a multi-pronged privacy nightmare. Major websites like Imgur are now blocked entirely in the UK, reducing the functionality of sites like reddit and Steam. And furthermore, the laws aren't even able to "protect muh kids" because free VPNs exist.

But, it is the law, for better or worse (worse). It also represents something of a trend across the world, as various U.S. states and other countries have either already adopted age verification systems, or are exploring it. As such, major players like Microsoft are scrambling to accommodate the legislation for Xbox and its other platforms, utilizing a variety of third-party services to make it work. At least, make it work in theory.

Over the past few weeks, it emerged that Discord, one of the earliest tech companies to implement these types of laws, was hacked. It failed to protect the data of users utilizing its age verification services. Indeed, Discord's third-party processor was hacked, and government IDs and selfies of users trying to get support were leaked to the public domain. It's almost as if anyone with a brain said something like this would happen.

I couldn't help but wonder what would stop Xbox running short of a situation like this, given that Xbox too, is planning to use a third-party company to handle its age verification systems. So, I thought I'd reach out and see how Xbox plans to handle things.

Microsoft is using a third-party company called Yoti for its age verification systems on Xbox, a company that is also leveraged by the UK government, sites like OnlyFans, as well as PlayStation.

The way Yoti and other similar platforms work generally revolves either around scanning a government ID, or using your device's camera to estimate the user's age. The "age estimation" via camera was notoriously beaten by Death Stranding's photo mode, but companies are always iterating on workarounds.

I already verified my Xbox account's age using the system, and found it to be quick and painless. You can verify your Xbox account's age via this link. From early in 2026, certain Xbox features and age-restricted games may become inaccessible for UK users if you don't verify soon. But, how does it work? Are your pictures stored? Yoti says no.

"Yoti provides highly effective age assurance options for Xbox, allowing users to prove their age without revealing unnecessary personal information," a Yoti spokesperson told us. "Yoti simply returns a yes/no response to [Microsoft], to confirm whether the user meets the required age threshold."

"Yoti's technology is highly robust and independently tested by the likes of NIST and others. Privacy and security are central to everything they do and solutions are built to minimise data collection and ensure user privacy. Any images taken for facial age estimation are instantly deleted, nothing is stored."

The reason Discord ended up leaking user data was because the support service it was using actually was storing people's data. Yoti says it immediately removes all personal data once it has satisfied the age requirement, and that's the only information that is eventually sent and then stored on your Microsoft account. Yoti also shared this Yoti Age Estimation White Paper for users who want to learn more.

Microsoft also sought to assure us that no actual data is stored, besides the "yes/no" age verifier.

"We are committed to making sure player data stays private and secure," a Microsoft spokesperson explained. "We are partnering with Yoti, a trusted third-party identity verification provider, to give UK players a menu of options to securely verify their age as 18 or over while minimizing the data needed. Yoti simply returns a yes/no response to Xbox, does not share any of the player's underlying information, and immediately deletes the data upon verification."

Given Yoti's government-grade contracts it's most likely a more secure solution than Discord's, but whether or not you feel reassured by the above depends on your mileage. It doesn't alleviate the fact that it's a silly, ineffectual law, but it is the law nonetheless, and Microsoft, PlayStation, and others, have to comply whether they like it or not.