This article highlights the major ID verification industry updates from summer 2025 and explains their global impact on businesses.
The summer of 2025 turned out to be scorching, but it wasn’t just the weather that heated up. Over the past three months, the ID verification (IDV) industry has experienced significant changes, particularly in the areas of regulation and technology deployment.
Among the most notable developments have been the introduction of stricter age verification requirements and steady progress in the adoption of digital ID systems. Together, these shifts have become the dominant themes of the season, accelerating the growth and practical application of next-generation ID verification technologies across markets worldwide.
In this article, we will take a close look at the most significant developments that have taken place in the ID verification (IDV) industry over the summer of 2025, examining not only what these changes are but also exploring their practical implications for businesses across the globe, spanning major markets from the United States all the way to China.
The UK’s Online Safety Act and digital ID advancements
This summer, the United Kingdom achieved not just one but two major milestones in the ID verification (IDV) landscape.
The first milestone came on June 19th, when the Data (Use and Access) Act 2025 received Royal Assent. This landmark legislation establishes a clear statutory framework for digital ID verification services, including the creation of a government-run register, a trust mark for certified services, and an information gateway designed to allow public bodies to share specific data with registered providers for identity or eligibility checks.
Government documents and legal briefs consistently point toward this new framework, and in August, the Information Commissioner’s Office (ICO) began the initial steps for commencement. With the enactment of this law, ID verification vendors operating in the UK are now required to be certified under the trust framework and appear on the official register before they can claim compliance.
At the same time, businesses that rely on ID verification for purposes such as right-to-work, right-to-rent, or DBS checks should now implement a strict requirement to confirm that their vendors are listed on the register, verifying each entry directly against the government-maintained list.
The second milestone arrived on July 25th, with the enactment of the Online Safety Act, which mandates that services hosting or publishing pornographic material must implement highly effective age verification systems for UK users. Ofcom, the UK regulator, provided detailed guidance on what constitutes adequate checks, established an enforcement program, and reminded providers that courts have the authority to order sites blocked if they fail to comply.
The immediate impact of these rules was evident, as network monitoring firms reported a sharp increase in VPN sign-ups the day the regulations took effect. For instance, Proton VPN publicly reported a staggering 1,400 percent jump over its baseline registrations.
It is worth noting that the requirement extends beyond adult content platforms. Social media companies have also adapted, as exemplified by Bluesky’s public rollout of UK-specific age verification options, including ID uploads, card checks, and facial age estimation. When configured correctly, these measures meet the criteria Ofcom labels as “highly effective,” and similar approaches are likely to be adopted by other mainstream platforms in the near future.”
China moves forward with Cyberspace ID
On July 15, a set of measures jointly issued by the Cyberspace Administration of China and other relevant ministries officially took effect, marking the launch of a state-run online identity service. Known as the National Online Identity Authentication Public Service, or more commonly as Cyberspace ID, this initiative provides registered users with a digital certificate that can be presented to websites and mobile applications for ID verification.
A key feature of the system is that platforms accepting this verification method are generally prohibited from storing the user’s actual identity information when the certificate is used. Instead, the platforms receive only a simple yes/no confirmation of verification, without access to raw ID attributes, unless explicitly required by law and consented to by the user. Additionally, the framework operates under a voluntary-use principle: platforms are encouraged to connect to the service, and users can choose to opt in, while existing registration methods remain available for those who prefer them.
According to the government, the system is designed to reduce the repeated submission of personal identity information and to minimize the dispersion of sensitive data across multiple private databases. Critics, however, caution that centralizing identity verification in this way could create risks of excessive monitoring and provide authorities with a single point of control that could potentially restrict access to numerous services if credentials are revoked.
Companies participating in the program should now consider implementing a new login option that calls the national service, verifies the provided token, and maps it to a local account. For global applications, it may also be necessary to design a modular integration that activates only for users in China and resides within the localized China infrastructure, ensuring compliance and smooth user experience.
EU makes progress with the EUDI Wallet
The European Commission spent the summer advancing critical legal and technical foundations for the European Digital Identity Wallet (EUDI Wallet), culminating in the adoption of a series of acts in May that have now officially entered into force. In parallel, the eIDAS Regulation (EU) 2024/1183 was amended to formally integrate the Wallet, establish rules for relying-party registration and security, and mandate that every Member State provide at least one official wallet option for its citizens.
With these measures now published in the Official Journal, they carry binding authority. This represents a significant shift: rather than speculating about evolving standards, wallet providers and national authorities now have a concrete regulatory framework to plan against, allowing them to begin real-world integration work.
One of the most consequential texts among the new measures is the Commission Implementing Regulation (EU) 2025/849, which outlines how Member States must supply data to the Commission in order to maintain a public list of certified wallets. Since this process is ongoing, there is currently no finalized list of certified wallets available as of September 2025, though the pipeline for applications is now in motion.
To complement the legal framework, the Commission also introduced a white-label “blueprint” for age verification, complete with reference code for both Android and iOS platforms. This interim solution is intended to cover the period before national wallets become widely available, while also being designed to integrate seamlessly into the broader wallet architecture once those wallets are issued. The blueprint illustrates how service providers can issue and validate a privacy-preserving ‘over-18’ claim without transmitting full date-of-birth information—reducing the amount of personal data handled by sites with age restrictions.
Beyond these concrete steps, the Commission also opened up three additional implementing acts for public consultation on 23 June. These texts focus on the trust framework underpinning the wallet ecosystem: accreditation processes for conformity assessment bodies, standards for risk management, and the role of qualified trust services within the architecture. The consultation window closed in July, and the feedback is now archived on the official EUDI Wallet pages.
Altogether, the summer’s progress signals a transition for the program. Procurement cycles are beginning to shift away from a ‘wait and see’ stance toward active efforts to ‘build to fit the regulations.’ That said, wallet deployment is expected to progress unevenly across the Union. Some Member States and organizations remain cautious, which means that physical ID documents and national eID login systems will continue to coexist alongside the Wallet during its gradual rollout.
The United States’ huge NIST update
Much like in Europe, the summer of 2025 gave digital identity implementers in the United States a concrete set of milestones to work with, replacing uncertainty with actionable guidance and real-world deployments. Among the most notable developments were the publication of a long-awaited federal reference standard from NIST, the live acceptance of mobile IDs at Transportation Security Administration (TSA) checkpoints, and a wave of state-level age-verification laws, some of which are now backed by a Supreme Court decision. Let’s break these down one by one.
The first major development came in early August, when the National Institute of Standards and Technology (NIST) released Special Publication 800-63-4, the updated Digital Identity Guidelines. This new version includes all four volumes—63-0 (overview), 63-A (identity proofing), 63-B (authentication), and 63-C (federation)—published simultaneously on the CSRC and NIST Publications pages. The release closes an eight-year gap since the previous full revision and reflects today’s realities, addressing mobile driver’s licenses, passkeys, synthetic and spoofed media, as well as injection-style cyberattacks.
For ID verification vendors, this means they can now align their control sets against a definitive federal document and present compliance evidence tied to specific sections. Auditors and examiners can be shown not only the mappings to 63-A and 63-B but also supporting lab test results and details of the anti-spoofing or liveness detection methods implemented. The guidelines explicitly elevate presentation attacks to a core problem in remote proofing, requiring vendors to treat advanced liveness checks as mandatory rather than optional safeguards.
The second key milestone was operational rather than regulatory. The TSA continued its steady rollout of mobile ID acceptance at U.S. airports, providing tangible proof that digital credentials are no longer just pilot projects but live infrastructure. On August 19th, the TSA announced that residents of Montana could now add their driver’s licenses to Apple Wallet and present them at TSA checkpoints. TSA maintains a running list of which states and which airport locations support this capability, while its public statements consistently stress that the aim is to improve verification security and passenger convenience at the same time.
The third and most legally charged development occurred on June 27th, when the U.S. Supreme Court allowed Texas to enforce its age-verification law for pornographic websites. This decision has nationwide implications, as other states are likely to adopt similar laws, using Texas as a model.
At the same time, the landscape remains uneven. Not every statute survives its first encounter with federal judges: for example, Georgia’s law requiring age proof for social media accounts was blocked before it could take effect, with a preliminary injunction citing free speech concerns. This illustrates that while momentum is building around digital age checks, the exact shape of enforceable law will vary and continue to be tested in the courts.
Taken together, these developments signal a turning point for digital identity in the United States. Federal standards are now final, mobile IDs are being accepted in live travel contexts, and courts are shaping the boundaries of state-level age verification. For implementers, the summer of 2025 replaced years of speculation with clearer rules, live deployments, and legal precedents that will define the next phase of identity verification in the U.S.
iBeta introduces Level 3 PAD testing
In June, iBeta announced the introduction of a new Level 3 tier for presentation attack detection (PAD) evaluations, expanding upon the existing framework defined by ISO/IEC 30107-3. This new level goes beyond the familiar Level 1 and Level 2 testing protocols by incorporating a broader and more challenging set of spoofing techniques, including highly realistic custom-made masks and other advanced artefacts designed to bypass traditional detection systems.
In addition to raising the bar for the types of attacks being tested, iBeta has also tightened its evaluation criteria. To achieve Level 3 certification, systems are now required not only to block every presentation attack included in the evaluation, but also to maintain stricter performance thresholds. Specifically, bona fide presentation classification error rates (BPCER) and false non-match rates (FNMR) must each remain at or below 10 percent during testing. These requirements ensure that a system is both resilient to sophisticated attacks and reliable in its handling of legitimate user interactions.
From a practical standpoint, reaching Level 3 compliance will require vendors to significantly enhance their detection strategies. This may include developing more advanced artefact recognition techniques, implementing robust checks on the integrity of camera hardware, and applying rigorous methods for handling edge cases where traditional PAD systems might struggle.
For the industry, the introduction of Level 3 represents not just a tougher certification bar but also a clear signal that attackers are evolving—and that defensive measures must evolve just as quickly.
Staying compliant with KBY-AI’s ID verification solutions
As legal and regulatory frameworks around identity verification continue to grow in complexity, organizations need tools that are not only powerful and accurate, but also fully compliant with international standards and regional requirements. Selecting the right ID verification technology partner can make the difference between seamless onboarding and costly compliance gaps.
KBY-AI provides such ID verification solutions through its industry-recognized ID Document Recognition SDK and Face SDK, both of which have been certified by leading organizations and successfully deployed in some of the most highly regulated markets worldwide.
The KBY-AI ID Document Reader SDK is a particularly robust option for ID verification. It is powered by the world’s largest template database, covering over 15,000 document types across 254 countries and territories. With this extensive coverage, businesses can rely on a single solution to handle a truly global customer base.
Key capabilities include:
-
Authentication of thousands of global ID documents with advanced accuracy.
-
Reading machine-readable zones (MRZs) and a wide range of barcodes.
-
RFID chip reading and authentication in line with ICAO Doc 9303 standards.
-
Verification of digital signatures embedded in barcodes, including Visible Digital Seals (VDS) defined by ICAO.
-
Document liveness checks by analyzing dynamic security features such as holograms and optically variable ink (OVI).
-
And much more.
Complementing this, the KBY-AI Face SDK provides instant and secure biometric ID verification with advanced liveness detection. It supports both passive and active methods, ensuring resilience against fraudulent presentation attacks, including the use of static images, printed photographs, video replays, video injection attempts, or even sophisticated masks.
Together, these solutions empower organizations to stay ahead of evolving compliance demands while delivering a smooth, secure, and trustworthy verification experience to end users worldwide.
Frequently Asked Questions (FAQ)
1. What is ID verification?
ID verification is the process of confirming that an individual’s identity document (such as a passport, driver’s license, or national ID card) is authentic and that the person presenting it is the rightful owner.
2. Why is ID verification important?
ID verification helps organizations prevent fraud, meet regulatory requirements (such as KYC and AML), and build trust by ensuring that users are who they claim to be.
3. What types of documents can be verified?
Most modern ID verification systems can authenticate passports, driver’s licenses, national ID cards, residence permits, and other government-issued documents from around the world.
4. How does digital ID verification work?
Typically, the ID verification system scans and analyzes security features of the ID document (like MRZs, barcodes, holograms, and chips), checks for forgery or tampering, and may use facial recognition with liveness detection to confirm the document matches the user.
5. Is digital ID verification secure and compliant with regulations?
Yes. Leading ID verification solutions are designed to comply with international standards (such as ICAO Doc 9303, GDPR, and AML regulations) and use encryption and advanced fraud detection to protect user data and maintain regulatory compliance.
Conclusion
ID verification is no longer just a security measure—it has become a critical part of building trust, meeting regulatory requirements, and protecting both businesses and users from fraud. By combining advanced document authentication, biometric checks, and compliance with international standards, modern ID verification solutions ensure that organizations can confidently onboard customers, safeguard sensitive data, and operate smoothly in an increasingly digital and regulated world.
