As age verification becomes mandatory in more places, a critical design question is what to do when a user comes back. Requiring a full ID upload and liveness check on every visit is secure but costly in friction, and users will look for workarounds or abandon the flow. The better approach is to distinguish first-time verification from returning users.

First time: the user proves identity and age (e.g. ID scan plus liveness). The system establishes that this person is over the required age and, in privacy-preserving setups, does not retain the document or face image. It may retain only a secure, non-reversible representation (e.g. an embedding) so the same person can be recognised later.

Returning users: instead of asking for the ID again, the service runs a quick check, for example a short liveness or face match against the earlier session. If it matches, a new signed token is issued. The user gets a fast, low-friction experience; the platform still gets a fresh verification and audit trail. In ecosystems where multiple sites share the same age-verification provider, the user may verify once and then re-prove age on any partner site with a single step (e.g. face-only), reducing repetition across the web.

Designing for this split, with full verification once and reverification when returning, improves conversion and compliance while keeping the bar high for initial proof of age.