Germany’s KJM (Kommission für Jugendmedienschutz) is widely regarded as the strictest age verification regulator in the world. They don’t just ask whether your system works — they tell you exactly what “works” means in numbers. And they maintain a list of approved providers. If your solution isn’t on the list, it doesn’t count.
Xident’s age estimation model doesn’t just meet the KJM bar. It exceeds it by a factor of 33. Here’s the full technical breakdown.
What KJM Requires
The Jugendmedienschutz-Staatsvertrag (JMStV) — Germany’s Interstate Treaty on the Protection of Minors in the Media — sets binding standards for platforms offering 18+ content to German users. The KJM is the joint commission that evaluates and certifies age verification systems.
Their requirements for ML-based age estimation systems:
- Challenge-21 methodology: For 18+ content, the system must estimate the user as at least 21 years old (a 3-year safety buffer, reduced from 5 years in September 2025)
- False pass rate (FPR) below 1% for users aged 13–17 at Challenge-21, based on the Yoti benchmark (the first ML system to receive KJM approval)
- Reliability of at least 95% for age groups 13–18
- Liveness detection to prevent photo, video, and mask attacks
- GDPR compliance with data minimization — collect only what’s needed, delete the rest
- Formal KJM certification before deployment
The Challenge-Age Methodology Explained
Most people assume age verification means asking “is this person 18?” That’s not how it works in practice.
The challenge-age approach asks a deliberately harder question: “Does this person appear to be at least 21?” For an 18+ requirement, this builds in a 3-year buffer. A 17-year-old might plausibly look 18 — but looking 21 is significantly harder. The buffer absorbs the natural estimation error around the legal threshold.
When we evaluate our model, we test at Challenge-21 specifically. For each face in the test set, the model outputs a probability of being above 21. If that probability is 50% or higher, the system passes the user. For users aged 13–17, we measure how many incorrectly pass — that’s the false pass rate (FPR).
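The evaluation described above can be written out as follows. This is an added example, not Xident's evaluation code: it applies the 50% pass rule to per-face scores, computes FPR for ages 13–17 and FRR for adults, and adds a one-sided 95% Wilson upper bound to show how test-set size limits what a measured FPR can support. The sample data, function names and the choice of Wilson bound are assumptions of this example.

```python
import math

PASS_THRESHOLD = 0.50   # pass when P(age >= 21) is 50% or higher (from the article)
KJM_MAX_FPR = 0.01      # KJM ceiling for ages 13-17 at Challenge-21 (from the article)

def wilson_upper(k, n, z=1.6449):
    """One-sided 95% Wilson upper bound on the true rate behind k events in n trials."""
    if n == 0:
        return 1.0
    p = k / n
    centre = p + z * z / (2 * n)
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return min(1.0, (centre + half) / (1 + z * z / n))

def evaluate(samples):
    """samples: (true_age, p_over_21) pairs, p_over_21 being the model's output."""
    minors = [p for age, p in samples if 13 <= age <= 17]
    adults = [p for age, p in samples if age >= 18]
    false_pass = sum(p >= PASS_THRESHOLD for p in minors)
    false_reject = sum(p < PASS_THRESHOLD for p in adults)
    upper = wilson_upper(false_pass, len(minors))
    return {
        "fpr": false_pass / len(minors) if minors else None,
        "fpr_upper95": upper,
        "frr": false_reject / len(adults) if adults else None,
        # Assumption of this example: require the upper bound, not just the
        # point estimate, to sit below the KJM ceiling.
        "below_kjm_ceiling": upper < KJM_MAX_FPR,
    }

def constructed(n_minors, n_false_pass, n_adults, n_false_reject):
    """Constructed scores with a known number of errors (not real model output)."""
    minors = [(13 + i % 5, 0.90 if i < n_false_pass else 0.05) for i in range(n_minors)]
    adults = [(18 + i % 40, 0.20 if i < n_false_reject else 0.95) for i in range(n_adults)]
    return minors + adults

if __name__ == "__main__":
    print(evaluate(constructed(10_000, 3, 1_000, 110)))  # large test set
    print(evaluate(constructed(200, 0, 100, 11)))        # small test set
```

With 200 minors and zero false passes, the measured FPR is 0% but the upper bound is still above 1%, so a test set that small cannot demonstrate the KJM threshold on its own.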
Xident’s Numbers vs. KJM Requirements
Here’s how Xident compares to the KJM threshold and the current KJM-approved benchmark:
| Metric | KJM Requirement | Yoti (KJM-approved) | Xident |
|---|---|---|---|
| FPR (ages 13–17) at Challenge-21 | <1% | 0.6% | 0.03% |
| Liveness detection | Required (passive accepted) | Passive | Active + anti-deepfake |
| Data minimization | Required | Server-side processing | Client-side (face never leaves browser) |
| GDPR compliance | Required | Yes | Yes |
| Reliability (ages 13–18) | ≥95% | Meets threshold | >99% |
Three things stand out. First, the FPR gap: Xident’s 0.03% is 20x better than Yoti’s 0.6% and 33x better than the KJM requirement. Second, liveness: Xident uses active challenges (head movement, eye tracking) with anti-spoofing detection, versus passive liveness. Third, privacy: Xident processes entirely client-side, which fundamentally exceeds KJM’s data minimization requirement.
Why 0.03% Matters
Numbers below 1% can feel abstract. Here’s what they mean in practice.
At the KJM threshold of 1% FPR: out of 10,000 underage users who attempt verification, 100 would incorrectly pass.
At Yoti’s 0.6% FPR: 60 out of 10,000 would pass.
At Xident’s 0.03% FPR: 3 out of 10,000 would pass.
That’s the difference between a system that lets dozens of minors through per day on a high-traffic site and one that lets a handful through per month. For a platform processing hundreds of thousands of verifications, this isn’t a rounding error — it’s the difference between a defensible compliance posture and a liability.
The 11% FRR Trade-Off
Xident’s model has a false rejection rate of 11% for adults. This means roughly 1 in 9 legitimate adults will not pass the ML-based fast path on their first attempt.
This is a deliberate design choice, not a limitation. The model is tuned to prioritize child safety over convenience. An 11% FRR means the system is being conservative — it would rather ask an adult to provide a document than risk letting a minor through.
KJM explicitly expects fallback mechanisms. Their evaluation criteria assume that no single technology is perfect and that age estimation systems should include secondary verification paths. Xident’s architecture does exactly this:
- Path A (ML Fast Path): The user’s face is analyzed client-side via ONNX. If the model is confident the user is 21+, they pass immediately.
- Path B (Document Fallback): If the model isn’t confident enough, the user is directed to upload an ID document. Server-side OCR extracts the date of birth and a face match confirms identity.
The 11% who take Path B aren’t blocked — they just take 60 seconds longer. And this is where the network effect kicks in.
The Network Effect: FRR Trends Toward Zero
Users who complete document verification via Path B are offered the option to create a Xident account. Once they do, future verifications on any Xident-enabled site are instant token lookups (Path D). The 11% FRR only applies to first-time, anonymous users.
As the Xident network grows:
- More users have Xident accounts
- More verifications use Path D (instant token lookup)
- The effective FRR across all verifications trends toward zero
- The cost per verification also trends toward zero
For platforms, this means the initial 11% friction is a one-time cost that diminishes over time. For users, it means “verify once, access everywhere.”
Privacy Architecture: Exceeding KJM’s Data Minimization
KJM requires data minimization. Xident doesn’t just minimize — it eliminates biometric data collection entirely for the fast path.
Here’s how the architecture works:
- Face analysis runs entirely in the browser using ONNX Runtime Web. The user’s camera feed is processed locally. No face images are transmitted to any server — not Xident’s, not the platform’s, not anyone’s.
- The platform receives only a pass/fail result via a secure token. It never sees the user’s face, age, or any biometric data.
- For document fallback (Path B), document images are processed server-side and deleted immediately after OCR extraction. Only the age bracket result is retained.
This architecture goes beyond data minimization. It achieves data elimination for the primary verification path. From a GDPR and KJM perspective, you can’t have a data breach for data you never collected.
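On the platform side, the pass/fail token described above still has to be checked before access is granted. The following is an added example, not Xident's token format or API: the claim names, the HMAC-SHA256 signing with a shared key (chosen to stay within the standard library) and the in-memory nonce set are all assumptions. It accepts only an untampered, unexpired, single-use token addressed to this platform, and rejects any token that carries fields beyond the pass/fail result.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical token layout: the only fields the platform will accept.
ALLOWED_CLAIMS = {"result", "challenge_age", "aud", "exp", "nonce"}
_seen_nonces = set()  # use a shared store with expiry in a real deployment

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key, claims):
    """Stand-in signer, constructed so the example runs offline."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(key, token, audience, now=None):
    """True only for a fresh, untampered 'pass' addressed to this platform."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False
        claims = json.loads(_unb64(body))
    except ValueError:
        return False
    if not isinstance(claims, dict) or set(claims) != ALLOWED_CLAIMS:
        return False  # data minimization: no age, face or other extra fields
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False  # expired
    if claims["aud"] != audience or not isinstance(claims["nonce"], str):
        return False  # issued for a different platform, or malformed
    if claims["nonce"] in _seen_nonces:
        return False  # replay of a token that was already redeemed
    _seen_nonces.add(claims["nonce"])
    return claims["result"] == "pass" and claims["challenge_age"] == 21
```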
The Path to KJM Certification
KJM certification is a formal process. Providers submit their system for technical evaluation, and KJM’s expert panel assesses it against their published criteria. The evaluation covers accuracy metrics, liveness detection, privacy practices, and GDPR compliance.
Xident’s technical profile — 0.03% FPR, active liveness, client-side processing, document fallback — is designed to exceed every criterion on the KJM evaluation checklist. The 33x improvement over the current approved benchmark provides substantial margin.
Conclusion
Germany’s KJM sets the highest bar for age verification in the world. The 1% FPR threshold at Challenge-21, combined with requirements for liveness detection, data minimization, and formal certification, creates a compliance standard that filters out most solutions.
Xident’s 0.03% FPR doesn’t just clear the bar — it resets expectations for what ML-based age estimation can achieve. Combined with client-side inference, active liveness detection, and a network effect that reduces friction over time, it’s a system built for the strictest regulatory environment and designed to exceed it.