When a company best known for running one of the world’s largest adult platforms begins pitching a new model for online identity, the conversation quickly moves beyond content moderation.
Aylo, the parent company of Pornhub, has begun urging Apple, Google, and Microsoft to take over a task that has increasingly fallen to websites: verifying a user’s age before allowing access to adult material.
The company argues that the device or operating system should confirm someone’s age once, then provide a simple signal to any site that requests it.
The approach sounds like a housekeeping fix and could reduce the number of ID leaks that have been happening since the online digital ID age verification push.
However, it could also redraw the balance of power across the internet, and not in a good way.
California has already nudged the industry in this direction. Its the Digital Age Assurance Act, or Assembly Bill 1043, which requires operating systems to collect a user’s birth date or age during account creation and lets app developers request that information when an app is installed or opened.
In a conversation with WIRED, Alex Kekesi, Pornhub’s vice president of brand and community, described the law as “interesting because it gets it almost exactly right,” adding that the state’s approach could become a template for others.
Aylo says the current landscape of website-level checks has failed to do much of anything. Companies ask for government IDs, biometric scans, or third-party verification. Other sites skip verification entirely. The company writes that it “has found site-based age assurance approaches to be fundamentally flawed and counterproductive,” noting that every fresh request for personal data expands the number of companies handling sensitive information.
Aylo’s proposed model resembles a system-level “safety” feature rather than a web gatekeeper.
A user would confirm their age once on the device or operating system. Each site would then receive a simple yes-or-no signal through an API. That reduces friction. At least on paper, it also reduces the number of times someone sends a government ID into the void.
Apple and Google already maintain digital ID systems inside their wallet apps. Browser makers are adopting the Digital Credentials API. The pieces for a device-level approach are already present in the operating systems that most people use every day. The question is how they will be assembled and who will oversee the process.
Putting age checks inside the operating system brings some benefits, depending on how you look at it. But in the hands of companies that already shape much of our digital life, it also tightens their grip.
A system-level age flag becomes another point of control tied directly to the platforms that mediate how billions of people use software.
Open ecosystems would feel the pressure. Independent browsers, community distributions of Linux, and other user-driven projects could be pushed toward government-linked identity requirements simply to maintain compatibility.
Smaller developers often avoid handling identity data because the security burden is too heavy.
If OS-level age tools become a universal expectation, these communities may face a choice between integration and obsolescence.
The privacy stakes do not stop at confirming someone’s age. They extend to who verifies that information, how the data is stored, and which entities gain visibility into a person’s activity patterns.
Centralizing verification at the device level might reduce repetitive data exposure, but it also concentrates power in a handful of firms that already hold vast collections of behavioral data.
People should not be forced to use Big Tech tools to access the open internet.
A system-level confirmation signal sounds simple, yet any mechanism that ties identity signals to hardware inevitably increases the opportunities for tracking. Users would have fewer escape routes, and platform vendors would have more visibility into what people do online.
Modern computing does not end at the smartphone or laptop. Smart TVs, gaming consoles, streaming boxes, car dashboards, and household appliances all run complex software stacks with varying levels of security.
Requiring these devices to participate in age verification multiplies the engineering burden across industries that never planned to handle identity data.
Manufacturers update devices at different intervals. Some patch quickly, others do so rarely, and many never update at all. If age checks became a requirement, the results would be inconsistent. Some devices would adopt strict identity enforcement. Others might bolt on minimal features that expose new vulnerabilities.
The result could be a sprawling network of verification signals pushed through hardware that was never built for that kind of responsibility.
Aylo frames its proposal as a practical fix for a policy patchwork that protects few users and exposes too much personal data.
The idea of verifying age once, cleanly, on a trusted device has its appeal. Yet the broader ramifications point toward a slow consolidation of identity infrastructure under companies that already dominate software distribution.
This is about who gets to design the identity layer of the modern web and how much autonomy smaller players will retain.
