AGE ASSURANCE DESIGN RATIONALE
Service: RPMMO AEGIS Kingdoms
Operator: AEGIS Game Studios
Regulatory Context: UK Online Safety Act 2023 (User-to-User Service)
1. Purpose of This Document
This document explains the design, implementation, and justification of the age assurance measures deployed by AEGIS Game Studios for RPMMO AEGIS Kingdoms, consistent with the requirements of the UK Online Safety Act 2023 and Ofcom’s guidance on highly effective age assurance (HEAA). It demonstrates how the service’s controls ensure that children are not normally able to access age-restricted content, using a layered, proportionate, and robust approach.
2. Service Classification Under the Online Safety Act
AEGIS Kingdoms is a user-to-user service under the Online Safety Act. It incorporates user-generated text-based roleplay in a fictional setting. Although this content does not include explicit sexual material or illegal content in itself, the narrative may reference themes unsuitable for minors (e.g. violence, harm, complex adult themes).
Accordingly, the platform must implement Highly Effective Age Assurance to prevent under-18s from accessing age-restricted content. This aligns with Ofcom’s view that services likely to be accessed by children require HEAA to ensure they are not normally able to access harmful or age-restricted material.
3. Content Safeguards and Prohibitions
AEGIS Kingdoms prohibits the following:
Pornographic content (including erotic roleplay)
Sexual content involving minors
Graphic violence or explicit instruction facilitating real-world harm
Illegal material of any kind
Moderation is ongoing and proactive; however, HEAA is used at the account level and is not replaced by moderation alone.
4. Age Assurance Strategy Overview
AEGIS Game Studios uses a multi-stage defence-in-depth model for age assurance:
Manual account approval
Highly Effective Age Assurance (OneID OTP mobile identity verification)
Paid membership gating
Mandatory authentication
Session expiration
Continuous moderation
Zero-tolerance enforcement
This multi-layered design exceeds baseline expectations and mitigates common circumvention vectors.
5. Account and Access Flow
5.1 Forum Account Creation (Initial Gate)
Users must register an account on the AEGIS Forums.
All new accounts require manual approval.
Anonymous browsing is not permitted.
Prior to approval, access is read-only and limited to general informational pages.
5.2 Pre-Age-Check Information Stage
After forum approval, users are presented with FAQ content explaining:
The nature of the service
Key content restrictions
The requirement to complete age assurance using mobile verification
Progression beyond this point is not permitted until age assurance is completed.
5.3 Highly Effective Age Assurance (Mobile Phone Verification via OneID)
AEGIS Game Studios uses OneID® mobile identity verification, which integrates One-Time Password (OTP) checks with mobile network operator data associated with the user’s mobile phone number.
OneID key characteristics:
Uses mobile network operator age checks and/or verified mobile identity data to confirm age.
OneID supports age assurance methods that align with Ofcom’s non-exhaustive list of capable HEAA approaches, including mobile-network operator age checks and digital identity services.
Process:
User enters their mobile phone number.
OneID triggers an OTP via SMS to the device.
The user enters the OTP.
OneID verifies the mobile identity against network operator records or other trusted identity data.
The outcome (age verified or not) is recorded securely; no unnecessary personal identifiers are retained.
Only the verification result (approved/not approved as ≥18) is stored by AEGIS Game Studios.
This method meets Ofcom’s criteria of technical accuracy, robustness, reliability and fairness when properly implemented and monitored (www.ofcom.org.uk).
6. Additional Access Controls
6.1 Paid Membership Requirement
Active paid membership is mandatory to access AEGIS Kingdoms.
Membership status is manually verified as an additional deterrent against minors, and to support the HEAA framework.
6.2 Lore & Comprehension Gate
After age verification, users must apply for a roleplay/TTRPG character, completing comprehension checks relevant to the game’s lore. This further reduces erroneous or malicious access by minors.
6.3 Game Account Provisioning
Game credentials are issued only after:
Positive age assurance outcome
Active paid membership
Manual approval
Forum credentials and game credentials are managed separately to keep the two authentication flows segmented.
7. Authentication and Session Controls
7.1 Game Client
The client does not persist login credentials.
Users authenticate via OneID-linked credentials at each session.
7.2 Forums
Forum sessions expire after 14 days.
Re-authentication is enforced thereafter.
Anonymous usage is prohibited.
These controls ensure age-verified access cannot be shared or persist beyond the authenticated user’s individual session context.
8. Enforcement and Zero-Tolerance Policy
If a user:
Admits to being under 18 (even as a joke), or
Generates reasonable suspicion that a minor is accessing the account,
then the account is terminated immediately with no exceptions.
This strict policy is documented and applied to prioritise child safety.
9. Why This Approach Meets HEAA Requirements
This age assurance design adheres to Ofcom’s HEAA criteria because:
It uses a method (mobile network/OneID identity verification) listed as capable of being highly effective (www.ofcom.org.uk).
Age assurance is account-bound, not device- or cookie-based.
Authentication is mandatory.
Sessions expire and cannot be reused without re-authentication.
Approval and monitoring are verified manually at key points.
Collectively, these controls ensure that children are not normally able to access age-restricted areas of the service.
10. Proportionality and Data Minimisation
No identity documents are stored.
No sensitive personal data beyond the age verification outcome is retained.
The system only stores the verification result necessary to meet regulatory requirements and support risk analysis.
This aligns with UK GDPR principles of proportionality and data minimisation.
11. Review and Ongoing Effectiveness
AEGIS Game Studios commits to:
Periodic review of age assurance effectiveness
Updates in line with changes to Ofcom’s guidance
Adjustments if circumvention or new risks are identified
12. Conclusion
AEGIS Kingdoms employs a robust, layered, and proportionate age assurance system that is compliant with the UK Online Safety Act and Ofcom’s guidance on HEAA. The system ensures that minors are not normally able to access age-restricted content while respecting user privacy and minimising unnecessary processing.
CHILDREN’S RISK ASSESSMENT – AEGIS KINGDOMS (RPMMO)
Service Provider: AEGIS Game Studios
Service: AEGIS Kingdoms (Gaming Platform with User-to-User Forums)
Regulatory Framework: UK Online Safety Act 2023 – Children’s Safety Duties and Age Assurance
1. Regulatory Context
The UK Online Safety Act 2023 requires providers of regulated user-to-user services to:
Carry out a Children’s Access Assessment to determine whether children are likely to be able to access the service or any part of it.
Where there is a credible risk of child access or exposure, maintain a Children’s Risk Assessment identifying potential harms and the effectiveness of mitigations.
Ofcom guidance clarifies that a service may conclude that children are not normally able to access relevant parts of the service where Highly Effective Age Assurance (HEAA) and effective access controls are implemented and maintained.
Ofcom defines HEAA as age assurance that meets the criteria of:
Technical accuracy
Robustness
Reliability
Fairness
and which demonstrably prevents children from accessing age-restricted services under normal conditions.
AEGIS Kingdoms is intentionally designed and operated as an adult-only roleplay service. The platform therefore implements HEAA at the account level and maintains this risk assessment as formal evidence of compliance, ongoing monitoring, and proportionality.
2. Service Characteristics Relevant to Child Safety
AEGIS Kingdoms includes:
User-generated text-based roleplay content.
Fictional scenarios that may reference violence, conflict, injury, death, or mature narrative themes.
Persistent interaction between adult users.
The service does not permit:
Pornographic content or erotic roleplay.
Sexual content involving minors.
Graphic sexual violence.
Illegal content or real-world harm facilitation.
While moderated, the narrative complexity and thematic material are not suitable for minors. The service is therefore restricted to adults only.
3. Child Safety Risks Identified (Pre-Mitigation)
The following risks were identified before the implementation of controls:
| Risk ID | Risk Description | Likelihood (Pre-Controls) | Potential Harm |
|---|---|---|---|
| R1 | A minor gains access to adult roleplay content | High | Psychological or emotional harm |
| R2 | A minor circumvents self-declared age controls | High | Under-18 access to restricted content |
| R3 | A minor accesses the service via account sharing | Medium | Indirect exposure |
| R4 | Persistent sessions bypass authentication | Medium | Prolonged unsupervised access |
| R5 | Inadequate gating allows browsing without verification | High | Exposure to user-generated content |
These risks align with Ofcom’s expectation that services assess how children could realistically encounter harm through service design, access pathways, and functionality.
4. Mitigation Controls Implemented
4.1 Highly Effective Age Assurance – OneID Mobile OTP Verification
Control
All users must complete age assurance using OneID mobile identity verification with one-time password (OTP) confirmation.
The process:
User submits a mobile phone number.
OneID sends a one-time password to the device.
The user confirms possession and identity.
OneID validates age eligibility using mobile network and identity assurance signals.
Only the verification outcome (pass / fail for adult eligibility) is retained.
No identity documents, raw identity attributes, or mobile network data are stored by AEGIS Game Studios.
Risk Impact
Prevents reliance on self-declaration.
Significantly reduces R1 and R2.
Establishes a robust, repeatable verification barrier prior to any restricted access.
4.2 Multi-Stage Account Approval and Access Gating
Control
All forum accounts require manual approval before activation.
Users cannot access posting areas, private forums, or game systems until HEAA is completed.
Progression requires successful age assurance, membership validation, and manual review.
Risk Impact
Blocks premature exposure (R1, R2, R5).
Prevents anonymous or automated access.
4.3 Paid Membership Validation
Control
Active paid membership is required for game access.
Membership status is manually verified.
Risk Impact
Adds a practical deterrent to minors (R1, R2).
Introduces additional identity friction.
4.4 Authentication and Session Controls
Control
Game login is required every session; credentials are not stored locally.
Forum sessions expire automatically after 14 days.
Re-authentication is mandatory.
Risk Impact
Limits session persistence (R4).
Reduces account sharing effectiveness (R3).
4.5 Moderation and Enforcement
Control
Continuous moderation of all user-generated content.
Explicit prohibition of sexual content involving minors and harmful material.
Immediate termination of any account reasonably suspected of minor access.
Risk Impact
Reduces residual exposure risk (R1, R3).
Provides operational enforcement support.
5. Residual Risk Evaluation
After implementation of controls:
| Risk ID | Residual Likelihood | Residual Impact | Risk Rating |
|---|---|---|---|
| R1 | Low | Low–Medium | Acceptable |
| R2 | Low | Medium | Acceptable |
| R3 | Low | Medium | Acceptable |
| R4 | Low | Medium | Acceptable |
| R5 | Very Low | Low | Acceptable |
Conclusion
The combined controls reduce the likelihood of child access to a level where children are not normally able to access the service under ordinary conditions.
6. Proportionality and Justification
The mitigations are proportionate because:
The service is adult-directed and contains mature narrative material.
Age assurance is applied at the earliest feasible point in the user journey.
Controls are layered, not dependent on a single safeguard.
Manual oversight exists where automated systems alone would be insufficient.
This approach aligns with Ofcom’s expectation that services apply proportionate controls based on realistic risk exposure and service design.
7. Privacy and Data Protection
Only age-verification outcomes are retained.
No identity documents or sensitive personal data are stored.
Processing is limited to what is necessary to demonstrate compliance and prevent child access.
This supports data minimisation and privacy obligations under UK GDPR.
8. Monitoring, Review, and Reassessment
This assessment will be reviewed:
Annually.
Following any material change to service design, access pathways, or age assurance technology.
If circumvention or control degradation is detected.
Upon updated regulatory guidance or enforcement outcomes.
Records of reviews and outcomes are retained.
9. Final Determination
Based on the controls implemented and ongoing monitoring:
AEGIS Kingdoms is operated as an adult-only service.
Highly Effective Age Assurance is implemented using OneID mobile verification.
Children are not normally able to access restricted areas of the service.
Residual child safety risks are low and acceptable.