
LinkedIn's user verification sets the bar. Now regulators must raise it.

  • Writer: Raoul Sewardson
  • 2 days ago
  • 14 min read

Of the major social media platforms, LinkedIn stands out in the extent to which it claims to verify aspects of its users’ profiles, offering users options to verify their identity, their workplace, and their education. LinkedIn claims significant global uptake of these features, stating in December 2025 that its global user base now includes over 100 million verified “members”.


This note examines LinkedIn’s approach to identity verification. It considers its strengths and areas for improvement – and what lessons regulators could draw from this example when designing effective regulation.



LinkedIn’s Verification Process


LinkedIn works with third party firms to conduct verification. For users in the UK and EU, LinkedIn has engaged third party ID verification firm Persona. For users in the U.S., Canada, and Mexico, a different provider, CLEAR, is offered. Here, we look at the process with Persona, but the CLEAR process appears similar. 


Verification on LinkedIn requires use of the LinkedIn app on a mobile device. Users accessing LinkedIn on desktop via a web browser are required to scan a QR code using their mobile device and the LinkedIn app. The verification process all takes place within the app, but important stages of the process are taken over by third party ID verification firm Persona. 


On initiating verification within the LinkedIn app, a user is asked by Persona to:

  • agree to its Terms of Use and Privacy Policy

  • upload a photo of an NFC-enabled government ID (like a passport)

  • scan the ID’s NFC chip

  • take three live selfies of their face which are then compared to the photo on the ID 


Once the user’s identity is confirmed, users are asked to consent to Persona sharing the verification result and necessary details (name, ID type/issuer) with LinkedIn. Persona states that it shares only this data with LinkedIn, not the biometric data or passport number and issue/expiry date, which remain held by Persona and are handled according to its policies.


The following table summarises the process:



Assessment


Clean Up The Internet suggests, in this previous submission to UK regulator Ofcom, that some key criteria for assessing a verification process are: accuracy, robustness and reliability; accessibility; affordability; visibility of verification status; account security and user authentication; privacy and data security; encouraging user awareness and uptake; interoperability and user choice. Let’s assess LinkedIn’s verification against these criteria.


Accuracy, robustness and reliability

Requiring a check against government-issued photo NFC-enabled ID and outsourcing to a specialised verification provider should, in principle, ensure a high standard of accuracy, robustness and reliability. Persona’s service is certified to GPG45 profile M1C (medium confidence) under the UK’s Digital Identities and Attributes Trust Framework (DIATF). This is the level of confidence required for the statutory purpose in the UK of right-to-work and right-to-rent checks (there is at present no specific DIATF scheme for social media identity verification).  


However, there are a number of open questions about the specific details of the service which Persona provides to LinkedIn. We have not been able to clarify these based on publicly available documentation, and they would have an impact on the robustness and reliability of verification, particularly over time:


  • To what extent does the service provided by Persona to LinkedIn align with, or differ from, the service as certified under the DIATF?


  • Is the verification process based purely on the document plus face match, or are additional device/browser/network signals collected or used in the assessment? Persona’s Privacy Policy states that it has the capability to gather data about users from the user’s device as well as from its “global network of trusted third-party data sources”. If so, what are they? How does this contribute to the robustness of the process? How is this made transparent to users?


  • Does Persona only carry out a one-time identity check or may LinkedIn require subsequent reverifications, possibly triggered by a specific risk signal (for example, if a passport subsequently turns up on a stolen passport list or if behaviour of the account suggests a risk that an account has been hijacked)? This would have an important impact on the reliability of verification over time.


Accessibility

In respect of accessibility, LinkedIn gets half marks. In the EU, the verification process is open to anyone with an NFC-enabled passport or government-issued photo ID, and in the UK to anyone with an NFC-enabled passport. This is a significant majority of EU adults, likely in excess of three-quarters, although the EU has not published a comprehensive figure for this. In the UK, around 80% of resident adults hold a passport, the vast majority of which will be NFC-enabled. (https://www.international-adviser.com/only-1-of-brits-have-dual-nationality/)


LinkedIn’s requirement for this form of identification therefore on paper includes a significant majority of UK and EU internet users. However, it does exclude people who do not have such IDs. It also risks excluding those who are unable to use it (e.g. because they lack an NFC-enabled smartphone), whose current appearance doesn’t match their documents, or whose government ID is in a different script to their user ID. The reliance on NFC-enabled ID means LinkedIn’s verification is likely to be far more accessible to some groups of people than others. For example, in the UK, we know that age, education and socio-economic status all influence how likely someone is to possess a passport. Across the EU, approaches to ID documents vary: for example, Bulgaria, Portugal, Liechtenstein, and Iceland all only began issuing NFC-enabled ID cards in the first half of 2024.


LinkedIn should consider expanding its verification process to include a broader (but still reliable) range of verification methods. For those whose legal name doesn’t match their user ID (e.g. married women), LinkedIn has a process to allow this if the user agrees to add their legal name as an additional name to their profile.


Crucially, LinkedIn has not published any information on its own assessment of the accessibility considerations of its verification system for its user base, and it is unclear what assessments it has made. Nor has it published any figures on how uptake breaks down by different countries or demographics. Given this is an important trust and safety feature, and LinkedIn holds such a dominant position for online professional networking, it should be standard practice for LinkedIn to have considered the accessibility and inclusivity of its design, and to be transparent about how it has done so and how this is working in practice.


Affordability

LinkedIn has neither introduced a standalone charge for verification, nor bundled it with other features of a “premium” subscription.  Making verification free to all users means that LinkedIn’s process meets the affordability criterion (although government-issued photo ID can itself be expensive; another argument for expanding the range of verification methods). 


Visibility of verification status

LinkedIn does make the verification status visible. The verification tick is attached to verified accounts; even better, by clicking on the tick, one can see what type of verification it is, what type of identity document was used and when the verification was done.


Account Security and Authentication

Verified status makes an account of greater value to bad actors, and therefore more of a target to hackers. A strong suite of account security and recovery measures is therefore an important companion to a verification offer.


LinkedIn offers a reasonable suite of standard security features. Two-factor authentication is available to all users, via SMS or authenticator apps, and passkey support is available. Users can review active sessions and sign out of devices remotely from within their settings. There’s email notification for sign-ins from new devices. The platform states that it runs proactive detection systems that flag suspicious login attempts based on location, device fingerprinting, and behavioural signals. It’s unclear what user uptake is for these measures – or whether LinkedIn seeks to nudge verified users towards them more regularly.


Alongside measures to mitigate the risks of verified accounts being compromised, it is crucial that platforms have in place measures to swiftly respond if a hijacking occurs. However, LinkedIn’s process for account recovery has in the past been seen as a weak point. In 2023 a mass-hijacking campaign saw thousands of users locked out for weeks.


Whilst LinkedIn has updated the account recovery process, with Persona now also the primary route to verifying account ownership, there is no published SLA for hacked accounts. The official Help pages give no commitment on response time, no interim protection commitment for the live profile, and no clear escalation path beyond “submit the form”.  


Data Security and Privacy

The fact that LinkedIn has outsourced to a specialised provider should, in principle, ensure that good industry standards of data security and privacy compliance are applied. However, we did have some difficulty pinning down several data privacy issues in the publicly available documentation.


It was not clear to us in what country the data is stored. Are Persona and LinkedIn both data controllers, and if so, how are controller/processor responsibilities allocated and data subject rights handled operationally? What data does LinkedIn receive from Persona (there appear to be some inconsistencies in the description and policies)? Persona requests you consent to its “third party service providers processing my biometric information to verify my identity and for fraud prevention;” this purpose seems broad and vague. The data retention periods are also set out in vague terms and could arguably allow Persona in particular to keep data almost indefinitely. With respect to biometric data, inconsistent periods are stated. It would be interesting to check against the actual configured retention periods. Finally, since Persona is a US-based company, in the event of a privacy issue, it would likely be more challenging for a UK or EU consumer to have recourse against them.


Persona advertises that it can check identity against various lists, such as sanction lists and Politically Exposed People lists. Whether it does so depends on what modules are selected by the client (i.e., LinkedIn). Screening against such modules would seem unnecessary and inappropriate in the context of LinkedIn, but we have not been able to identify what modules LinkedIn has chosen and how these contribute to the robustness and reliability of the process, nor how, from a privacy point of view, LinkedIn protects users against subsequent scope creep. 


If risk scoring is involved, does automated decision-making play a role? Persona states in its Privacy Policy that “Persona itself does not undertake automated decision-making.” The way this is so precisely drafted does beg the question whether any of its service providers or LinkedIn do. If so, what human review exists, and what appeal is available?


Some EU and UK users may have concerns about Persona’s profile as a company, and about the lack of meaningful alternatives within LinkedIn’s verification flow. Persona is a US-based identity verification provider that achieved FedRAMP authorisation in October 2025 and counts US federal agencies among its customers, alongside a public-facing case study with OpenAI in which it screens “millions monthly” against sanctions lists and politically exposed person databases. Such concerns, brought into focus when a researcher identified evidence of Persona tagging “reports with codenames from active [US] intelligence programs”, led to Discord dropping Persona as a vendor in February 2026.


These points reflect long-standing questions about what it means for UK and EU users’ biometric and identity data to be processed by a US-based vendor whose core business is increasingly intertwined with US federal compliance work. Persona’s Privacy Policy does state: “We will access, disclose, and preserve personal data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement, national security, or other government agencies.” As a US company, this presumably includes US laws and agencies. 


Not all LinkedIn users will necessarily share these privacy and data concerns, either about Persona in particular, or US-based verification services more generally. But the crucial point is that those that do cannot choose an alternative provider. It’s regrettable that LinkedIn doesn’t offer UK or EU users the option of verifying through a domestic provider operating under UK or EU data protection regimes.


Encouraging user awareness and uptake

In 2023, when LinkedIn launched user identity verification, it set an uptake target of 100 million users. Since then it has reported fairly frequently on progress, and it stated in December 2025 that the target had been hit. With the obvious caveat that these figures are self-reported, setting ambitious uptake targets, and reporting on progress towards them, is welcome.


LinkedIn encourages users to consider verification through fairly prominent nudges and prompts, such as banners directly on users' profiles and dashboards, encouraging them to "Get Verified". In addition, LinkedIn seeks to encourage verification by suggesting that verified members get more profile views, higher engagement rates, and experience greater acceptance of their connection requests.



Interoperability and User Choice

Interoperability, in the context of identity verification on a social media platform, means the platform accepting identity credentials from a range of accredited providers, rather than tying users to a single in-house process or one commercial partner. The platform sets the standards a credential must meet – covering the rigour of the underlying check, data protection safeguards, and technical formats – and then trusts any provider certified against those standards. For users, this means real choice over who holds their sensitive data, and the convenience of reusing a verification they have already done elsewhere (with a bank, a government digital ID, or another identity service) rather than uploading their passport again. It can also make the process cheaper for platforms, by opening up the market to competition between providers rather than locking platforms into a single commercial relationship.


At present LinkedIn would score low on this criterion, as for UK and EU customers Persona is their only option. A user with a LuxTrust qualified certificate, an Italian SPID credential, a French France Identité credential, or a UK Digital Identity and Attributes Trust Framework-certified credential from a provider like Yoti or Post Office EasyID, cannot present any of those to LinkedIn as an alternative route to gaining verified status.


Interestingly, and perhaps revealingly, whilst LinkedIn is closed to inbound interoperability, it is actively encouraging other platforms to accept “verified on LinkedIn” as an outbound verification signal. It makes its verification available to third parties, for free, via an API, stating that this is so that “LinkedIn members can take their authenticity to other sites, helping platforms create safe interactions between authentic users”. Notable partners include Zoom and Adobe.


This offers a convenient experience for verified LinkedIn users when accessing these other services – they are able to reuse their LinkedIn verification, and do not have to re-upload any documents. And it makes a form of verification, with the safety benefits that entails, available to be implemented on these other services. 


However, LinkedIn’s decision to allow its verification process to be used as a trust signal by third parties, but not to accept any other DVS-certified or eIDAS-notified credentials itself, is a strictly one-way approach to interoperability. It suggests that LinkedIn sees commercial advantage in pulling other platforms into its dependency. This illustrates why regulatory oversight of platforms’ verification systems, including their approach to interoperability, would bring better outcomes for users. If the large platforms were all required to accept verification which meets suitable frameworks of standards, like the UK Digital Identity and Attributes Trust Framework or the eIDAS 2.0 framework, then users would get choice, convenience, and the assurance that verification trust signals meet a common minimum standard. Centralising verification in the hands of one, or a small number of, major platforms may deliver some convenience, but doesn’t offer users choice and leaves those platforms to set their own minimum standards.



Lessons for regulators?


The first and most important lesson for regulators is that requiring large platforms to offer robust user verification to all users, as a freely available safety measure, is perfectly feasible. LinkedIn claims over a billion users globally and tens of millions in the UK and EU, and it has implemented a verification process using a provider that meets a recognised standard, is free at the point of use, and is available to a substantial majority of its user base. 


Whatever its limitations - and we've identified some significant room for improvement - LinkedIn's implementation is powerful evidence that implementing the UK’s user verification duty in a meaningful way, or following through on the proposals for user verification contained in the EU’s Democracy Shield Initiative, is perfectly achievable.


This matters because platforms have a long track record of arguing that trust and safety measures regulators propose are technically infeasible, commercially ruinous, or disproportionate. When platforms push back against verification requirements on these grounds, LinkedIn is a powerful counter-example. A major platform, operating at scale, has built it - without charging users, without bundling it into a premium tier, and without suffering any commercial damage as a result.


The question for regulators is therefore not whether platform verification can be required, but what standards it should meet. The lessons below set out where LinkedIn's implementation suggests those standards should land.


1. Verification can and should be free for all users

LinkedIn's decision not to charge, and not to bundle verification with a premium subscription, is a positive choice. Meta and X have made different choices by bundling their “verification” offers as part of premium subscriptions. Regulators shouldn't leave this to platform discretion. Where verification is offered as a trust signal to other users, it should be free at the point of use, available to all users on equal terms, and not tied to paid tiers. Otherwise verification status risks signalling willingness to pay rather than confirmed identity.


2. Robustness standards should be set by regulators, not platforms

LinkedIn has effectively delegated standard-setting to its commercial partner, Persona, which in turn aligns to the UK’s DIATF. That's a reasonable outcome in this case, but it is not one that should be entirely left to the platform’s discretion. Regulators should set out the minimum standards that platform verification must meet – aligning with existing frameworks like DIATF and eIDAS 2.0 - and require platforms to demonstrate compliance.


3. Interoperability should be required, not optional

LinkedIn's one-way approach to interoperability - happy to export "Verified on LinkedIn" as a trust signal to others, unwilling to accept any external credentials in return - shows how dominant platforms could use verification to deepen lock-in, and how this could result in fewer choices for users. Regulators should require platforms above a certain size to offer users a choice of different verification processes, and to accept verification credentials from any provider certified under stipulated recognised frameworks. This would give users meaningful choice over who holds their data, encourage competition between identity providers, and prevent the emergence of de facto private monopolies over online identity. Some users would likely want to use “verified by LinkedIn” as their portable identity credential of choice for other services, but that should be a matter of choice, not compulsion.


4. Verification uptake should be transparent

LinkedIn’s headline figures sound very encouraging – by December 2025, the platform announced “100 million members who have now added a verification on LinkedIn”. In October 2024 the claimed figure was 55m, in April 2025 80m, suggesting significant and sustained growth. However, there is a lack of detail behind these headline figures – for example, LinkedIn doesn’t provide breakdowns by region, or by type of verification used. Regulators should require platforms to publish uptake figures and to demonstrate they are actively encouraging adoption.


5. Accessibility must be designed in and reported on

Reliance on NFC-enabled government photo ID excludes a meaningful minority of adults, and excludes them unevenly across age, socio-economic status, and country. Interoperability and improved user choice would improve accessibility. But alongside this, regulators should require platforms to publish accessibility assessments of their verification systems, including demographic breakdowns of who remains at risk of being excluded. 


6. Transparency obligations should cover the full verification process

LinkedIn’s processes, and the accompanying documentation, leave too many open questions that users shouldn't have to investigate themselves: whether automated decision-making is involved, what happens on reverification, what risk signals are used, how long data is retained, where it's stored, and who the controllers are at each stage. Regulators should require platforms to publish clear, accessible documentation covering each stage of the verification process and the data flows it involves - and to keep that documentation current.


7. Set standards for account security and recovery alongside verification

A verified account is a higher-value target. Regulators should require platforms to set out how they are mitigating these risks. This should include making available, and actively promoting, 2FA for verified users, publishing 2FA uptake figures, and committing to published service level agreements for hacked account recovery, including interim protection of the live profile while ownership is being established.


8. Verification status must be clearly and consistently displayed

LinkedIn does this reasonably well - a tick that, when clicked, shows what was verified, by what method, and when. This should be the regulatory baseline. Verification ticks that conflate paid subscriptions with identity verification, as on X, are actively misleading and should be prohibited where they create a risk of consumer deception.



Conclusion


LinkedIn's verification system is, by some margin, the strongest implementation among the major platforms. It is free at the point of use, appears to be built to a recognised standard, and is visible in a way that distinguishes identity from paid subscription. Meta and X have made very different choices - bundling verification with premium tiers, and in X's case offering a "verification" that may actually increase the risk of impersonation and fraud rather than reducing it. By comparison, LinkedIn shows that robust, free, at-scale user verification is achievable. That is a significant finding, and it removes a familiar industry objection from the table.


But "best in class" is not the same as "good enough". LinkedIn's process lacks transparency in important respects, locks users into a single US-based commercial partner, treats interoperability as a one-way street, and does not demonstrate sufficient focus on mitigating the risks if verified accounts are hijacked. These are important areas for improvement - getting these details right is what will ensure verification delivers what it promises.


Regulators should take note. Ofcom is expected shortly to start consulting on how to give effect to the user verification duty in Section 64 of the Online Safety Act. The European Commission is developing its Democracy Shield proposals, including measures on user verification to restrict the use of fake accounts for Foreign Information Manipulation and Interference. LinkedIn proves that it is perfectly reasonable to require platforms to offer robust verification. Now it’s up to regulators to set the right standards to ensure that LinkedIn’s current offering becomes the floor, not the ceiling.
