There is a particular kind of policy theater that announces itself with the word “robust.” When the European Commission released its age-verification app in mid-April 2026, the surrounding language did the usual work: privacy-preserving, user-friendly, interoperable, built on the same technical foundations as the forthcoming European Digital Identity Wallet. The app was meant to let a person prove they were over eighteen without surrendering a name, a birthdate, or anything else — a clean cryptographic answer to a messy political demand to keep children away from harmful content. It was the kind of thing you are supposed to admire from a distance and not look at too closely.
Security researchers looked closely. According to reporting from cybersecurity outlets and Politico, UK-based consultant Paul Moore demonstrated a full bypass of the app’s authentication in under two minutes. French cryptographer Olivier Blazy independently probed the same release. The method was not exotic. It did not require a deepfake, a stolen credential, or a lab full of equipment. It required a text editor.
What “hacked in two minutes” actually meant
The app stored several of its security controls in an editable configuration file on the device rather than in the phone’s secure hardware. The PIN protection could be undone by deleting the values tied to it and restarting the app, which let an attacker set a new PIN while keeping access to credentials created under the old profile. The rate limiting — the mechanism that is supposed to stop someone from guessing a PIN over and over — was just a counter in that same editable file. Reset it to zero and the system forgets every failed attempt. And biometric verification, the layer that is supposed to anchor the whole thing to an actual human face, was governed by a boolean flag named UseBiometricAuth. Set it to false and the biometric step simply disappears.
This is the detail worth sitting with. The biometric check — the part of the system that exists precisely because it is hard to fake a face — was protected by a switch a user could flip. Modern smartphones ship with secure enclaves and hardware-backed keystores designed for exactly this kind of secret: a key generated there cannot be exported, and the operating system can refuse to use it until a fingerprint or face has been checked, so the decision is enforced by the hardware rather than read from a file the app merely trusts. The app, by several researchers’ accounts, did not use them where it mattered. The cryptography on paper was sound; the implementation left the keys to it in an unlocked drawer. A separate architectural flaw flagged back in March 2026 went deeper still: the system reportedly could not verify that the passport validation it depended on had actually happened on the user’s device. The proof of age could be asserted without the act that was supposed to produce it.
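The pattern described in the two paragraphs above, reduced to a toy you can run. This is an added example written for this page, not code from the Commission’s app or its contractors. The field names mirror the controls the article describes (a failed-attempt counter, a UseBiometricAuth flag, a stored PIN) and DEVICE_KEY stands in for a key held in the phone’s secure hardware; both are assumptions of the demo. The first half shows the naive design, where the app trusts whatever is on disk; the second binds the same state to the device key so that an edited file is rejected rather than obeyed.

```python
"""Security state in an editable file vs. state bound to a device key.
Added example for this article; field names and the key are assumptions."""
import hashlib
import hmac
import json
import os

MAX_ATTEMPTS = 5
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
# Constructed sample state, as a naive app might write it to disk.
SAMPLE_STATE = {
    "pin_salt": _SALT.hex(),
    "pin_hash": hashlib.pbkdf2_hmac("sha256", b"1234", _SALT, 100_000).hex(),
    "failed_attempts": 5,        # rate limiter: locked out at MAX_ATTEMPTS
    "use_biometric_auth": True,  # the flag the article describes
}
# Stand-in for a non-exportable keystore key (assumption for the demo).
# A text editor on the device cannot read it; the app can only use it.
DEVICE_KEY = os.urandom(32)


class TamperDetected(Exception):
    pass


# --- insecure pattern: trust whatever is on disk ---------------------------
def save_plain(state: dict) -> bytes:
    return json.dumps(state, sort_keys=True).encode()


def load_plain(blob: bytes) -> dict:
    return json.loads(blob)


def is_locked_out(state: dict) -> bool:
    return state["failed_attempts"] >= MAX_ATTEMPTS


def biometric_required(state: dict) -> bool:
    return bool(state.get("use_biometric_auth", False))


def attacker_edits(blob: bytes) -> bytes:
    """The text-editor attack: zero the counter, switch biometrics off,
    and drop the PIN so the app will accept a fresh one on restart."""
    state = json.loads(blob)
    state["failed_attempts"] = 0
    state["use_biometric_auth"] = False
    state.pop("pin_hash", None)
    state.pop("pin_salt", None)
    return json.dumps(state, sort_keys=True).encode()


# --- hardened pattern: bind the state to a key the editor cannot see -------
def seal(state: dict, key: bytes = DEVICE_KEY) -> bytes:
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"state": body.decode(), "mac": tag}).encode()


def open_sealed(blob: bytes, key: bytes = DEVICE_KEY) -> dict:
    """Fail closed: any changed byte in the state invalidates the MAC."""
    try:
        wrapper = json.loads(blob)
        body = wrapper["state"].encode()
        tag = wrapper["mac"]
    except (ValueError, KeyError, TypeError, AttributeError):
        raise TamperDetected("unparseable state file")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise TamperDetected("state file does not match device key")
    return json.loads(body)


def attacker_edits_sealed(blob: bytes) -> bytes:
    """Same edit inside the sealed wrapper; the attacker has no key, so
    the MAC stays as it was and no longer matches."""
    wrapper = json.loads(blob)
    wrapper["state"] = attacker_edits(wrapper["state"].encode()).decode()
    return json.dumps(wrapper).encode()


def demo() -> dict:
    plain = save_plain(SAMPLE_STATE)
    before, after = load_plain(plain), load_plain(attacker_edits(plain))
    sealed = seal(SAMPLE_STATE)
    try:
        open_sealed(attacker_edits_sealed(sealed))
        sealed_bypassed = True
    except TamperDetected:
        sealed_bypassed = False
    return {
        "plain_locked_before": is_locked_out(before),
        "plain_locked_after": is_locked_out(after),
        "plain_biometric_after": biometric_required(after),
        "sealed_intact": open_sealed(sealed) == SAMPLE_STATE,
        "sealed_bypassed": sealed_bypassed,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, a MAC stops edits but not rollback: an attacker who saved an older sealed file with the counter at zero can copy it back, and the MAC will still verify, which is why lockout counters belong in a hardware monotonic counter or in the keystore’s own authentication-failure logic rather than in any file the app writes. Second, the cleanest fix for the biometric flag is to have no flag at all: generate the credential key in the keystore with user authentication required, so the unwrap simply fails unless the operating system has just verified a face or fingerprint.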
The Commission’s response followed the script. A spokesperson called the release a demonstration version, said DG CONNECT and the contractor — Scytáles and T-Systems — had taken immediate steps, and promised an updated build. Moore and Blazy pushed back in the press, saying they had been testing the latest available code, not some throwaway prototype, when they found the holes. The app had been presented to the age-assurance community at a global standards summit, where the flaws were spotted almost on contact. “Demo” is doing a great deal of load-bearing work in that sentence.
The flaw beneath the flaws
It would be easy to file this under sloppy engineering and move on, confident that version two will be better. Some of it probably will be. Boolean flags get moved into enclaves; counters get hardened. But the more durable lesson is the one that survives any patch, and more than four hundred privacy and security researchers had already named it when they urged the Commission to pause deployment pending stronger standards.
Age verification is not safe by design, because it requires linking a real identity to an online action. That link is the whole point — it is what makes the system “work” — and it has to be established somewhere, by something, even if the clever cryptography then tries to forget it. The EU’s design was, to its credit, genuinely thoughtful about this. The zero-knowledge approach is supposed to let your phone generate a mathematical proof that your birthdate satisfies years >= 18 without ever transmitting the birthdate itself, with the private key sealed on the device. In principle, that is about as good as the idea gets.
But the proof has to be grounded in something. A passport chip is scanned; a qualified authority signs a credential; a face is checked against a document. Every one of those steps is a moment where sensitive identity and biometric data exists in the clear, on a device, in a process — and every one is a moment an implementation can get wrong. The two-minute bypass is what it looks like when those moments are handled carelessly. The honeypot is what it looks like when they are handled at scale.
The honeypot we keep building
This is the pattern age-verification mandates share across jurisdictions, whatever the technical sophistication of any given implementation. To prove that millions of people are adults, you must process the documents and biometrics of millions of people. Even an architecture that promises to discard the data the instant it is used has to touch the data to use it. And the political logic rarely stops at “prove you’re over eighteen.” Once the infrastructure exists — once every adult is expected to carry an identity credential to reach ordinary parts of the internet — the temptation to reuse it, to log it, to require it elsewhere becomes structural. The EU app is meant to be unlinkable and anonymous. The mandate it serves is neither.
What the researchers exposed in two minutes was not just bad config-file hygiene. It was a preview of the gap between how these systems are described and how they behave. We are told they are robust, privacy-preserving, and safe. Then someone opens a text editor. The honest position is not that the EU built a uniquely bad app — by the standards of the field, its ambitions were unusually good. The honest position is that the safest age-verification system is the one that collects and binds the least, and that “protecting children” should never be a phrase that ends an argument about who holds the keys to everyone’s identity. A protection that breaks in two minutes was never protecting the children. It was only ever collecting the data.
Sources: Cybernews, Proton, Biometric Update, EFF, EU digital strategy.