EU's Age Check App Declared "Ready." Researchers Cracked It in 2 Minutes.
This episode is based on our article: EU's Age Check App Declared "Ready." Researchers Cracked It in 2 Minutes.
Full Episode Transcript
The European Commission declared its age verification app ready to roll out across the entire bloc. Security researchers broke through its core protections in about two minutes. Not two hours. Not two days. Two minutes.
If you've ever handed your I.D. to a website to prove your age, or let your kid download an app that asked for a birthdate, this story is about you. It's also about anyone who builds, evaluates, or stakes a legal case on identity verification tools. The E.U. built an app meant to protect children online by confirming a user's age without exposing their full identity. The idea was straightforward — store sensitive identity data in a secure vault on your phone, lock it behind a PIN and biometrics, and let websites check your age without seeing your name or face. The Commission called it technically ready and said it met the highest privacy standards. Then researchers showed that the vault's lock wasn't actually connected to the vault. So the question running through this entire episode is simple — when a system is declared "ready," who's checking whether it actually resists the people trying to break it?
Start with the PIN. The app asks you to set a PIN to protect your stored identity data. You'd assume that PIN is cryptographically bound to the secure vault — meaning the PIN itself is part of the math that locks and unlocks your information. It wasn't. The PIN and the vault existed independently, like a padlock sitting next to a door instead of threaded through the latch. An attacker with access to the device could manipulate a local configuration file and take over the account without ever guessing the PIN correctly. That's not a minor bug. That's an architectural disconnect between the thing that's supposed to protect you and the thing it's supposed to protect.
And the PIN itself had its own problem. The app included brute-force protection — a limit on how many times you could guess wrong before getting locked out. Sounds reasonable. But that lockout counter was stored as a plain incrementing number in the app's SharedPreferences file, Android's ordinary per-app key-value store, which anyone with access to the device's files can edit. Researchers just reset the counter back to zero. That gave them unlimited guesses. Unlimited. A four-digit PIN has only ten thousand possible values, so with unlimited attempts it doesn't take long to crack. For anyone who's ever set a PIN on a banking app and assumed there's a hard limit on wrong guesses — this is what it looks like when that limit is enforced by a number you can edit.
The biometric bypass was even simpler. The app had a setting for fingerprint or face unlock. That setting was controlled by a single true-or-false flag in the code, labeled "UseBiometricAuth." Flip it from true to false, and the app stops asking for your fingerprint entirely. No exploit kit needed. No specialized hacking tools. Just change one value in one file. That's how researchers got through the entire security stack in under two minutes.
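To make the three failures above concrete (the PIN not bound to the vault, the lockout counter living in an editable file, and the biometric gate reduced to a flag), here is an added example that is not code from the EU app or from the researchers' write-up. It is a hypothetical reconstruction of the pattern in Python: the "weak" design keeps a PIN hash, a failed-attempts counter and a UseBiometricAuth flag in a prefs dictionary that stands in for SharedPreferences, while the vault key sits in a simulated device keystore that never depended on the PIN. The "strong" design derives the vault key from the PIN with scrypt, so there is no flag or counter whose edit could open it. The sample identity record, the 4921 PIN, the function names and the HMAC-based authenticated encryption (a stdlib stand-in for AES-GCM or the Android Keystore) are all assumptions for the demo.

```python
"""Constructed demo: a PIN that sits beside the vault versus a PIN that is the key."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# --- Minimal authenticated encryption from stdlib primitives. This is a stand-in
# --- for AES-GCM / a hardware-backed keystore, not a recommended production cipher.
def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- WEAK (hypothetical reconstruction of the reported pattern) ---
DEVICE_KEYSTORE = {}  # simulates a device-bound key the app can always fetch

def weak_enroll(pin: str, identity: dict) -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    DEVICE_KEYSTORE["vault_key"] = (enc_key, mac_key)  # not derived from the PIN
    # Everything the unlock path consults lives in an editable prefs file.
    return {
        "UseBiometricAuth": True,
        "failed_attempts": 0,
        "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
        "vault": _seal(enc_key, mac_key, json.dumps(identity).encode()).hex(),
    }

def weak_unlock(prefs: dict, pin: str, fingerprint_ok: bool) -> Optional[dict]:
    if prefs["failed_attempts"] >= 3:
        return None  # "lockout", enforced only by a number in the file
    if prefs["UseBiometricAuth"] and not fingerprint_ok:
        return None  # "biometric gate", enforced only by a flag in the file
    if hashlib.sha256(pin.encode()).hexdigest() != prefs["pin_hash"]:
        prefs["failed_attempts"] += 1
        return None
    enc_key, mac_key = DEVICE_KEYSTORE["vault_key"]  # the lock never touched the vault
    return json.loads(_open(enc_key, mac_key, bytes.fromhex(prefs["vault"])))

def attack_weak(prefs: dict):
    """Attacker with file access: flip the flag, keep resetting the counter, try every PIN."""
    prefs["UseBiometricAuth"] = False
    for guess in range(10_000):
        prefs["failed_attempts"] = 0  # the brute-force limit is ours to edit
        pin = f"{guess:04d}"
        identity = weak_unlock(prefs, pin, fingerprint_ok=False)
        if identity is not None:
            return pin, identity
    return None

# --- STRONG: the PIN is part of the key derivation, so there is no flag to flip ---
def _derive(pin: str, salt: bytes):
    km = hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]  # separate encryption and MAC keys

def strong_enroll(pin: str, identity: dict) -> dict:
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(pin, salt)
    return {"salt": salt.hex(),
            "vault": _seal(enc_key, mac_key, json.dumps(identity).encode()).hex()}

def strong_unlock(prefs: dict, pin: str) -> Optional[dict]:
    enc_key, mac_key = _derive(pin, bytes.fromhex(prefs["salt"]))
    pt = _open(enc_key, mac_key, bytes.fromhex(prefs["vault"]))
    return None if pt is None else json.loads(pt)

SAMPLE_IDENTITY = {"over_18": True, "dob": "2001-05-09"}  # constructed sample data

if __name__ == "__main__":
    weak = weak_enroll("4921", SAMPLE_IDENTITY)
    print("weak design cracked:", attack_weak(weak))
    strong = strong_enroll("4921", SAMPLE_IDENTITY)
    strong.update({"UseBiometricAuth": False, "failed_attempts": 0})  # edits change nothing
    print("strong, wrong PIN:", strong_unlock(strong, "0000"))
    print("strong, right PIN:", strong_unlock(strong, "4921"))
```

The strong design still has a four-digit PIN, so an attacker who copies the vault blob can run the scrypt derivation ten thousand times offline; key stretching only slows that down. In a shipped app the attempt limit belongs in a hardware-backed keystore that enforces it itself, not in any file the app process can rewrite.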
Now, the E.U. made this app open-source on purpose. They published the code so anyone could inspect it, which is genuinely a good practice. Open-source code gets more eyes on it, and more eyes usually means faster discovery of problems. The vulnerability wasn't hidden in a black box — it was found precisely because the code was available for scrutiny. That's actually better than a proprietary system where the same flaw might sit undetected for years. But transparency only works if someone acts on what's found. According to reporting from multiple outlets, as of mid-April twenty twenty-six, the European Commission hadn't released an official fix or even a public response to these specific vulnerabilities. Countries like France, Spain, and Denmark are still piloting the app. So the code is open, the flaws are public, and the rollout continues.
What does that pattern look like beyond this one app? According to the Open Rights Group, more than four hundred security researchers have reached a consensus on a broader point — age verification systems face systemic bypass challenges that go beyond any single implementation. The structure of the open internet itself makes circumvention straightforward for motivated users. A teenager who can follow a YouTube tutorial can find a workaround. That doesn't mean age checks are worthless. It means the gap between "we deployed a control" and "the control actually works under pressure" is where credibility lives or dies. Regulators are starting to push toward what's called performance-based compliance — not just "did you install a system" but "can you prove it actually reduces underage access." That shift matters for every organization choosing an identity tool, and for every parent assuming the guardrails are real.
The Bottom Line
The designers of this app treated the user's own phone as a trusted environment. They assumed no one with access to the device would tamper with local files. That single assumption — device integrity — is what collapsed. The standard defense is to make the local files worthless to an attacker: derive the vault key from the PIN, and let a hardware-backed keystore enforce the attempt limit itself, so editing a flag or a counter changes nothing. And the same assumption is baked into identity and verification tools far beyond this one app.
So — the E.U. built an app to verify age and protect kids online. Researchers bypassed its PIN, its brute-force lockout, and its biometric check by editing local files on the device. The whole thing took less time than making a cup of coffee. Whether you evaluate identity tools for a living or you just trusted that age-check screen the last time your kid downloaded a game, the lesson is the same. A system that's been declared ready isn't the same as a system that's been proven resistant. The label on the box doesn't tell you what happens when someone shakes it. The written version goes deeper — link's below.