NemID

The NemID logo often appears where its usage is required or one of the log in options

NemID (lit.'EasyID') was a common login solution for Danish Internet banks, government websites, and some other private companies. NemID was managed by the Nets DanID A/S company and came into use on July 1, 2010. During its use, everyone in Denmark who was more than 15 years old and had a CPR-Number was eligible for a NemID, which could be used with their bank as well as public institutions. Anyone over 13 years old was able to use a NemID for internet banking. NemID was scheduled to be phased out on 30 June 2023,[1] and replaced by MitID. It was shut down on 31 October 2023.[2]

Operation

A NemID card that holds the user's private one-time-use keys

Users of NemID were assigned a unique ID number that could be used as a username in addition to their CPR-Number or a user-defined username.[3] They would receive a card containing pairs of numbers, similar to Transaction authentication numbers. After logging in with a username and password, NemID users were prompted to enter a key corresponding to a number as part of NemID's two-factor authentication scheme. These private keys were one-time use only. After all of them were used the user was required to get new private keys, which were typically sent to the user via mail once they were about to run out. Private keys were kept in a central server.[citation needed] This has caused criticism against the security of NemID system.[citation needed]

A NemID code token.

Unlike other web-based single sign-on solutions, NemID was not based on a cryptographical guarantee. While the security of Google's single sign-on, for example, is based on HTTPS, in that you use the domain name accounts.google.com in the browser's address line to ensure that you only send your password to Google (trusted third party), NemID was based on inputting your NemID-password on arbitrary webpages which show something that looks like a NemID password dialog, and then hoping that these pages do not steal your NemID-password.[4] As NemID was a legally binding signature which gave access to bank accounts and protected much personal information, this lack of cryptographical security has been criticized.[4][5] There appear to be no concrete reason for NemID to not have been designed with a cryptographical guarantee.[4]

History

On 11 April 2013, the NemID system shut itself down in response to a DDoS attack, causing widespread chaos in Denmark where internet banking was not possible during the attack.[6] With Java version 1.7.0_45, NemID Java applet was not able to log users in.[7]

On 29 May 2018, Digitaliseringsstyrelsen and Finans Danmark launched the NemID key app for smartphones, as a supplement to the NemID cards and NemID code tokens.[8]

MitID was rolled out as a replacement for NemID between 2021 and 2022.[9] In November 2022, it was announced that NemID would end on 30 June 2023.[10] It was shut down on 31 October 2023.

See also

References

  1. ^ "NemID will close soon". NemID.[dead link]
  2. ^ "NemID". www.borger.dk (in Danish). Digitaliseringsstyrelsen. Retrieved 6 January 2024.[dead link]
  3. ^ "Under 18 - NemID". NemID (in Danish). Retrieved 13 September 2023.[dead link]
  4. ^ a b c Kristensen, Thue (4 January 2016). "NemID er ikke kryptologisk sikker - og myndighederne er ligeglade". Ingeniøren (in Danish).
  5. ^ Biering, Henrik (17 September 2013). "Myter om NemID". Ingeniøren (in Danish).
  6. ^ "UPDATE: NemID system running again following attack". Copenhagen Post. Retrieved 12 April 2013.[dead link]
  7. ^ "NemID dur ikke med seneste opdatering". Berlingske (in Danish). 16 October 2013.[dead link]
  8. ^ Carlsen, Jacob (28 May 2018). "Nu kan du lade nøglekortet ligge - NemID er blevet til en app". TV 2 (in Danish).
  9. ^ "MitID vil løbende erstatte NemID". NemID (in Danish). 6 October 2021.[dead link]
  10. ^ "Om NemID og MitID efter d. 31. oktober". MitID (in Danish). 1 September 2022.