NemID (lit. 'EasyID') was a common login solution for Danish Internet banks, government websites and some other private companies. NemID is managed by the Nets DanID A/S company and came into use on July 1, 2010. During its use, everyone in Denmark who was more than 15 years old and had a CPR-Number was eligible for a NemID, which could be used with their bank as well as public institutions. Anyone over 13 years old was able to use a NemID for internet banking. NemID was scheduled to be phased out on 30 June 2023,[1] and replaced by MitID. It was shut down on 31 October 2023.[2]
Users of NemID are assigned a unique ID number that can be used as a username in addition to their CPR-Number or a user-defined username.[3]
Users receive a card containing pairs of numbers, similar to Transaction authentication numbers. After logging in with a username and password, NemID users are prompted to enter a key corresponding to a number as part of NemID's two-factor authentication scheme. These private keys are one time use only. After all of them are used the user must get new private keys, which are generally sent to the user via mail once they're about to run out.
Private keys are kept in a central server. This has caused criticism against the security of NemID system.
Unlike other web-based single sign-on solutions, such as Google's and Facebook's, NemID is not based on a cryptographical guarantee. While the security of for example Google's single sign-on is based on HTTPS, in that you use the domain name accounts.google.com in the browser's address line to ensure that you only send your password to Google (trusted third party), NemID is based on inputting your NemID-password on arbitrary webpages which show something that looks like a NemID password dialog, and then hoping that these pages do not steal your NemID-password.[4] As NemID is a legally binding signature, gives access to bank accounts, and protects much personal information, this lack of cryptographical security has been criticized.[4][5] There appear to be no concrete reason for NemID to not be designed with a cryptographical guarantee.[4]
On 11 April 2013, the NemID system shut itself down in response to a DDoS attack, causing widespread chaos in Denmark where internet banking was not possible during the attack.[6] With Java version 1.7.0_45, NemID Java applet was not able to log users in.[7]
NemID key app
On 29 May 2018, Digitaliseringsstyrelsen and Finans Danmark launched the NemID key app for smartphones, as a supplement to the NemID cards and NemID code tokens.[8]
End of Life
MitID was rolled out as a replacement for NemID between 2021 and 2022.[9] In November 2022, it was announced that NemID would end on 30 June 2023.[10] It was shut down on 31 October 2023.
See also
References
- ↑ "NemID will close soon - NemID".
- ↑ Digitaliseringsstyrelsen, Skrevet af. "NemID". www.borger.dk (in Danish). Retrieved 6 January 2024.
- ↑ "Under 18 - NemID". www.nemid.nu. Retrieved 13 September 2023.
- 1 2 3 "NemID er ikke kryptologisk sikker - og myndighederne er ligeglade". 4 January 2016.
- ↑ "Myter om NemID". 17 September 2013.
- ↑ "UPDATE: NemID system running again following attack". cphpost. Retrieved 12 April 2013.
- ↑ "NemID dur ikke med seneste opdatering". 16 October 2013.
- ↑ "Nu kan du lade nøglekortet ligge - NemID er blevet til en app - TV 2". 28 May 2018.
- ↑ "MitID vil løbende erstatte NemID". 6 October 2021.
- ↑ "Om NemID og MitID efter d. 31. oktober". 1 September 2022.
External links
- Forbrugerrådets page about NemID (in Danish)
- NemID opposition (in Danish)