Aarhus Universitets segl

[Translate to Dansk:] Computer science student from Aarhus University helps improve the security in MitID.

[Translate to Dansk:] Computer science student Thomas Kingo T. Mogensen and associate professor lektor Diego Aranha
[Translate to Dansk:] Computer science student Thomas Kingo and associate professor Diego Aranha have analyzed MitID and identified several security breaches, which now have been closed. Photo: Sebastian Krog Knudsen//Department of Computer Science

MitID is a step forward - if used properly

Denmark is phasing in a new digital ID system, known as MitID. A student and several researchers from the Department of Computer Science at Aarhus University have carried out an analysis of the new system based on the information that is publicly available. The conclusion is that MitID in many ways is better organized and more secure than NemID, which it replaces.

However, it is important to note that users of MitID should be careful when choosing their username to ensure it is not too easy to guess. If an attacker gets knowledge of a username, it is possible, in certain circumstances, to keep a user out of the system for a longer period of time. This option is to some extent also found in NemID but can be avoided in MitID by choosing a username that has no obvious connection to the person in question.

We encourage new users to be guided better in choosing good and secure usernames, at least until the system is updated and the problem is solved. The analysis is made by computer science student Thomas Kingo T. Mogensen, in collaboration with associate professor Diego Aranha, assistant professor Sophia Yakoubov and Professor Ivan Damgård.

A detailed report containing the analysis can be found here. The report has been presented to MitID, and the system has subsequently been updated, so that the "social engineering" attacks mentioned have become significantly more difficult to carry out.