Aarhus University Seal

Computer science student from Aarhus University helps improve the security in MitID.

Computer science student Thomas Kingo T. Mogensen and associate professor lektor Diego Aranha
Computer science student Thomas Kingo and associate professor Diego Aranha have analyzed MitID and identified several security breaches, some of which have been closed. Photo: Sebastian Krog Knudsen//Department of Computer Science

MitID is a step forward - if used properly

Denmark is phasing in a new digital ID system, known as MitID. A student and several researchers from the Department of Computer Science at Aarhus University have carried out an analysis of the new system based on the information that is publicly available. The conclusion is that MitID in many ways is better organized and more secure than NemID, which it replaces.

However, it is important to note that users of MitID should be careful when choosing their username to ensure it is not too easy to guess. If an attacker gets knowledge of a username, it is possible, in certain circumstances, to keep a user out of the system for a longer period of time. This option is to some extent also found in NemID but can be avoided in MitID by choosing a username that has no obvious connection to the person in question.

We encourage new users to be guided better in choosing good and secure usernames, at least until the system is updated and the problem is solved. The analysis is made by computer science student Thomas Kingo T. Mogensen, in collaboration with associate professor Diego Aranha, assistant professor Sophia Yakoubov and Professor Ivan Damgård.

A detailed report containing the analysis can be found here. The report has been presented to MitID, and the system has subsequently been updated, so that the "social engineering" attacks mentioned have become significantly more difficult to carry out.

Updated october 2022:

The final report can be downloaded here. In addition, Version2 has written an article [in Danish] about a similar study of MitID. This therefore suggests that not all security breaches have been resolved - Thomas and Diego recently talked to Danish newspeper Politiken about this.