Comment by zenmac

2 days ago

Should have stuck with NemID, the previous paper alternative, or only offered MitID as a digital alternative. The rush to go all digital is coming back to bite them in the .....

One of the flaws of that system was exactly that you didn't know which domains were allowed to issue the requests for a one-time key.

Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all its centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.

How would you use a paper ID online? (Securely, i.e. not the insane thing of taking a selfie holding it or something similarly bizarre in an age of powerful GenAI.)

  • NemID, the previous national 2-factor solution, used a small card with rows of pre-printed single-use codes. When you logged in to a bank or a public sector website, it would ask for a random code at a specific row and column number. Once the system registered that you had just a handful of codes left, a new card would be sent to you via snailmail. It worked fine for the time.

    The current system, MitID, depends on smartphones, though you can get an external key generator as a backup too.

    • The big drawback of one-time passwords is that they don't protect against man-in-the-middle attacks such as phishing, which is in practice one of the most common attacks on systems of this scale.

      The logistics operation involved in distributing codes is also very expensive and inflexible. You may need to authenticate payments a dozen times in an hour one day, when you are at a farmers' market which doesn't take card payments or you are out dining with friends, and another day not at all.

      Given all this, a good old public key infrastructure makes sense. But that is unfortunately also usually the first step to a complexity explosion.


    • Yeah, but functionally it is the same. If the website is down, it doesn't matter if I got the OTP code from a piece of paper or the dongle.

  • The way it worked before was that you had basically a piece of paper with OTP codes and the website would prompt you for a very specific one.

    How that would've prevented this issue: not at all. If the login service is down, having the piece of paper with OTP codes is worthless as the problem is not getting the codes (I can still get MitID codes with the OTP dongle) but the authentication website. The previous system was just as centralized.
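The code-card scheme described in the NemID comment above (a random row/column challenge, single-use codes, a new card once only a few remain), written out as a server-side verifier. This is an added illustration, not code from the thread or from NemID itself; the grid size, the reissue threshold and the policy of burning a challenged cell even on a wrong answer are assumptions.

```python
import hmac
import secrets


class CodeCard:
    """Server-side record of one paper code card: a grid of single-use codes."""

    def __init__(self, rows, cols, low_water_mark=10):
        # Constructed sample codes; a real issuer would print and store these securely.
        self.codes = {
            (r, c): f"{secrets.randbelow(10**6):06d}"
            for r in range(rows)
            for c in range(cols)
        }
        self.unused = set(self.codes)
        self.low_water_mark = low_water_mark  # assumed threshold for mailing a new card
        self.pending = None  # the (row, col) cell the user is currently asked for

    def challenge(self):
        """Pick a random unused cell; the user reads that code off the card."""
        if not self.unused:
            raise RuntimeError("card exhausted; a new card must be issued")
        self.pending = secrets.choice(sorted(self.unused))
        return self.pending

    def verify(self, row, col, code):
        """Accept the code only for the challenged cell; burn that cell either way.

        Note what the verifier sees: just a code for a cell it asked for, not
        where the user typed it. A site relaying the challenge in real time
        (the phishing case raised in the replies) looks identical to a genuine
        client, which is why single-use codes alone do not stop it.
        """
        if self.pending is None or (row, col) != self.pending:
            return False  # no outstanding challenge, or answer for the wrong cell
        expected = self.codes[(row, col)]
        self.unused.discard((row, col))  # single-use: assumed burned even if the answer is wrong
        self.pending = None
        return hmac.compare_digest(expected.encode(), code.encode())

    def needs_reissue(self):
        """True once only a handful of codes remain, triggering the snail-mail replacement."""
        return len(self.unused) <= self.low_water_mark
```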