Comment by throwmitid1234

1 day ago

MitID is not great; I worked on the implementation for one of the providers.

I am surprised this is even a front-page topic: 3 years after it was rolled out, we saw downtime every week or so, so much so that we implemented automatic pop-ups for our customers, and no on-call. Signaturgruppen, a subsidiary of NETS, didn't even file this incident as a major outage lol. There is also no alternative: you simply can't access banking apps without MitID, so without it people in Denmark are just screwed. 3D Secure (online payments) doesn't work for most merchants, and login to government and banking sites doesn't work.

The main issue is that we have a central provider, NETS, who are known for NemID, its predecessor, and for card payments in Denmark. They're huge in this space, at least in Denmark.

The government and the banks wanted more control over MitID, so the responsibility was split between the major banks, Digitalstyrelsen (the government), and NETS.

Basically: customers, middleman, and NETS the vendor.

It was truly a shit show. The middleman (Digitalstyrelsen, the Agency for Digital Government) was technically illiterate and, either by contract or because they wanted to be in control, had inserted themselves in between customer and vendor. Now we suddenly couldn't provide feedback or talk to the vendor at all, which meant that the vendor had full control over how they interpreted the contract.

During development they shipped a version of the product that had a single flag set to false, preventing login. NETS weren't allowed to ship a fix for this for 3 months. Many of the customers had to use Burp Suite during their testing simply to progress with development.

Finally, when the vendor had "delivered" on their contract, the customer was left sitting with a half-baked product, and because Digitalstyrelsen was the primary arbiter of whether they'd fulfilled the contract, NETS got away with having delivered, at that point 1 year past schedule.

I've never had so many support tickets. For such a technically tiny product, we saw so much trouble getting people to use MitID over NemID. It was incredible.

What is even more insane is that each provider's implementation of MitID is technically an independent implementation; some are React, some Preact (if using the NETS-provided version), etc. All the providers have to provide a pixel-perfect replication to be allowed to issue MitID credentials.

Also, this was designed when OAuth was really hot, so most implementations are like 3 levels of deeply nested OpenID Connect and OAuth2; it gets pretty nuts.

Talk about an amount of wasted effort.

As with many other huge projects, especially government-led ones, it is just a big power play, and as it turns out, power wins. In this case, NETS.