Red Flags: Slovensko v mobile

Simona from the community asked a tech lead from Denmark about their “SVM”.

MitID

  • From a technical point of view, MitID is only authentication, not signing.

  • MitID is authentication at level “substantial” (normally); it can also be upgraded to level “high”, but that requires going to the citizen office. In that case the certificate is stored on the mobile hardware and it is not possible to use biometrics to authenticate.

  • During the transition from NemID (previous authentication) to MitID, 900k people had to go to the citizen office to activate their MitID because their NemID was not on a “substantial” level.

  • The rest of the transition was done via banks. Banks were used to give the citizens “motivation” to go through the transition. It was decided that banks would phase out the old authentication at the end of November 2022, meaning the citizens had to change to MitID to do basic banking (e.g. log in to their banking app or make a payment). Banks gradually sent out letters (digitally) and “calls to action” via their apps.

  • The primary activation method after the transition is passport activation. Young people from 13 years old can use their passport to activate MitID for the first time. It’s also possible to activate a new MitID app on a new device using the passport, for instance when an old phone is broken or stolen.

  • The reason why it’s not necessary to use a password in the MitID app (only PIN or biometrics + swipe) is that the Danish digitalization agency believes the technology trends show that in the future we should have a different kind of security, not password-based: people forget their passwords all the time, they get stolen or leaked, or there is too much phishing going on. So they decided to go with this approach where the password is saved in the app (they call it the “knowledge element” of the app), hidden behind the PIN / biometrics. It has also created a lot of controversy in Denmark, but they believe that passwords are a thing of the past 🙂

Signing

  • Signing is done via Nem Login, which is a remote signing technology (here is the page for Nem Login; it is only in Danish, but Google Translate is sometimes a miraculous helper: Signering - Nemlog-in). From the user’s perspective, the user is only using MitID to sign, and the signature is authentication-based.

  • Nem Login is a qualified trust service that has the certificate saved on the server; the key is generated on the service side based on the authentication, not on the client side.

  • Nem Login facilitates the signing in public services, but banks and other brokers can develop their own services to handle the signing.

  • If you perform signing in the public sector, then it is performed via Nem Login (back-end). When signing in public services, the signature has the level of “qualified electronic signature”, but other brokers can have an advanced electronic signature (e.g. banks or the private sector), because in Denmark there is a law which accepts an advanced electronic signature as equal to a hand-written signature.

  • Currently it’s possible to generate a qualified electronic signature with authentication level “substantial”, but there is a new revision of eIDAS coming which wants to change this and allow a QES only with level “high”. This would mean everyone would have to go to the citizen office to update MitID to level “high”, and Denmark wants to avoid that.

  • Signing between two private people can happen via a third-party service provider, e.g. Penneo (Penneo is now the first private trusted service provider in Denmark - eIDAS Dashboard).

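As an added illustration of the remote-signing arrangement the notes describe (server-side key, signature issued only after authentication, and a minimum assurance level for a qualified signature), the Go program below models that flow. It is example code written for this page, not code from Nem Login, MitID, or the post; the `Assertion` and `RemoteSigner` types, the use of P-256 ECDSA over a SHA-256 digest, and the two policy settings (“substantial” suffices today; the proposed eIDAS revision would require “high”) are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Level is the assurance level of the authentication that precedes a signing
// request; the names mirror the "substantial" and "high" levels in the notes.
type Level int

const (
	Substantial Level = iota
	High
)

func (l Level) String() string {
	if l == High {
		return "high"
	}
	return "substantial"
}

// Assertion is a constructed stand-in for what the signing service learns
// from the authentication step: who authenticated and at which level.
type Assertion struct {
	Subject string
	Level   Level
}

// RemoteSigner models the service side of remote signing: every private key
// is created and kept here, and the client only ever receives signatures.
type RemoteSigner struct {
	keys        map[string]*ecdsa.PrivateKey // per-subject keys, never exported
	qesMinLevel Level                        // policy: minimum level for a QES
}

// NewRemoteSigner creates a service that only issues signatures to subjects
// authenticated at qesMinLevel or above (assumed policy, not Nem Login's).
func NewRemoteSigner(qesMinLevel Level) *RemoteSigner {
	return &RemoteSigner{keys: map[string]*ecdsa.PrivateKey{}, qesMinLevel: qesMinLevel}
}

// Sign enforces the level policy, generates the subject's key on the service
// side on first use, and signs the SHA-256 digest of the document. It returns
// the ASN.1 signature and the public key a relying party verifies against.
func (s *RemoteSigner) Sign(a Assertion, document []byte) ([]byte, *ecdsa.PublicKey, error) {
	if a.Subject == "" {
		return nil, nil, errors.New("assertion has no subject")
	}
	if a.Level < s.qesMinLevel {
		return nil, nil, fmt.Errorf("level %s is below required level %s", a.Level, s.qesMinLevel)
	}
	key, ok := s.keys[a.Subject]
	if !ok {
		var err error
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		s.keys[a.Subject] = key // the private key stays in the service
	}
	digest := sha256.Sum256(document)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return sig, &key.PublicKey, nil
}

// Verify is the relying party's check; it needs only the public key.
func Verify(pub *ecdsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	doc := []byte("constructed sample document")

	svc := NewRemoteSigner(Substantial) // today's policy as described in the notes
	sig, pub, err := svc.Sign(Assertion{Subject: "citizen-1", Level: Substantial}, doc)
	if err != nil {
		fmt.Println("signing failed:", err)
		return
	}
	fmt.Println("signature verifies:", Verify(pub, doc, sig))
	fmt.Println("verifies over altered document:", Verify(pub, []byte("altered"), sig))

	strict := NewRemoteSigner(High) // the proposed eIDAS revision policy
	_, _, err = strict.Sign(Assertion{Subject: "citizen-1", Level: Substantial}, doc)
	fmt.Println("rejected under strict policy:", err != nil)
}
```

The point the model makes is that the client never holds key material: it contributes an authentication result, and the service decides from that result's level whether a signature may be produced at all. Raising `qesMinLevel` from `Substantial` to `High` is the one-line policy change that would force the citizen-office upgrade the notes say Denmark wants to avoid.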