Hacker News | throwmitid1234's comments

MitID and NemID before it were pretty much bought by the banks and the government together.

It is to avoid the banks needing their own ID for customers, as people would need to go into the banks using their passports etc. to register.

Some banks do have their own logins and IDs for various purposes, but you often need MitID somewhere in there simply to verify the actual identity of the person with the account. All the other logins simply give you access to the ID; they don't actually verify it. MitID does that.

For example, Lunar doesn't need MitID during 3D Secure (online payments), but that is only because you used MitID at some point to store your proof on your phone, which you can unlock with a secure enough method, and then do the payment. This is considered enough, as you still use an identity that has been verified by MitID at some point.


I wouldn't bet on a postmortem. MitID is well into maintenance mode, like NemID before it.

NETS have always been very sparse with their postmortems; they don't act like a SaaS provider. Not even as a partner did we get a postmortem. They're well and truly into the jaded territory. During two jobs, both as a provider (customer of NETS), and as a consumer of a provider of MitID

Note this is as a customer. The provider and in turn their customers pay per login, and a quite hefty fee at that. NETS are just too big.

They were down every few weeks for a short while (between 2020-2023), so I guess this is probably still the norm.


Payments were affected somewhat. In Denmark it is often required to sign in to MitID when doing online transactions using credit/debit cards; it is called 3D Secure. You usually have other options: MobilePay, PayPal, and the like.

This is mostly a case of them not really reporting it. MitID is down quite frequently (now once a month-ish, but in the first few years every week or so), or at least partially down. They now finally have their own status page; previously you had to get your status from a provider when they noticed that logins began to fail ;)

They're very light on reporting issues; in this case Signaturgruppen, a subsidiary of NETS, didn't even mark this as a full outage.


MitID is not great; I worked on the implementation for one of the providers.

I am surprised this is even a frontpage topic, 3 years after it was rolled out, we saw downtime every week or so. So much so that we implemented automatic pop-ups for our customers, and no on-call. Signaturgruppen, a subsidiary of NETS, didn't even file this incident as a major outage lol. There is also no alternative: you simply can't access banking apps without MitID, so without it people in Denmark are just screwed. 3D Secure (online payments) doesn't work for most merchants, and login to government and banking sites doesn't work.

The main issue is that we have a central provider, NETS, who are known for NemID, its predecessor, and card payments in Denmark. They're huge in this space, at least for Denmark.

The government and the banks wanted more control over MitID, so the responsibility was split between the major banks, Digitalstyrelsen (the government), and NETS.

Basically: customers, middleman, and NETS the vendor.

It was truly a shit show. The middleman (Digitalstyrelsen - Agency for Digital Government) was technically illiterate and, either by contract or because they wanted to be in control, had inserted themselves in between customer and vendor. Now we suddenly couldn't provide feedback or talk to the vendor at all, which meant that the vendor had full control over how they interpreted the contract.

During development they shipped a version of the product that had a single flag set to false, preventing a login. NETS weren't allowed to ship a fix for this for 3 months. Many of the customers had to use Burp Suite during their testing simply to progress with development.

Finally when the vendor had "delivered" to their contract, the customer was sitting back with a half-baked product, and because it was Digitalstyrelsen that was the primary arbiter of whether they'd fulfilled the contract, NETS got away with having delivered at that point 1 year past schedule.

I've never had so many support tickets. For such a technically tiny product, we saw so much trouble getting people to use MitID over NemID. It was incredible.

What is even more insane is that each provider implementation of MitID is technically an independent implementation; some are React, Preact (if using the NETS-provided version), etc. All the providers have to provide a pixel-perfect replication to be allowed to issue MitID credentials.

Also this was designed when OAuth was really hot, so most implementations are like 3 levels deeply nested of OpenID Connect and OAuth2, it gets pretty nuts.

Talk about an amount of wasted effort.

As with many other huge projects, especially government-led ones, it is just a big power play, and as it turns out, power wins. In this case NETS.

