Danish MitID vulnerability may be fixed with QR code
A few days ago, the Danish national broadcaster, DR, published a story documenting that the new Danish MitID has a vulnerability requiring a fix.
We suggest introducing a QR code to be scanned with the MitID app on the phone, which will effectively close the door on this particular attack.
The published vulnerability is serious and required an immediate update to MitID before the DR news story (in Danish) could run.
The key observation by DR is that a login with MitID is a little too easy to complete for someone who knows nothing more than another person’s MitID user name. A more thorough description may be found in the DR article if you read Danish.
Still, it is essential to emphasise that, from a technical perspective, MitID is more secure than its predecessor, NemID. The documented attack may only succeed if the victim is inattentive and unaware of the official MitID guidelines, which may, unfortunately, describe a sizable population.
A login must be started and completed on the same phone
Luckily, you only have to look to Sweden for an example of a robust solution with a 100% guarantee that a login may never be initiated by anyone other than the person who will complete it. And this with the convenience of never having to enter any username or password.
Swedish BankID has introduced a login flow for use when logging in on devices other than the one with the BankID app installed.
The flow, as it could be set up for MitID, would be as follows (see also the image below from the Swedish bank, SEB):
- The website you are signing into displays a short-lived QR code
- You open the MitID app on your phone, which immediately turns on the camera
- You point the camera at the QR code shown on the website
- The MitID app reads the QR code and recognises it as a signed login request from the website
- After this, the user is taken through the approval flows already provided by the MitID app
This approach is more user-friendly than the current one, as no typing is required of the user, while at the same time making it impossible for anyone but you to start the login process.
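As an added illustration of the flow above (not code from MitID, BankID or the original post): a Go sketch of the signed, short-lived login request the website would put into the QR code, and the checks the app would run on it before continuing to its usual approval flow. The payload format, field names and the use of an Ed25519 key pinned per website are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LoginRequest is what the website encodes in the QR code (a constructed format, not MitID's own).
type LoginRequest struct {
	Origin    string `json:"origin"` // website the user is signing into
	Nonce     string `json:"nonce"`  // ties the request to one browser session
	ExpiresAt int64  `json:"exp"`    // short-lived: the QR code is only good for seconds
}

var b64 = base64.RawURLEncoding

// MakeQRPayload runs on the website: a fresh nonce and expiry, signed with the website's Ed25519 key.
func MakeQRPayload(priv ed25519.PrivateKey, origin string, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body, _ := json.Marshal(LoginRequest{Origin: origin, Nonce: b64.EncodeToString(nonce), ExpiresAt: now.Add(ttl).Unix()})
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body)), nil
}

// VerifyQRPayload runs in the app: decode, check the signature against the key pinned for the named
// website, then check the expiry. Only a request that passes all three starts the normal approval flow.
func VerifyQRPayload(payload string, trusted map[string]ed25519.PublicKey, now time.Time) (*LoginRequest, error) {
	head, tail, found := strings.Cut(payload, ".")
	body, errB := b64.DecodeString(head)
	sig, errS := b64.DecodeString(tail)
	var req LoginRequest
	if !found || errB != nil || errS != nil || json.Unmarshal(body, &req) != nil {
		return nil, errors.New("malformed payload")
	}
	if pub, ok := trusted[req.Origin]; !ok || !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("not signed by a trusted website")
	}
	if now.Unix() >= req.ExpiresAt {
		return nil, errors.New("login request expired")
	}
	return &req, nil
}
```

Because the nonce and expiry are chosen by the website and covered by its signature, a code copied from one session cannot be reused later or presented as coming from a different site; the user name never enters the picture.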
What’s required by owners of MitID
The owners of MitID, the Danish Agency for Digitization, and the Danish Banking Association must commission the MitID supplier to develop a fix to mitigate the vulnerability documented by DR.
To maintain the usability of MitID, we suggest the QR-code solution described above. And as the fix is rolled out, it is equally crucial that the current username entry capability is removed from the MitID app.
Only with initiatives like this may MitID maintain its otherwise very promising convenience, which may lead to a much broader adoption than has so far been the case with its predecessor, NemID.