MitID is already available on our Enterprise plan, and will soon be available on Express.
MitID is a new electronic ID in Denmark, replacing NemID. It is a collaboration between the Danish banks and the Danish public sector. This alliance forms a nationwide solution and provides a secure authentication mechanism for all citizens in Denmark. People in Denmark can use MitID for online banking, Digital Post, communication with public authorities, identifying themselves in other digital services, and more.
# Try it out
Here is how the MitID login box will look for the end-users. Since it is a demo, any username and password will work:
For more information about the user interface, see Frontend policies and guidelines.
# Time plan
MitID will be available in mid-2021. There will be a transition period where you can use both NemID and MitID, although NemID will be phased out at the beginning of 2022.
Signicat will provide a MitID version in the pre-production environment from 1. February 2021. This allows you to start preparing and implementing your solution some months before the go-live date on 6. May 2021. If you would like to start the implementation before 1. February 2021, please contact Signicat.
# Contact Signicat for more information
Signicat will continuously add content to this page reflecting the status of the integration.
To keep updated on the development progress, you can sign up for the latest news by sending an e-mail to email@example.com.
Signicat will be happy to assist you in ordering and setting up MitID. Please, contact Signicat for more information.
# Key features of MitID
This is an overview of important features in MitID (more details will come later):
A common, national identity and authentication solution.
Public actors, financial institutions and other private service providers can only use MitID through certified brokers.
Secure login supporting all three levels of assurance (LoA) from eIDAS, Low, Substantial and High:
- Low authenticates the user with only a password authenticator. This is not available in NemID.
- Substantial authenticates the user with a two-factor authenticator combination, e.g. password + code display.
- High authenticates the user with a more advanced two-factor authenticator combination, e.g. app + chip.
For more details, see Level of Assurance.
Integrate with Signicat Sign to create Advanced Electronic Signatures (AES).
# Level of Assurance (LoA)
MitID is compliant with the NSIS standard, which is the Danish version of eIDAS (Electronic Identification and Trust Services in EU). The defined LoA values for the transaction are Low, Substantial or High. LoA consists of the following assurance components:
- IAL: "Identity Assurance Level" for the transaction. This refers to the identity proofing process and indicates how sure you are that the person is the true owner of the identity.
- AAL: "Authentication Assurance Level" for the transaction. This refers to the authentication process and indicates how sure you are that the end-user is in control of the used authenticator.
- FAL: "Federation Assurance Level" for the transaction. This indicates the requirements to a relying party for receiving information about the end-user.
The level of assurance is decided by the combination of these components. When requesting an authentication, the request can either specify a target LoA, or a target AAL.
For an overview of attributes, see the Attributes section.
With LoA Low, you can allow your users a simple password-based login.
Substantial achieves the equivalent LoA of NemID authentications.
With LoA High, you can achieve the highest level of confidence using a two-factor authentication of your users.
With Step-Up authentication, you can achieve a higher LoA for a user in a fast and simple way. For example: If a user is logged into your service with LoA Low, but tries to access a restricted area which requires LoA Substantial or LoA High, they do not have to re-enter their username, password, or any authenticators from their previous authentication. Instead, they only need to use the additional authenticator(s) that are needed to achieve the required LoA.
With MitID, the end-user logs in with a username in combination with one or two authenticators.
MitID offers the use of the following authenticators:
- Password: A high-security password authenticator implementation based on the Secure Remote Password (SRP) protocol.
- Code display: A physical device authenticator showing a one-time password (OTP) to be typed into the service provider’s user interface within a certain time. It is based on OATH TOTP (RFC 6238)
- Audio code reader: A sound-based TOTP token (time-based one-time password algorithm). The device reads aloud the OTP code to the user so the user can enter it in the service provider’s user interface. This is an alternative for visually impaired or if the user does not want to use the code app.
- App: The user can use this app when a secure element is present in the hardware or in combination with the MitID chip, assuming proper activation. Both will give a High LoA. There is an alternative version of this app named App Enhanced Security. With this app, the user must enrol on a device with SE/TEE technology (secure element/trusted execution environment). These technologies are possible elements included in the NFC technology (Near Field Communication for smartphones). The user should not enable biometric unlocking of the app. This prevents the use of multi-user functionality.
- Chip: This is a chip that supports the FIDO U2F standard. The end-user can combine this with the password or the app for reaching High LoA.
# Possible authentication combinations
MitID supports different combinations of authenticators. Single-factor authentication can be to combine a username with one of the mentioned authenticators, for example a password. If higher security is needed, you can use a more secure authenticator, such ass App, or use two-factor authentication, e.g. combining a password with Code display.
The following table (from the MitID broker package documentation) shows possible combinations of authenticators and what level of assurance the combinations give (Low, Substantial and High):
For example, a password alone gives single-factor authentication with Low as LoA. Password together with a code token gives two-factor authentication with Substantial as LoA. Password together with a chip gives two-factor authentication with High as LoA etc.
Note: As a broker, Signicat supports all MitID authenticators. MitID decides the possible combinations.
# Authentication flows for the end-user
The authentication flow for the end-user depends on the level of assurance for each use case and which authenticator(s) the end-user uses. This section shows some authenticator combinations with photo sliders.
# Username and password (single-factor, Low)
The following flow is a basic single-factor login with username and password. It gives Low as LoA, which is the missing “one-factor” login in NemID.
- From the service provider site, the end-user selects the MitID Login link. This displays the Load page. The Load page sets the stage for a safe and secure end-user experience.
- After the load screen, the MitID Login box is presented in front of the broker's landing page. The end-user enters the username.
- The end-user enters a personal password.
- When the end-user is successfully identified, the Approved screen is displayed. The end-user is redirected to your site as logged in.
# App in combination with username (single-factor, Substantial)
To obtain Substantial LoA, the end-user can replace the Password authenticator with the App authenticator in the above flow:
# Code display in addition to password (two-factor, Substantial)
To obtain two-factor authentication with Substantial LoA, the end-user can add the Code Display authenticator to the username and password combination:
# Audio code reader in addition to password (two-factor, Substantial)
Visually impaired can use the Audio code reader authenticator as an alternative to the Code display authenticator. This is also a step up to two-factor authentication with Substantial LoA:
# Chip in addition to password (two-factor, High)
To obtain two-factor authentication with High LoA, the end-user can add the Chip authenticator to the username and password combination:
With Signicat's own authentication-based signing solution, you can electronically sign documents using a MitID authentication. This ensures a unified output format in accordance with EU specifications. The signing results in a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO).
# Frontend policies and guidelines
The UX scheme is a central part of the MitID brand, and there are strict rules on how to set up the end-user interface, e.g. for the MitID Login box. However, you do not need to worry about these rules, since Signicat as a broker will handle it for you.
In addition, there are some GUI elements that you may decide or adjust yourselves:
- Pop-up or redirect?
- Texts like reference text header and action texts, e.g. Log på.
- Colors (More information will come later)
- Language (Danish, English or Greenlandic)
# Pop-up or redirect?
This choice is up to you and is all about user experience (see more details below). Both ways are equally secure. The following sub-sections describe the advantages and disadvantages of both redirects and pop-ups.
The popup is displayed on top of your website when the end-user is asked to authenticate and will be closed once the authentication is successful. For an example of a pop-up, see the image below.
Advantage: The end-user does not shift context and can see your website behind the popup when using a PC.
- For mobile devices, the pop-up is displayed in a new tab and the end-user switches context.
- End-users may experience problems with pop-up blockers, resulting in never seeing the MitID Login box.
- If the end-user enlarges the text, a scrollbar may appear, and this is not allowed.
- Some flows may require more space than is suitable for a pop-up.
Recommendations for desktops:
When using a pop-up on a desktop, the broker landing page should be as limited as possible to create a familiar experience for the end-user. For example, avoid unnecessary elements around the MitID box. Center the pop-up on the screen and anchor the MitID box to the top.
Recommendations for mobile devices (tablets and smartphones):
- Set up the switch between the original tab and the MitID tab automatically so the users do not get stuck nor must navigate themselves.
- The space around the MitID box must adapt to the screen size.
- Center the pop-up on the screen and anchor the MitID box to the top.
A redirect means the end-user is redirected to be authenticated on the broker landing page where the MitID box is shown inside the landing page. When the authentication is successful, the user is sent back to your website.
- The user can bookmark the redirect page to log in directly.
- Easier to implement.
- A pop-up on a mobile device is displayed in a new tab, so redirect is recommended for those devices to avoid a bad user experience when switching between tabs.
Disadvantage: The user leaves your web site.
Recommendation: Center the pop-up on the screen and anchor the MitID box to the top.
Supported languages are Danish and English. Later versions will also support Greenlandic.
# Reference texts
The reference text consists of:
- Reference text header (action text + name of service provider): Adjust the wording in the action heading that fits best, e.g. Log på, Godkend på, Bekræft på, Accepter på, Underskriv på, before the name of your business. Max 60 characters.
- Reference text body: Max 130 characters.
# Frequently asked questions
# Why is Denmark changing the digital ID infrastructure?
NemID was launched in 2010 and is based on a 10 years old infrastructure and 10 years old contracts between the Digitisation agency (digst.dk), the Danish Banks and Nets. There is a need for a more secure and user-friendly solution. For more information, see digst.dk.
# What are the advantages of the MitID architecture compared to NemID?
For the service provider there are lots of advantages: Better support for standard security protocols, risk data support, three levels of assurance compliant with eIDAS, built-in step-up authentication to mention a few.
# How do we get started with migrating from NemID to MitID?
All service providers must use MitID through a MitID broker. You must find a MitID Broker and make a contract with them to offer MitID login or signing. For more information, see Migration from NemID to MitID.
# Must we show both NemID and MitID login to end-users during the transition period?
Signicat recommends that you support both NemID and MitID in the transition period. For more information, see Migration from NemID to MitID.
# Who can issue a MitID identity?
The government (Kommuner) and banks.
# How will MitID look like?
Seen from the end-user, there is no big difference in a typical login flow. Most of the new things are "behind the scene". For more information, see Authentication with MitID compared to NemID.
# Does the end-user just need a username and password and is it safe?
Yes, MitID supports single-factor authentication like username and password. This is obviously not as secure as two-factor authentication, but in many cases enough and easier to use.
# What types of authenticators (app, chip, display device etc.) should we require from end-users to get the appropriate level of assurance (low, substantial, high)?
As a service provider, you must make a "risk assessment" for information/data assets the user can access and assign the appropriate level of assurance. Different combinations of authenticators satisfy different LoAs. For example, just "Password" will only satisfy LoA "Low", while "Password + Chip" will satisfy LoA "High". For more information, see Possible authentication combinations.
# Which environments will be available and when?
MitID will go in production in May 2021. For more information, see Timeplan.
# Will it be possible to create test identities for non-production testing?
Yes, Signicat can do that for you as our customer.
# Which protocols is supported for MitID?
SAML 2.0 and OIDC.
# How is it planned to implement functionality to increase Level of Assurance during the user session?
There is a built-in function in the MitID protocol that supports step-up from one assurance level to another. The user must only activate the authenticator required to go to next level of assurance and not do a completely new login. The step-up may require the service provider to store certain attributes from the original authentication and pass them on as request parameters. The exact protocol here has yet to be fully determined.
# Does MitID support iframes?
No, MitID does not support iframes. Instead, you can choose between implementing the login box using either redirect or popup. For more information, see the Popup or redirect section.
# Can MitID be used for payments?
It depends on the application using it. MitID is not a payment method, but an electronic identification method (eID).