 | ||
NemID (literally: EasyID) is a common log-in solution for Danish Internet banks, government websites and some other private companies. NemID is managed by the Nets DanID A/S company and came into use on July 1, 2010. Everyone in Denmark who is over 15 years old and has a CPR-Number is eligible for a NemID that can be used with their bank as well as public institutions. Anyone over 13 years old may use a NemID for internet banking.
Users of NemID are assigned a unique ID number that can be used as a username in addition to their CPR-Number or a user-defined username.
Users receive a card containing pairs of numbers, similar to Transaction authentication numbers. After logging in with a username and password, NemID users are prompted to enter a key corresponding to a number as part of NemID's two-factor authentication scheme. These private keys are one time use only. After all of them are used the user must get new private keys, which are generally sent to the user via mail once they're about to run out.
Private keys are kept in a central server. This has caused criticism against the security of NemID system.
Unlike other web-based single sign-on solutions, such as Google's and Facebook's, NemID is not based on a cryptographical guarantee. While the security of for example Google's single sign-on is based on HTTPS, in that you use the domain name accounts.google.com in the browser's address line to ensure that you only send your password to Google (trusted third party), NemID is based on inputting your NemID-password on arbitrary webpages which show something that looks like a NemID password dialog, and then hoping that these pages do not steal your NemID-password. As NemID is a legally binding signature, gives access to bank accounts, and protects much personal information, this lack of cryptographical security has been criticized. There appear to be no concrete reason for NemID to not be designed with a cryptographical guarantee.
On 11 April 2013, the NemID system shut itself down in response to a DDoS attack, causing widespread chaos in Denmark where internet banking was not possible during the attack. With Java version 1.7.0_45, NemID Java applet was not able to log users in.