Published

Could NemID exist in other countries? And should it?

Front of a NemID card

Last Monday, I met with some friends at the Cock in Hackney. One of them had just returned from Copenhagen and mentioned having to sort out something related to his NemID. I’d never heard of it before.

Apparently NemID is a common login tool that Danish residents use to access online banking and services offered by public institutions. It’s a little credit card-sized booklet of 148 key pairs that you use alongside a user ID and a password. It’s like an analogue version of two-factor authentication. Each time you log in to something with NemID, the key pair you use is invalidated and is never used again. When you’ve used up all of your key pairs, you’re sent a new NemID booklet.

It seems like a great system. Unlike biometric data, it would be easy to replace if it were compromised. Unlike most other two-factor authentication methods, it doesn’t require an additional (usually smart) device of some sort.

There are downsides though. NemID is administered by a single organisation, Nets DanID A/S, and all of the data seems to be held in one place. This was a problem in 2013 when a DDoS attack knocked it offline temporarily. The oversight also seems pretty iffy, see this January 2016 blog article: “NemID is not cryptologically secure – and the authorities do not care”.

It’s also hard to say how this could be rolled out in countries with larger populations… Denmark’s population is around 5.7 million. That’s a bit more manageable than the UK (~ 66 million), Brazil (~ 209 million), or India (~ 1.3 billion).

Apparently NemID is going to be replaced by MitID in the next few years, so it will be interesting to see if the Danish government forces any changes to make the system less centralised.

And it makes me wonder (again) if something like Dark Crystal could ever work on a national scale.