Front of a NemID card

Last Monday, I met with some friends at the Cock in Hackney. One of them had just returned from Copenhagen and mentioned having to sort out something related to his NemID. I’d never heard of it before.

Apparently NemID is a common login tool that Danish residents use to access online banking and services offered by public institutions. It’s a little credit card-sized booklet of 148 key pairs that you use alongside a user ID and a password. It’s like an analogue version of two-factor authentication. Each time you log in to something with NemID, the key pair you use is invalidated and is never used again. When you’ve used up all of your key pairs, you’re sent a new NemID booklet.

It seems like a great system. Unlike biometric data, it would be easy to replace if it were compromised. Unlike most other two-factor authentication methods, it doesn’t require an additional (usually smart) device of some sort.

There are downsides though. NemID is administered by a single organisation, Nets DanID A/S, and all of the data seems to be held in one place. This was a problem in 2013 when a DDoS attack knocked it offline temporarily. The oversight also seems pretty iffy, see this January 2016 blog article: “NemID is not cryptologically secure – and the authorities do not care”.

It’s also hard to say how this could be rolled out in countries with larger populations… Denmark’s population is around 5.7 million. That’s a bit more manageable than the UK (~ 66 million), Brazil (~ 209 million), or India (~ 1.3 billion).

Apparently NemID is going to be replaced by MitID in the next few years, so it will be interesting to see if the Danish government forces any changes to make the system less centralised.

And it makes me wonder (again) if something like Dark Crystal could ever work on a national scale.

– – –

web thoughts from jon-kyle

repeat these instructions until the project is complete

finish the project, scrap all of it.
finish the project, scrap half of it.
finish the project, scrap a third of it.

– – –

Musarc’s going to be at Palais de Tokyo in April. Info/tickets

– – –

Shop Talk ep. 250, Web security with April King and Alex Sexton

– – –

Beetroot Achaar recipe

– – –

On archiving/preserving websites

SB and I have been chatting about the whys, whens and hows involved in archiving a website. Archiving is always an uphill battle. It’s hard to take care of things as they age no matter what the material, and ageing code comes with a specific set of worries.

Read more