It's the organization you use if you're sick, lost your job, where you get your social security etc. Basically a huge behemoth of all kinds of social or labor services.
While most of the code probably has little value for others (2000 different repos), I think it's quite noble that it's public, given it's made with taxpayer money and serves our people. And when working there I found it quite cool to work in the open, a sense of pride in publishing everything we were doing. Also a bit funny, just checked the project I started 5 years ago: "last updated 42 minutes ago".
Just curious, since it's been a dream of mine to have public services powered by open software: How often do bugs in the services get reported either, with direct references to the underlying software (function names, line numbers, etc.), or as changesets/PRs with proposal fixes?
Especially for simpler things like style/accessibility issues, I could see this being somewhat common honestly.
Wow, looks pretty nice from the screenshots. Do you have experience using it? Does it work well/do what it claims? I recently moved to Spain, which has a digital identity system, but it is a pretty disjointed attempt.
Speaking as an immigrant from America, I really like DigiD! I wish the US had something even remotely similar. The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
DigiD has some minor annoyances, but it's a helluva lot better than some alternatives I could think of.
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
Why? I’ve lived in a European country with common national IDs, in the US, and in a European country without national IDs, and I’m not sure that the absence of it is “embarrassing.” Note that in most European countries it’s an identifier of citizenship, not residence, with other ID cards such as residence permits, drivers licenses, or municipal registrations indicating residence. Therefore, it’s far from sufficient for many common use cases that depend on residence, and the countries that don’t have one such as the US or the UK typically use passports (or ad-hoc solutions such as US/Canada enhanced drivers licenses) for travel.
> The fact that we do not have a standardized national ID easily available to everyone is embarrassing.
Surely that's hyperbole. State IDs are pretty standardized, and even more so with the REAL ID system (if the mandates for it ever go into effect). When have you ever had a problem using one state's ID in another state?
It was on purpose. Americans traditionally don't like the idea of a standard, mandatory national ID. But SSNs have basically been re-appropriated to serve that purpose, to get around that, despite them being explicitly listed as "not intended as a means of general identification."
I find the DigiD app to be one of the most annoying implementations of 2FA out there. You have to unlock the app with a pin code, then enter an app-generated code on the site, then scan a QR with the app, and then grant permission to login to that site.
If you compare that to 2FA for Office 365 for example, where you just have a push notification where you press a button to allow, then you can't help but think that some attention to UX would be helpful.
As it is, I usually pick SMS verification instead of using the app. Yes, less secure, but so much easier.
For an app that cost in the tens of millions to produce[1], and for which the company (gov-owned and operated) behind it charges implementors/users (not end-users ofc)[2] for each and every single successful DigiD authentication event €0.13, DigiD authorization event €0.88, and even for every digital message delivered into your "berichtenbox" €0.32, it could.. no, rather it should indeed provide a much better experience than what we have now.
On the other side of this, push-phishing through MFA fatigue has become an extremely common way to hack into enterprise O365 instances (as well as Google Cloud accounts and the like).
People don't generally read it when their phone apps send them a "please login" notification after the 200th one that day, they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to login), especially when busy, which results in them letting phishers onto their device.
The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention on whether it's them logging in or not.
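The contrast drawn in the two comments above (a push prompt the user can blindly approve, versus a flow that makes the user act on what is on their own screen) as an added example, not code from the thread or from DigiD itself: a toy identity provider in Python. The challenge-bound half is an assumption, an HMAC over a challenge the site shows only in the browser that started the login; DigiD's real protocol is not modelled, only the property that an approval is tied to a specific session. A small detection routine over the prompt log is included because prompt volume is what a SOC can alert on before anyone taps Approve.

```python
import hashlib
import hmac
import secrets


class PushApprovalIdP:
    """Blind push approval. The tap in the app is not tied to the browser
    session that caused the prompt, so approving the wrong prompt admits
    whoever started that session."""

    def __init__(self):
        self.pending = {}       # user -> stack of (prompt_id, session_id)
        self.prompt_log = []    # (timestamp, user) for every prompt pushed
        self.authenticated = set()

    def start_login(self, user, session_id, now):
        prompt_id = secrets.token_hex(8)
        self.pending.setdefault(user, []).append((prompt_id, session_id))
        self.prompt_log.append((now, user))
        return prompt_id

    def approve_top_prompt(self, user):
        """A busy user taps Approve on whatever prompt is on top."""
        _prompt_id, session_id = self.pending[user].pop()
        self.authenticated.add(session_id)
        return session_id


class ChallengeBoundIdP:
    """Challenge-bound approval (toy model, an assumption, not DigiD's real
    protocol). The site renders a fresh challenge in the browser that started
    the login; the app answers with an HMAC over exactly that challenge under
    the key enrolled for the user. A prompt the user never saw cannot be
    completed, because its challenge is only shown in the attacker's browser."""

    def __init__(self):
        self.app_keys = {}      # user -> key held by the enrolled app
        self.challenges = {}    # session_id -> outstanding challenge
        self.authenticated = set()

    def enroll_app(self, user):
        key = secrets.token_bytes(32)
        self.app_keys[user] = key
        return key

    def start_login(self, session_id):
        challenge = secrets.token_hex(16)
        self.challenges[session_id] = challenge
        return challenge        # shown as a QR code in this browser only

    def finish_login(self, user, session_id, response):
        challenge = self.challenges.pop(session_id, None)
        if challenge is None or user not in self.app_keys:
            return False
        if hmac.compare_digest(app_sign(self.app_keys[user], challenge), response):
            self.authenticated.add(session_id)
            return True
        return False


def app_sign(app_key, scanned_challenge):
    """What the app computes after the user scans the QR in front of them."""
    return hmac.new(app_key, scanned_challenge.encode(), hashlib.sha256).hexdigest()


def fatigue_alerts(prompt_log, threshold=5, window_seconds=300):
    """Detection side: users who received at least `threshold` prompts inside
    one sliding window. Prompt volume is the early signal, not approvals."""
    alerts = set()
    recent = {}
    for ts, user in sorted(prompt_log):
        times = recent.setdefault(user, [])
        times.append(ts)
        while ts - times[0] > window_seconds:
            times.pop(0)
        if len(times) >= threshold:
            alerts.add(user)
    return alerts


def simulate():
    """Constructed scenario: an attacker holding alice's password keeps
    triggering prompts; alice, mid-task, approves the top prompt twice."""
    results = {}

    push = PushApprovalIdP()
    for i in range(6):
        push.start_login("alice", f"attacker-session-{i}", now=100 + 20 * i)
    push.start_login("alice", "alice-own-session", now=230)
    push.approve_top_prompt("alice")        # her own prompt, by luck
    push.approve_top_prompt("alice")        # attacker-session-5 is now in
    results["push_attacker_in"] = "attacker-session-5" in push.authenticated
    results["push_alert_raised"] = "alice" in fatigue_alerts(push.prompt_log)

    bound = ChallengeBoundIdP()
    key = bound.enroll_app("alice")
    attacker_challenge = bound.start_login("attacker-session-1")
    bound.start_login("attacker-session-2")
    alice_challenge = bound.start_login("alice-own-session")
    alice_response = app_sign(key, alice_challenge)   # she scans her own screen
    results["bound_alice_in"] = bound.finish_login("alice", "alice-own-session", alice_response)
    # Without the enrolled key the attacker cannot answer their own challenge.
    forged = app_sign(b"not-the-enrolled-key", attacker_challenge)
    results["bound_forged_rejected"] = not bound.finish_login("alice", "attacker-session-1", forged)
    # Replaying alice's response against another session fails: different challenge.
    results["bound_replay_rejected"] = not bound.finish_login("alice", "attacker-session-2", alice_response)
    return results
```

What the model does not cover is a real-time relay, where a phishing page forwards the genuine QR to the victim; binding to a session defeats blind approval and replay, not a proxied challenge.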
That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.
I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.
If you leave the country without setting up SMS you can’t ever use 2FA. They claim to support adding foreign numbers, support people being abroad, support adding new DigiD accounts from abroad, but oh no you can’t just add a number. Not even by going to an office or doing a virtual interview. I would think this violates EU law on discrimination. If you live in the UK post-Brexit it’s now totally impossible, I believe (since you aren’t even allowed to make a new account).
It's slightly easier on-device (where the app runs), but still, try opening your government messages inbox: that takes 5 taps/screens/Face ID and a code. It always works though, and one does not use it very often.
I do appreciate that they keep it so secure (or perhaps I should say, not logged in by default). It works well in general imho.
I have dozens of 2FA codes now that require searching for the correct one, and I have to store backup codes in physical form. Which probably a lot of people keep unencrypted on their desktop somewhere.
With the Digid app you just need to remember the pin code or unlock with face id.
The app generates the codes for each login and then you just scan the QR. It's very simple to use.
Recently I lost my phone and had to set everything up again. I had to start digging for 2fa backup codes, but Digid I could easily set up again using the NFC chip in my passport.
The company making this clearly doesn't want to open up development, this code was released because the government was forced to. They stripped the commit history and some hard coded details and I don't think they'll develop on this repo either.
Some extra eyes on the current code might fix some small issues, but I doubt this is going to improve the app much.
It's pretty pathetic how many people feel the need to dunk on this bit of code just because it's not how they would write it. There's nothing really wrong with it. I'm sure the author was aware of alternative, perhaps more concise solutions using a string builder but they chose to be clear instead.
I vaguely suspect that this is a product of the sort of environment where you have to fill out a form in triplicate to get the static analyser to let you concatenate strings (which, to be clear, may not be inappropriate for something like this).
I do object to the variable being called ‘percentage’ tho, as it clearly isn't one.
I'm triggered by the lack of brackets after every if-expression. Sure it looks nicer this way but the default Visual Studio code style settings will complain if you don't do it, hence I'm used to it.
"...This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid")..."
Sounds like it was not voluntary. Also not sure what kind of transparency is expected here, since there is no way to find if the source code published is the same used to build the app. Maybe decompilation is the way to go...
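The check the comment above is asking for is the usual one for a published source tree: build it yourself with the same toolchain, then compare the result with the store APK entry by entry. Below is an added example in Python, not code from the thread or from the DigiD repository, that does the comparison on two constructed zip files standing in for the published and rebuilt APKs (an APK is a zip). The v1 signature files under META-INF/ are excluded because a self-built APK is necessarily signed with a different key; v2/v3 signatures sit in the APK Signing Block outside the zip entries and do not show up in an entry-level diff at all.

```python
import hashlib
import io
import zipfile

SIGNATURE_DIR = "META-INF/"   # v1 (JAR) signature: MANIFEST.MF, CERT.SF, CERT.RSA


def entry_digests(apk_bytes, ignore_signature=True):
    """SHA-256 of the uncompressed content of every file entry in the APK.
    Signature files are skipped by default: a rebuilt APK is signed with a
    different key and will always differ there, which tells you nothing
    about whether the code matches."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if ignore_signature and info.filename.startswith(SIGNATURE_DIR):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(published, rebuilt):
    """Entry-level comparison; zip metadata such as timestamps and
    compression level is ignored, only content counts."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(name for name in set(a) & set(b) if a[name] != b[name]),
    }


def is_reproducible(published, rebuilt):
    """True only when every non-signature entry matches byte for byte."""
    return not any(diff_apks(published, rebuilt).values())


def make_apk(entries):
    """Constructed stand-in for an APK: a zip built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample, not real DigiD artifacts: identical code in both, a
# different signing certificate, and one resource whose value was redacted
# in the published source tree, so the rebuild carries the placeholder.
PUBLISHED_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "res/raw/endpoints.json": b'{"api": "https://api.example.invalid"}',
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"vendor-certificate-bytes",
})
REBUILT_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
    "res/raw/endpoints.json": b'{"api": "REDACTED"}',
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"my-own-debug-certificate",
})

if __name__ == "__main__":
    print(diff_apks(PUBLISHED_APK, REBUILT_APK))
```

On a real build expect classes.dex to differ unless the project is built deterministically (R8/ProGuard output, resource ordering and embedded timestamps all move bytes around); when it does, decompile both dex files with a tool such as jadx and diff at the source level instead, which is the point where the published tree either matches or does not.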
It's semi-voluntary; the request to open source the application came from the Dutch congress/2nd chamber if I recall, but took a while due to private information leaking concerns.
In order to verify your ID with the app your phone must have NFC support to scan the passport/ID, and on the screen where you do the verification it says: if your phone doesn't have support, find a friend with a phone that supports it. I kid you not.
How this is used in practice is when you log in to a government site, you provide your DigiD account name and password, and then (often but not always) verify that it's really you with either SMS or (apparently) by scanning a document with NFC. Since it's just a single-use authentication I don't see a particular problem with doing it on another device. The actual government interaction after you're logged in happens on the website anyway, not your friend's phone.
btw I see that attaching an NFC reader to your computer is also supported.
I don't think I've ever used DigiD to verify my passport, I was vaguely aware it had the capability though. On the other hand I use DigiD all the time to login to websites. My health insurance, government websites, etc. Super efficient and simple.
The passport feature is a new one to provide an alternative safer method of verifying ID for the times you need it. It isn't the default use of DigiD and is meant as an alternative to physically taking your passport places.
Access to a smartphone with NFC can indeed be an issue for some people, but it is still better than having to record videos of yourself holding your ID next to your face, then a couple of years later finding out that your personal data is freely circulating on the web because one of those sleazy identity verification services has been hacked.
I don't know why so many people are saying that this is bad code.
Besides the redundant checks, it's really simple, so simple that an intern, maybe even someone who doesn't code, can understand and update it.
It's performant, most compilers will cache the strings.
People trying to justify more complex one-liners with "what if you change the symbol, or just show 5 characters" etc. These scenarios wouldn't take more than 5 minutes to adapt this code, and anyone could do it.
For me, this code with a good set of tests doesn't get much better.
It's easy to read, simple to maintain, and performant code. Maybe one of those newer switch expressions would make the code even clearer, but they already left the redundant lower bound checks in so I think the way this looks is quite intentional.
Much easier to read than `int count = (int)Math.Floor(percentage / 10); return new String('#', count) + new String('-', 10 - count);` in my opinion and not worth writing a custom progress component for.
Do you live in Nederland still? You can request the verification via post instead of using your passport. If you lose your DigiD login, you can also create/request another. The account acts as a pointer to your official ID. My wife made a mistake and had to attempt the process 3 times. Not a problem.
Living overseas it took them several years to realize that making a trip to an embassy overseas just to get a registration code was not a feasible way.
Luckily Corona made them realize you can also do it over a Skype call.
They explicitly say it's not intended for reuse, and various stuff has been redacted (though I've not identified any that would stop the code from working). Interestingly you are allowed to reuse the code under the EUPL license.
The interesting aspect of this is that it can be studied to write clients for platforms that are not officially supported -- currently, only Android and iOS are supported, but it'd be great to see a Linux client too.
It's a big shame that history has been rewritten and heavily redacted though. Version control history often has a lot of contextual information that's not immediately obvious in the source code itself.
I don't think a self-compiled version would work with services like belasting etc.
I did not look in depth, but the source code would reveal how things are getting encrypted and business flows but not the data. That is in DigiD's infrastructure.
Great so now we can be sure some hacker working at an intelligence agency or criminal syndicate reads this and now knows how to hack DigiD, which is basically the Dutch government's SSO. After you get in you can do all kinds of things like apply for student loans, passport taxes etc. There will be another layer of security but still.. this is not great. Don't get me wrong I am not against publishing source code but they ought to think about what they publish.
argulane|3 years ago
And not everything is there. ID Card software is hosted on Github https://github.com/open-eid
cloudify|3 years ago
This is the official government app (you can get benefits, pay taxes, etc...), downloaded by 30+ million citizens, stack is React Native + Typescript
vinay427|3 years ago
I agree that digital IDs can be very useful.
krono|3 years ago
1: https://www.rijksfinancien.nl/memorie-van-toelichting/2019/O...
2: https://logius.nl/onze-organisatie/zakendoen-met-logius/door...
dr_dshiv|3 years ago
On desktop, you use pin, type code, then scan. I find the flow quite smooth.
dr_dshiv|3 years ago
I suppose openness will enhance security over time?
c7DJTLrn|3 years ago
So many big egos in software.
BasedInfra|3 years ago
- https://github.com/alphagov
- https://github.com/hmrc
- https://github.com/dwp
throwaway71271|3 years ago
edit, found it in the code:
https://github.com/MinBZK/woo-besluit-broncode-digid-app/blo...
fudgefactorfive|3 years ago
So you definitely can't use this unless you pull the strings from the compiled APK they've published.
Aeolun|3 years ago
Trusting it's safe because you don't know if it's not sounds like a bad idea.
arp242|3 years ago
1. A safe that's been sitting on a public square for ten years, which the best safe-crackers in the world have tried – and failed – to break.
2. A safe hidden in a secret room that no one is allowed to access, but the manufacturer claims it's safe without real evidence beyond "trust me".