Should have stuck with NemID, the previous paper alternative, or only offered MitID as a digital alternative. The rush to go all digital is coming back to bite them in the .....
mrweasel|2 days ago
One of the flaws of that system was exactly that you didn't know which domains were allowed to issue the requests for a one-time key.
Each service would serve the authenticator snippet from their own domain, with their own certificate. MitID, for all its centralization flaws, solved that by only being valid under the mitid.dk domain. I doubt that most people check the domain and the certificate, but they could.
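The domain-and-certificate check mrweasel says most people skip is easy to get wrong in code. Below is an added example, written for this page and not taken from the thread or from MitID, of an origin allow-list check a relying party could apply before trusting an authenticator snippet's source. It assumes the only legitimate origin is https://mitid.dk and its subdomains; that is an illustration, not a statement about MitID's real configuration. A naive substring check is shown next to it so the bypass is concrete.

```javascript
// Added example: allow-list an authenticator origin. Everything about
// "mitid.dk" here is an assumption for illustration, not MitID's real policy.
const ALLOWED_APEX = "mitid.dk";

// Naive check of the kind people actually write: it accepts anything that
// merely contains the string, e.g. https://mitid.dk.evil.example/.
function naiveOriginCheck(urlString) {
  return urlString.includes(ALLOWED_APEX);
}

// Hardened check: parse with the WHATWG URL parser and compare the
// normalised host, scheme and port instead of looking at the raw string.
function isAllowedAuthenticatorOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;                                 // unparsable: reject
  }
  if (url.protocol !== "https:") return false;    // no cleartext, no javascript:/data:
  if (url.username || url.password) return false; // https://mitid.dk@evil.example/
  if (url.port !== "") return false;              // only the default port 443
  const host = url.hostname;                      // parser has lowercased / punycoded it
  if (host.endsWith(".")) return false;           // treat "mitid.dk." as a different name
  return host === ALLOWED_APEX || host.endsWith("." + ALLOWED_APEX);
}

// Given the origins of every frame or script a page loads, return the ones
// that must not be trusted to present an authenticator.
function untrustedOrigins(urls) {
  return urls.filter((u) => !isAllowedAuthenticatorOrigin(u));
}

// Constructed sample input for the stand-alone run (not real observed URLs).
const SAMPLE_URLS = [
  "https://www.mitid.dk/login",
  "https://MITID.DK/",
  "http://www.mitid.dk/login",
  "https://mitid.dk.evil.example/",
  "https://evil.example/mitid.dk",
  "https://mitid.dk@evil.example/",
  "https://www.mitid.dk:8443/",
];
for (const u of SAMPLE_URLS) {
  console.log(`${u}\tnaive=${naiveOriginCheck(u)}\thardened=${isAllowedAuthenticatorOrigin(u)}`);
}
```

The point of the side-by-side is that the bypasses (a look-alike subdomain of an attacker's zone, userinfo before an `@`, a non-default port, plain http) all pass the substring check and all fail the parsed comparison; checking the certificate by eye is the human equivalent of the second function.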
lxgr|2 days ago
How would you use a paper ID online? (Securely, i.e. not the insane thing of taking a selfie holding it or something similarly bizarre in an age of powerful GenAI.)
simongray|2 days ago
NemID, the previous national 2-factor solution, used a small card with rows of pre-printed single-use codes. When you logged in to a bank or a public sector website, it would ask for a random code at a specific row and column number. Once the system registered that you had just a handful of codes left, a new card would be sent to you via snailmail. It worked fine for the time.
The current system, MitID, depends on smartphones, though you can get an external key generator as a backup too.
LeonidasXIV|2 days ago
The way it worked before was that you had basically a piece of paper with OTP codes and the website would prompt you for a very specific one.
How that would've prevented this issue: not at all. If the login service is down, having the piece of paper with OTP codes is worthless as the problem is not getting the codes (I can still get MitID codes with the OTP dongle) but the authentication website. The previous system was just as centralized.