User-centric security analysis of MitID: The Danish passwordless digital identity solution.

Comput. Secur. (2023)

Abstract
MitID is the new electronic identification (eID) solution in Denmark. It provides access to many online services, including online banking, insurance, taxes, and health information. In this paper, we analyze the security of the new solution from the user experience perspective concerning Denial of Service (DoS), Social Engineering (SocEng), and other possible attacks that can be mounted without special privileges or obtaining unauthorized access. Our analysis shows that, even though the solution is of paramount importance to the Danish online infrastructure, the analyzed version did not adequately defend against simple attacks targeting specific users. With simple automated scripts, we were able to prevent a targeted user from authenticating for a period of 9 days; and show how an attacker can collect information to mount convincing SocEng attacks aiming at identity theft. Our findings were disclosed to the affected parties in December 2021, and since then, the solution has been updated two times. The first update in January 2022 rendered the SocEng attacks ineffective. However, due to the inherent design trade-offs, targeted DoS attacks were still unmitigated. The second update was in June 2023 and appears to address all of our findings. © 2023 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
Keywords

Security analysis, Digital identity, MitID, Denial of service, Social engineering