So in Denmark we have got a new authentication system: NemID. As employed by the state through the university I get my salary information in an e-box. Logging into such a system is one of the uses of NemID. Netbanking also opts in. Entry of taxation information. Quite a lot. It premiered at the beginning of July 2010, and 3 million Danes are supposed to get NemID within the next half year. NemID means ‘easy identifier’ and it makes a promise of an easy system, and according to the Minister of Research Charlotte Sahl-Madsen it “gives the Danes one secure code, which can be used by all to almost everything everywhere”. I wouldn’t bet my right hand on that, though it seems fine in some aspects. Sahl-Madsen mentions that the system has been usability tested on the elderly and a handful of young students. Furthermore an organization of the blind has been involved in the testing.

For the user NemID consists of a user-id, e.g., our Danish personal registration number – the CPR number (what the Americans call the Social Security number), one self-selected password and a paper card with one-time codes (a one-time pad). You log in with all three items. Behind the scenes is a centralized keystore. The good news is that the paper one-time codes make it difficult for an attacker to use your credentials if he ‘only’ has control over your hacked computer or your hacked smartphone. He would usually need physical access to the paper card to complete his attack. One-time codes are difficult to break. There are 148 one-time numbers on the card. And now for the bad news:
- On the first day of operation a bottleneck arose since the company, CSC, taking care of the CPR numbers did not have enough capacity to keep up with the requests from DanID (the company operating the NemID system)! It basically meant a denial-of-service-like situation, and since police and hospitals also use the CPR system they too were affected.
- In the first days of operation the web-based system greeted users with the message “The security is compromised” when emailing the support staff. At one point DanID didn’t know why the error message was triggered!
- Two weeks later an error in a certificate resulted in half a day where a new NemID could not be ordered.
- One commenter on the Ingeniøren web site noted that there seems to be no difference in case handling for the password. Thus “pASsWoRd” and “password” would be the same, considerably reducing the number of possibilities a brute-force attacker needs to go through. The password can be as short as 6 characters and cannot have special characters.
- CPR numbers are not supposed to be disclosed in public. If you use the CPR number as user-id in the NemID login interface the number is displayed unhidden.
- You can write on the paper card with the one-time codes. If a forgetful user writes the password on the card and the wallet is stolen, then the thief has straight access. The CPR number is available on the driver’s license, and with the two other codes he should be able to log in from anywhere in the world.
- It is easy to copy the one-time code card, e.g., with an ordinary copy machine. I did that, but it took me quite a while to destroy the copy. Copy machines prevent color copies of banknotes but not of NemID cards. An attacker may copy or take a photo of your card without you knowing it if he has brief access to it. Then he mostly only needs to work on your self-selected password. And passwords may be easy to guess, e.g., Obama’s Twitter account was guessed from public information. A hardware security token would have been more difficult to copy. A high-resolution surveillance camera together with a keylogger at an internet cafe should also allow a hacker full entry.
- I ordered my NemID right away, but it took some days before the letter with NemID activation information came. For security reasons two separate letters are sent on separate days. However I was away on meetings, WikiSym and Wikimania (a report on that is available here) and the two letters lay there in my mailbox for several days. A mailbox thief would have gotten my CPR number (on my bank statement), the one-time code card and the initial code number to start the activation process.
- Several commenters have pointed to the strange use of paper instead of a hardware security token. When the 148 one-time codes have been used a new card needs to be given to the user. The postal service will be happy. I should think that the paper card is only a temporary solution. And yes it is. Apparently, the paper card is there because it is a reasonably easy way for people to accept the system. It is planned that users later can buy systems such as a token. So then you need to pay to log efficiently into required government systems. DanID is owned by PBS, a company owned by Danish banks.
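To make the three-item login described at the top and the case-folding problem from the Ingeniøren comment concrete, here is a small server-side model I have added for illustration; it is not DanID’s code, and the user-id, password, seed and card codes are constructed. It checks all three items, consumes each card code only once (so a copied card is worth exactly the unspent codes), and shows how case-insensitive matching shrinks the password keyspace.

```python
"""Toy model of a NemID-style login: user-id, self-chosen password and a paper
card of one-time codes. Added example, not DanID's code; values are constructed."""
import hashlib
import hmac
import os

CARD_SIZE = 148  # one-time codes per paper card, as stated in the post


def make_card(seed: bytes, n: int = CARD_SIZE) -> list[str]:
    """Derive n six-digit codes from a seed (constructed; a real issuer would draw
    them from a CSPRNG and keep only the server-side copy)."""
    return [f"{int.from_bytes(hmac.new(seed, i.to_bytes(2, 'big'), 'sha256').digest()[:4], 'big') % 10**6:06d}"
            for i in range(n)]


class Account:
    """Server-side record: salted password hash, the card, and the spent code indices."""

    def __init__(self, user_id: str, password: str, card: list[str], case_insensitive: bool = False):
        self.user_id = user_id
        self.case_insensitive = case_insensitive  # the weakness noted in the comment
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.card = card
        self.used: set[int] = set()

    def _hash(self, password: str) -> bytes:
        if self.case_insensitive:
            password = password.lower()  # folds "pASsWoRd" onto "password"
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, user_id: str, password: str, index: int, code: str) -> bool:
        """All three items must match, and a card code may be consumed only once."""
        if user_id != self.user_id:
            return False
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False
        if not 0 <= index < len(self.card) or index in self.used:
            return False  # unknown index or already spent code (replay attempt)
        if not hmac.compare_digest(self.card[index], code):
            return False
        self.used.add(index)
        return True


def password_keyspace(length: int, case_insensitive: bool) -> int:
    """Letters and digits only, as the post says; case folding cuts the alphabet from 62 to 36."""
    return (36 if case_insensitive else 62) ** length
```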