Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’    

Author thumbnail
Ritzau/The Local - [email protected]
Concerns over Denmark’s MitID security after media finds vulnerability to ‘simple hack’    
Danish journal Ingeniøren reported that MitID is vulnerable to sabotage. File photo: Liselotte Sabroe/Ritzau Scanpix

IT experts say that the discovery of a hack using “unbelievably simple code” raises concerns over the security of Denmark’s new online digital ID, MitID.


Engineering journal Ingeniøren reported on Friday that a coding trick can enable hackers to easily identify the usernames of MitID users.

According to an investigation by Ingeniøren, MitID contains several serious design flaws that make it possible to guess the usernames of thousands of users and lock them out of the system for several days at a time.

In some instances, hackers may even be able to log on using victims’ MitID, the investigation concluded.


The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.

READ ALSO: MitID takes over as default option on Danish platforms

An investigation of MitID’s security conducted by Ingeniøren's supplement media Version2 resulted in 11,000 MitID usernames being correctly guessed in one night by applying a “simple stump code”.

Ingeniøren subsequently spoke to IT security professor Carsten Schürmann of the IT University of Copenhagen, who called the hack used an “unbelievably simple code”.

“My students learn this type of attack during the first two to three weeks on my courses,” he said to Ingeniøren.

Another commenter, Jan Kaastrup of IT security firm CSIS, told the journal he was surprised at the ease of the method.

“I knew this was possible but not how easy it was. I really think MitID has erred and I think your investigation proves that convincingly,” he said. Kaastrup is a former member of Europol IT security organ European Cybercrime Centre.

The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told Ingeniøren that it would investigate the issue. The agency did not comment on the specific findings of the journal’s investigation, but said it has protections in place against the type of attacks described.

NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.

Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023. 



Join the conversation in our comments section below. Share your own views and experience and if you have a question or suggestion for our journalists then email us at [email protected].
Please keep comments civil, constructive and on topic – and make sure to read our terms of use before getting involved.

Please log in to leave a comment.

See Also