Tell HN: MitID, Denmark's digital ID, was down

Outage and Immediate Impact

  • MitID, Denmark’s sole digital ID, was unavailable for a bit over 1.5 hours; people report it’s now back.
  • When it’s down, users can’t log into banks, government sites, or complete many 3D Secure card payments; some call this effectively a “national infrastructure outage.”
  • A few locals say such incidents are minor and short; others warn that complacency now could lead to worse outages later.

Centralization, Resilience, and Alternatives

  • Many see a single national ID as a classic single point of failure and “tail risk”: fine until a major outage, attack, or authoritarian misuse.
  • Comparisons with Sweden (BankID), Norway, Finland, Italy (SPID with multiple providers), the Netherlands (DigiD), and EU eID laws show a spectrum from one dominant provider to multi-provider systems.
  • Some argue systems should degrade gracefully: banks and other critical services should still work when the central ID is down.
  • Ideas floated: TLS-style short-lived certs, distributed revocation lists, multi-provider architectures, even blockchain-based identity; others counter that real-time revocation inevitably reintroduces centralization.

Security Model: NemID vs MitID and Revocation

  • NemID used paper OTP cards; MitID primarily uses smartphones, with OTP dongles and a paid FIDO/U2F option.
  • Paper/OTP is seen as cheaper to attack (phishing, MitM) and logistically expensive; MitID’s app adds push notifications and time-based codes.
  • Critics note that if the central auth website is down, it doesn’t matter whether the factor is paper or hardware; the central point remains the bottleneck.

Privacy, Culture, and Trust

  • Several expatriates describe MitID + CPR (personal number) as a “privacy nightmare”: one ID ties together banking, health, tax, purchases, and more.
  • Some Danes and Swedes counter that high trust in institutions and strong public services make this trade-off acceptable and practically convenient.
  • Others warn that trust is fragile: centralized IDs could be powerful tools of coercion under future governments or in crises.

User Experience and Implementation Critiques

  • Complaints: the MitID app doesn’t run on rooted/custom Android; disassembly suggests explicit blocking; IMEIs may be blacklisted.
  • Hardware dongle users report a smoother, simpler experience but lose some on-the-go convenience.
  • An implementer describes MitID as technically messy: fragmented provider implementations, deeply nested OAuth/OIDC flows, heavy oversight by a non-technical government agency, and a dominant vendor (NETS) with frequent partial outages and sparse postmortems.

Digital Money and Systemic Dependence

  • The outage triggers broader reflection that “money” is just a database value; outages in ID or payments systems can temporarily strand people despite having funds.
  • Debate contrasts risks of digital centralization (outages, debanking, infrastructure attacks) with risks of physical cash (theft, loss, forgery, impracticality).
  • Some argue a mixed world—digital systems plus residual cash and physical IDs—offers better overall resilience.