Security analysis of the passwordless MitID digital identity system

MitID is the new eID system in Denmark. It provides access to a large number of online services, including online banking, insurance, tax and health information. In this paper, we analyze the security of the new system from the user's perspective with respect to Denial of Service (DoS), Social Engineering (SocEng) and other attacks that can be mounted without any special privileges or unauthorized access. Our analysis shows that, even though the system is of paramount importance to the Danish online infrastructure, the analyzed version did not properly defend against simple attacks targeting specific users. With simple automated scripts, we were able to prevent a targeted user from authenticating for a period of 9 days, and we show how an attacker can collect information to mount convincing SocEng attacks aimed at identity theft. Our findings were disclosed to the affected parties in December 2021, and the system has since been updated to render most of our attacks ineffective. However, due to inherent design trade-offs, targeted DoS attacks remain unmitigated and could potentially be scaled to destabilize MitID.