Digital Identity Management in Norway Is a Catastrophe

Digital Identity Management in Norway Is a Catastrophe(uio.no)

57 points by giuliomagnifico 7 hours ago | 41 comments

throwaway2037 3 hours ago |

The HN title is misleading and "editorialising". The real title:

    > Digital Identity Management in Norway is a Success but also a Disaster

I checked: It is not too long for HN. I think the title should be updated here.

e12e 4 hours ago |

The article is a little one sided, as it doesn't touch upon MinID which is a government ID service, and Idporten which is an authentication service that allows use of different EIDs, like MinID and BankID.

MinID is only considered "secure" while BankID is considered "highly secure"; as the linked pdf report (on Norwegian) states - in Norway, due to the popularity/market dominance of BankID - a lot of the logins are "highly secure" - while in Sweden their (different, but with same name) BankID is only "secure" - and most services require only "secure" login.

In Norway there are AFAIK public services that require "highly secure" login - and there the public issued MinID isn't enough.

If 2fa for MinID is improved - I think it would easily be upgraded to "highly secure" (most other details are similar to BankID). That should take care of public services.

Private services that do not cater to the public good - would still need a portal similar to (or be granted use of) Idporten.

So I think catastrophe is a little hyperbolic - but the current path of BankID dominance isn't good.

Ed: I see the hn title is editorialized - TFA has a more balanced title.

Ed2: From the podcast - BankID might get downgraded to "secure" because of how 2fa is handled - so it's not only MinID that might need some adjustments.

petterroea 3 hours ago | |

To be fair a part of the problem here is that BankID is so common it has become the "Jacuzzi of EID" or the "Google of EID" or whatever your poison is. So all EID-related discussion in public is now "Why aren't we just adding BankID".

Sure, some policymaker will probably interpret this as "introduce EID" but it does color public debate.

I think it's a shame MinID doesn't have the same level of security as BankID, we are really missing out on a great opportunity. But something tells me the powers that are in Norway's socialite community doesn't want it. In Norway we don't have that much monetary corruption, but we have a lot of "kompistjeneste"

wood_spirit 4 hours ago |

The article title actually says it is a success as well as a disaster. The title here has been shortened.

And, as the professor in the article explains, it is a “disaster” for a small minority. And those are not he same minority who struggled for the same reasons before, and those difficulties ought be addressed. The system can be improved.

But it’s largely a success for the vast majority too. I don’t personally know of anyone with a negative impression of it. It’s actually something that the average Nordic Baltic person is so used to and happy with that it only comes to mind when we meet people from countries that aren’t organised - and we feel sorry for them!

It’s the same situation with cash. Very few people in a cashless society are wanting to go back to the old ways.

mistrial9 4 hours ago | |

> average Nordic Baltic person

there is no average person, it is a myth of statistics.

buran77 3 hours ago | | |

A meaningless distinction and unnecessarily nitpicky. From a scientific perspective it's not a myth, it's a valuable tool. For the average person (see what I did there?) it's not a mathematical formula, it's way of saying "that person whose characteristic being discussed is very common and representative of the whole group".

aboardRat4 3 hours ago | | |

An average person has one testicle and one ovary.

tamimio 4 hours ago | |

> Very few people in a cashless society are wanting to go back to the old ways.

I don’t think that’s true. Also, never “trust” a bank with your money, for starters, “your money” is nothing but a fake number that doesn’t actually reflect a physical monetary asset, hence why if enough amount of people withdraw their money, you end up with a bank run, aka, the bank digital fake numbers are more than the actual physical papers. Additionally, in many cases you don’t want to be in entirely cashless system, besides the privacy concerns, you might get locked out of your account because the network operator malfunctioned (like Rogers in Canada back in 2022 I think, all ATMs were useless, purchase points, etc.), or maybe a sun coronal mass ejection that fries some utility power plants, or drop in the frequency and you end up like Spain last year or the year before.

The more you rely on one centralized point, the worse, hence why engineers avoid single point of failure in any design, be smart, and diversify your options.

Scroll_Swe 2 hours ago | | |

>I don’t think that’s true.

It is.

Source, me in Sweden.

bflesch 4 hours ago | |

Cashless society is amazing until the foreign shareholders of your core suppliers of digital infrastructure develop their own political agenda.

But Norway is a monarchy well connected with the global Epstein class so I doubt their political system can actually reach an shareholder-hostile edge case. And meanwhile the surveillance helps keeping internal peace because one can reliably deplatform dissenters and conspiracy theorists.

It's a win-win until the n-th generation of nepo children is trying to steal too much and everybody notices they have been robbed.

Aurornis 4 hours ago |

> The report tells the story of Bendik, who has Down syndrome and is denied BankID, thereby losing access to digital public services due to his diagnosis.

The article is light on details. Are people being denied BankID due to having an autism diagnosis?

There are some crazy details in this story that are presented as side notes in between long paragraphs of filler text that don’t contribute anything. It’s an article where you keep reading expecting some explanations that never arrive.

joaohaas 3 hours ago | |

I'm assuming it fails to do face recognition, but yes the article is clearly very one sided on making 'digital ID' look bad.

petterroea 3 hours ago | | |

The other part of the problem not discussed in this article is that many services now require digital ID. Banks don't really have many physical locations any more, etc. So not having a digital ID is seriously impractical, and it didn't have to be this way. That is IMO a big factor for why digital ID is receiving so much flac: "Digital ID isn't something everyone can have, and for the corner-case people, the alternatives are drying up due to over-digitalization"

Shellban 2 hours ago |

Sometimes I wonder if we should consider using some sort of a hardware key going forward, like a Yubikey or similar product. Physical devices are fairly easy to understand, and a simple on-device PIN or fingerprint-reader adds a 2FA that prevents a lot of fraud. While an ID number is fairly easy to steal, a GPG private key is nearly impossible if handled right.

Of course, the flip-side, this would open up more opportunities for tracking (requiring the hardware keys to log into Facebook). However, in most societies, we do need some way of authenticating who is who, and at least this approach makes fraud much more difficult.

jazzyjackson 2 hours ago | |

Yes I think government issued credentials like Estonia does is very neat, and preferable to what we have in USA when you need to verify your identify to interact with online gov services, the id.me, which is taking a video and uploading it to some third party to say 'yep that's the person definitely using their laptop right now', as if gen-AI hasn't already made that obsolete.

Besides that we have the technology for services to ask 'yes/no' questions of a secure enclave without revealing the personal data, like 'is this person's birthdate after May 29 2005', instead of letting every liquor store and gas station scan the barcode of your government ID including your home address

Sometimes it makes me feel crazy what we collectively have settled on.

zajio1am 2 hours ago | |

U2F token is used by one eIDAS identity provider in Czechia.

WinstonSmith84 4 hours ago |

On the plus side, their database has still not been hacked .. like it has happened one month ago in France, with the "ANTS" (the French equivalent). More than 10 millions people had their data leaked including pretty much everything from SSN, to email, phone, etc. A mine gold for Phishers and Scammers.

bflesch 4 hours ago | |

Why would they leak the data of only 10M people and not all? Just to cause damage or were some people filtered out?

tamimio 5 hours ago |

Digital ID is a catastrophe, in Norway or elsewhere. But that doesn’t matter because the purpose of such ID is more surveillance, and if any issue happens you might end up liable like that man mentioned in the article. Right now in countries where digital ID isn’t yet implemented, phone numbers are used instead to link your digital identity to the real one, and most countries require government ID to issue one, and sometimes a biometric identification too, that number is later used in online services or messaging apps that links back to you. Watch now the applications that still insist on having phone numbers as an ID removing them once the digital ID is used instead.

lifestyleguru 5 hours ago | |

I'm confused how Nordic countries accepted linking banking login with government ID. Neither of them is your friend and both of them are not a friend in a completely different way.

tyfon 4 hours ago | | |

It's not linking banking login with government id. It is a story of the banks solving an issue with remote identification and the system working well enough that the public/government also want to use it for other things.

Being able to sign contracts, engage with the healthcare system, file taxes, read messages from the government and do general banking without having to leave the home is a massive convenience boost.

We are a high trust society where the government or the banks are not out to "get you". The majority of the banks (not by volume but by numbers) are even in a structure without any ownership of the capital except for the depositors, and most of the profit from these banks that is not used to build the capital further is handed out to customers and/or the local community.

Daunk 5 hours ago | | |

Probably because they're not corrupt America. They don't walk around checking their back every minute for "Uncle Freedom" screwing them over.

woliveirajr 3 hours ago | | |

Brazil has the same. It's possible to login in the government platform by your bank login. Simplifies a lot for the general population that won't use password managers and so on. And, as banks use a 2FA, security is improved.

hobofan 4 hours ago | | |

That seems better than the alternative in Belgium. There the prevalent ID app "itsme" was launched by a consortium of banks.

Last year the government launched an goverment owned alternative "myGov" and now has to claw back market share, which I don't see working out.

sam_lowry_ 5 hours ago |

Wait until EU Dugital Wallet in 2027, that will be the ultimate fiasco.

lifestyleguru 5 hours ago |

An outstanding solution no one asked for.