
# Migration from NemID to MitID

MitID offers the same functionality as NemID, with additional features, greater ease of use and flexibility, and safer authentication of Danish citizens and businesses. The main differences lie in the underlying technology and in an improved user experience.

The main aim of this page is to give you as a service provider help with migrating from NemID to MitID.



# Migration process overview

The main steps in the migration period for you as a service provider are as follows:

  1. Signicat presents an offer and information about the steps you must follow to have a fully functional eID solution running through Signicat. To get help with this, please contact Signicat at support@signicat.com.
  2. You sign a contract with Signicat as a broker.
  3. Signicat registers you in the MitID Broker portal. You do not need any specific certificate for this.
  4. Signicat sets up MitID in a pre-production environment and gives you access to this environment. For information about test access and test users, see Test information.
  5. You make the necessary changes in your integration with Signicat. When going from NemID to MitID, be aware that MitID cannot be run in an iframe, and will instead trigger a pop-up. If you want to use redirect instead, you must change the integration.

# The transition period

MitID is scheduled to go live in May 2021 and NemID is scheduled to be phased out at the beginning of 2022.

This period between May 2021 and January 2022 will be a transition period for end-users to migrate from NemID to MitID.

Note: It is the Danish banks and the Danish government services (e.g. eSkat) that handle the migration of end-users from NemID to MitID. The broker or service providers have no role in this process.

In this transition period, Signicat recommends that you support both NemID and MitID, and that you, for example, present both login options to your users on your login page. See the following section about login examples.

# Login examples in the transition period

In the transition period, you should support login for both NemID and MitID. Here are some suggested ways you can set this up for the end-user:

In the first example, the end-user is sent to Signicat's ID-portal and Signicat takes care of the rest. The two other examples require more development on the service provider's side.

# Login via Signicat's ID portal

In this example, the end-user logs in via Signicat's ID portal. The ID portal is Signicat’s own authentication portal interface presenting a list of ID methods the end-user can choose between.

  • The end-user selects the Login button on the service provider page:


  • The end-user is redirected to Signicat's ID-portal and selects between the eID methods active for the service provider, like MitID and NemID.


You can determine in the response which ID method is selected from the ID portal. With OIDC, the method used can be determined by checking the idp claim.
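One way to act on the idp claim during the transition period, as an added example that is not Signicat's code: it accepts only expected methods, stops accepting NemID after a cut-off, and, going beyond the ID-portal case, rejects a token whose method differs from the one the user picked on your own page. The claim values `mitid` and `nemid`, the cut-off date and the names `resolve_login_method` and `LoginRejected` are assumptions.

```python
from datetime import date

# Assumed claim values and a constructed cut-off date: the page names the
# idp claim and the phase-out period, but not these exact values.
ACCEPTED_METHODS = {
    "mitid": None,               # no end date
    "nemid": date(2022, 1, 31),  # last day NemID logins are accepted
}


class LoginRejected(Exception):
    """The idp claim does not satisfy the service provider's login policy."""


def resolve_login_method(claims, requested=None, today=None):
    """Return the eID method named in an already-validated ID token.

    claims: claims of an ID token whose signature, issuer, audience, expiry
            and nonce were already checked by your OIDC library.
    requested: method the user picked on your own page, or None when the
               choice was made in the ID portal.
    """
    today = today or date.today()
    idp = claims.get("idp")
    if not isinstance(idp, str) or idp not in ACCEPTED_METHODS:
        raise LoginRejected(f"missing or unexpected idp claim: {idp!r}")

    last_day = ACCEPTED_METHODS[idp]
    if last_day is not None and today > last_day:
        raise LoginRejected(f"{idp} is no longer accepted")

    # A user sent to one specific method must come back with that method.
    if requested is not None and idp != requested:
        raise LoginRejected(f"requested {requested!r}, token says {idp!r}")
    return idp


if __name__ == "__main__":
    # Constructed claim sets, not real Signicat responses.
    portal_login = {"sub": "constructed-subject", "idp": "nemid"}
    print(resolve_login_method(portal_login, today=date(2021, 9, 1)))
    try:
        resolve_login_method({"idp": "nemid"}, "mitid", date(2021, 9, 1))
    except LoginRejected as err:
        print("rejected:", err)
```

Record the returned method with the session so that later authorization decisions and audit logs can tell MitID logins from NemID logins.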

Graphical profile

The ID portal uses the standard graphical profile, as you use today for NemID. This is not tied to the graphical profile implemented specifically for MitID.

# Login methods on your home page

In this example, the end-user can choose between either MitID or NemID directly on your home page. The following is just a sketch example of how it may look. You must implement this login option yourself. You can design it as you wish as long as you follow the UX requirements for the MitID login button.

  1. The end-user selects the Login button on the service provider page.
  2. A menu is displayed on the service provider page where the end-user can select either Log in with MitID or Log in with NemID.


# Login with one default ID method

In this example, the end-user does not need to choose between NemID or MitID.

At the beginning of the transition period, you can use the same login set-up as you do today for NemID. NemID should be the default until autumn 2021, when we expect the number of MitID users to reach a critical mass. Thereafter, you should set up an authentication flow with MitID, including the option to switch to NemID. Signicat’s MitID Advanced Graphical profile add-on has built-in functionality for switching to the other method.

The following is just a sketch example of how it may look with the MitID login. You must implement this login option yourself. You can design it as you wish as long as you follow the UX requirements for the MitID login button.

  • The end-user logs in on the service provider page and is redirected to the MitID login box.


  • If you have the add-on for using the advanced graphical profile for MitID, you can also add a link to the other ID method on the login page itself.


The grey label to the bottom right shows an example of how you can link to the other method:


For more details, see Advanced graphical profile > Label.

# Authentication with MitID compared to NemID

In short, the main difference seen from the end-user’s perspective is that MitID provides new authenticator devices and single factor support.


NemID supports only two-factor authentication, which always results in the Substantial level of assurance (LoA). MitID also supports single-factor authentication. The default level of assurance is Substantial, but it is also possible to set it to Low or High, depending on the level of security your online information and transactions require.

# What does this mean for you as a service provider?

This means that, during the migration period, you must decide the appropriate level of assurance for your different use cases. For more details about recommended authenticator setup and level of assurance, see the Authentication page.

# The broker role

One major change from NemID is that all services using MitID for identity verification must access the MitID infrastructure through a MitID certified broker. This means you cannot access MitID directly as you could with NemID, but must go via a broker.

There are high certification requirements to become a MitID broker (ISO 27001 level). Only organisations certified according to Digitaliseringsstyrelsen's requirements can act as an intermediary between the MitID core system and the service provider.

Signicat has passed the base certification and is preparing for the final MitID broker certification.

Important note for service providers

As a broker, Signicat has some contractual requirements that you as a service provider must follow when using Signicat's MitID implementation. For more information, see Requirements for MitID service providers.

# UUID/CPR match service (former PID/CPR match service)

With NemID, you need a separate agreement for using the PID/CPR match service. This is not necessary with MitID, since the CPR match is built into the MitID core. If you need CPR verification, you must use the CPR number as a parameter, or Signicat can present a dialogue box where the end-user can enter the CPR number. This is similar to the NemID flow.

Last updated: 20/09/2023 12:13 UTC