Requirements for MitID service providers
The policies of MitID, provided by the Agency for Digitisation and the Danish banks, have strict requirements regarding security and user experience.
As a certified MitID broker, Signicat is bound to pass on some of these requirements to MitID service providers. These requirements are mentioned in the contract between you as a service provider and Signicat in "Appendix 4 - Terms for Danish MitID". More specifically, this appendix states in section 5.2 that the "Customer shall adhere to the design requirements" and refers to this page for more information (see UX requirements below). Furthermore, the appendix states in section 7.2 that the "Customer must implement appropriate security measures" and refers to this page for more information (see Security requirements below).
Security requirements
IT information security is an important and central part of the MitID infrastructure. There are strict certification requirements between the MitID provider and MitID brokers.
To fulfil the role of MitID broker, Signicat is required to ensure a high level of IT information security between the customer as service provider and Signicat as MitID broker. This section describes the minimum security requirements for MitID service providers.
You as a service provider must:
- Adhere to applicable laws and regulations, for example the GDPR.
- Use best practice principles when integrating towards Signicat services.
- Validate the authenticity of the authentication response received from Signicat.
- Carry out at least one compliance assessment per year, focusing on IT information security and the integration with Signicat. Signicat may request a copy of the latest assessment with no less than 30 days' notice. There are no formal requirements for the format of the assessment.
- Provide intelligible and easily accessible guidance for the end-user on how to install the correct mobile app or other application, or on how to verify that they are in fact using the correct mobile app or other application. This rule applies when the service provider implements MitID functionality in a mobile app or other application in which the end-user cannot verify, by reviewing the address in the address bar, that credentials are being provided to a legitimate mobile app or application.
Best practice security principles
- Use of encryption in transport security (TLS 1.2 or higher) and appropriate cipher suites (SHA-256 or better, and only ciphers supporting perfect forward secrecy (PFS)).
- Support of CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol).
- Support of CAA (Certification Authority Authorization) on DNS. CAA is an open standard specified in RFC 6844.
- Support of HSTS (HTTP Strict Transport Security), which protects against man-in-the-middle attacks. HSTS is based on the IETF standard specified in RFC 6797.
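As an added illustration (not code from Signicat or the MitID scheme), the following Python checks a constructed configuration snapshot against the principles listed above; the snapshot format, the OpenSSL-style cipher suite names and the CA name are my assumptions.

```python
# Added example (not Signicat's code): checks a constructed snapshot of a
# service provider's TLS, HTTP and DNS settings against the principles above.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}   # TLS 1.3: always (EC)DHE + SHA-256 or better
PFS_PREFIXES = ("ECDHE-", "DHE-")                  # OpenSSL names of PFS key exchanges
STRONG_HASHES = ("SHA256", "SHA384")               # SHA-256 or better; a bare "SHA" suffix is SHA-1


def tls_version_ok(version: str) -> bool:
    """TLS 1.2 is the minimum; TLS 1.3 is also acceptable."""
    return version in ("TLSv1.2", "TLSv1.3")


def cipher_suite_ok(name: str) -> bool:
    """PFS key exchange and a SHA-256-or-better hash, using OpenSSL suite names."""
    if name in TLS13_SUITES:
        return True
    return name.startswith(PFS_PREFIXES) and name.endswith(STRONG_HASHES)


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797; names are case-insensitive)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives


def hsts_ok(header: str) -> bool:
    """HSTS only takes effect with a positive max-age."""
    max_age = parse_hsts(header).get("max-age", "")
    return max_age.isdigit() and int(max_age) > 0


def caa_allows(records: list, ca: str) -> bool:
    """CAA must be present, so an empty record set fails; with records present, only a CA
    named in an 'issue' tag may issue (RFC 6844). A value of ';' names no issuer at all."""
    issuers = [r["value"].split(";")[0].strip().lower() for r in records if r["tag"] == "issue"]
    return bool(ca) and ca.lower() in issuers


def check_snapshot(snapshot: dict) -> dict:
    """Map each principle to pass/fail for one configuration snapshot (constructed format)."""
    return {"tls_version": tls_version_ok(snapshot["tls_version"]),
            "cipher_suite": cipher_suite_ok(snapshot["cipher"]),
            "revocation": snapshot["crl"] or snapshot["ocsp"],
            "hsts": hsts_ok(snapshot.get("hsts", "")),
            "caa": caa_allows(snapshot["caa"], snapshot["ca"])}


# Constructed sample: a server that still negotiates TLS 1.0 with a non-PFS, SHA-1 suite.
SAMPLE = {"tls_version": "TLSv1.0", "cipher": "AES128-SHA", "crl": False, "ocsp": True,
          "hsts": "max-age=31536000; includeSubDomains",
          "caa": [{"tag": "issue", "value": "example-ca.test"}], "ca": "example-ca.test"}
```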
Supported WebViews
To perform a MitID authentication from a native app, you MUST display the MitID login flow in Chrome Custom Tabs (Android) or SFSafariViewController (iOS). No other WebViews are supported by MitID, and they can break at any time.
UX requirements
The service provider must adhere to the MitID UX scheme and branding guidelines. This section addresses the following requirements:
- MitID name
- Authenticator icons and names
- Typography
- Service provider name
- URL and page title
- Reference text
- MitID button (CTA)
MitID name
When using MitID as text in a sentence or heading (for example on a website), always use the correct wordmark.
Wordmark
Authenticator icons and names
When describing the MitID authenticators, always use the correct icon and name.
Authenticators
- Colour on dark icons: #001C44
- Colour on white icons: #FFFFFF
Typography
If the service provider in any way creates marketing material within the MitID design universe, you must follow the defined typography.
The font family is IBM Plex Sans. SemiBold is used for component labels and buttons. Bold is used for all headers.
Font
Service provider name (Tjenesteudbyder)
Length
- The name of the service provider (Tjenesteudbyder) in the reference text header can be up to 32 characters. This ensures it is visible on all screen sizes in the header.
- If the name is long, the reference text header will wrap onto a second line. Consider where the name will break between the two lines.
- If the name exceeds the number of characters available for the screen size, it will be truncated with an ellipsis (…).
- If the name is unusually long, we recommend creating a shortened version.
Recognisable and no suffix
- The name must be the one that end-users recognise.
- It should not include unnecessary suffixes such as "ApS" or "A/S".
URL and page title
A big change from the NemID solution is that MitID cannot be embedded in websites. It must be shown as either a pop-up or a redirect, because the MitID authentication always has a URL on the MitID.dk domain.
If you use the service provider name in the URL, it is recommended to use the same name as in the MitID box (Tjenesteudbyder). However, if the name is unusually long, we recommend showing a shortened version in the URL so that end-users can always see the MitID.dk domain. It is recommended that the page title is "MitID".
URL
Reference text
The reference text consists of the reference text header (<Action text> <Tjenesteudbyder>) and the reference text body. The reference text body can give more details about the authentication, for example account numbers or the amount of a financial transaction. The reference text body can be at most 130 characters.
Reference text
Action texts
The reference text header consists of an action text and the service provider name. The action text tells end-users what kind of action they are performing, and it corresponds to the one used on the MitID button. You can choose between the following predefined texts:
| Danish | English | Greenlandic |
|---|---|---|
| Log på hos <Tjenesteudbyder> | Log on at <Service provider> | Uunga iserit <Kiffartuussisuusoq> |
| Godkend hos <Tjenesteudbyder> | Approve at <Service provider> | Uani akuersigit <Kiffartuussisuusoq> |
| Bekræft hos <Tjenesteudbyder> | Confirm at <Service provider> | Uani uppernarsaagit <Kiffartuussisuusoq> |
| Accepter hos <Tjenesteudbyder> | Accept at <Service provider> | Uani akuersigit <Kiffartuussisuusoq> |
| Underskriv hos <Tjenesteudbyder> | Sign at <Service provider> | Uani atsiorit <Kiffartuussisuusoq> |
MitID button (CTA)
When using the MitID logo on a button as a Call to Action (CTA), the service provider must follow the required specifications. This applies, for example, when you want to offer authentication with MitID on your website or in your app. The MitID button allows only limited design flexibility:
MitID button
Colour
- Background colour (MitID blue colour): #0060E6
- Background hover colour: #004CB8
- Text colour: #FFFFFF
Height
- Preferred: 48 px
- Minimum: 32 px
Corner radius
- Preferred: 4 px
- Minimum: 0 px
- Maximum: rounded
Padding
- Between the logo or action text and the button's left/right edge: 24 px
- Between logo and action text: 16 px
Action texts
The action texts to the right of the logo must be one of the following (they are the same as in the MitID box, but do not include the name of the service provider):
| Danish | English | Greenlandic |
|---|---|---|
| Log ind med MitID | Log on with MitID | MitID atorlugu iserit |
| Godkend med MitID | Approve with MitID | MitID atorlugu akuersigit |
| Bekræft med MitID | Confirm with MitID | MitID atorlugu uppernarsaagit |
| Accepter med MitID | Accept with MitID | MitID atorlugu akuersigit |
| Underskriv med MitID | Sign with MitID | MitID atorlugu atsiorit |
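To show how the reference text header and the button action texts fit together, here is an added Python example (not Signicat's code) that composes the header "<Action text> <Tjenesteudbyder>" and the matching button label from the predefined texts in both tables, and enforces the 32-character provider name limit, the suffix rule and the 130-character body limit from the sections above; the action keys, the language codes da/en/kl and the truncation helper are my assumptions.

```python
# Added example (not Signicat's code): builds the MitID reference text header and
# the matching button label from the predefined action texts on this page.
MAX_PROVIDER_NAME = 32             # characters visible in the header on all screen sizes
MAX_BODY = 130                     # reference text body limit
COMPANY_SUFFIXES = ("aps", "a/s")  # suffixes end-users do not need to see

ACTION_TEXTS = {  # action: {lang: (header template, button label)}; language keys are my choice
    "logon": {"da": ("Log på hos {}", "Log ind med MitID"), "en": ("Log on at {}", "Log on with MitID"),
              "kl": ("Uunga iserit {}", "MitID atorlugu iserit")},
    "approve": {"da": ("Godkend hos {}", "Godkend med MitID"), "en": ("Approve at {}", "Approve with MitID"),
                "kl": ("Uani akuersigit {}", "MitID atorlugu akuersigit")},
    "confirm": {"da": ("Bekræft hos {}", "Bekræft med MitID"), "en": ("Confirm at {}", "Confirm with MitID"),
                "kl": ("Uani uppernarsaagit {}", "MitID atorlugu uppernarsaagit")},
    "accept": {"da": ("Accepter hos {}", "Accepter med MitID"), "en": ("Accept at {}", "Accept with MitID"),
               "kl": ("Uani akuersigit {}", "MitID atorlugu akuersigit")},
    "sign": {"da": ("Underskriv hos {}", "Underskriv med MitID"), "en": ("Sign at {}", "Sign with MitID"),
             "kl": ("Uani atsiorit {}", "MitID atorlugu atsiorit")},
}


def check_provider_name(name: str) -> list:
    """Return the problems with a service provider name (an empty list means it is fine)."""
    problems = []
    if len(name) > MAX_PROVIDER_NAME:
        problems.append(f"name is {len(name)} characters; limit is {MAX_PROVIDER_NAME}")
    words = name.split()
    if words and words[-1].lower() in COMPANY_SUFFIXES:
        problems.append("drop the company-form suffix (ApS, A/S)")
    return problems


def reference_text(action: str, lang: str, provider: str, body: str = "") -> dict:
    """Compose header, body and button label; raise on an unknown action or an over-long body."""
    if action not in ACTION_TEXTS or lang not in ACTION_TEXTS[action]:
        raise ValueError(f"no predefined text for action={action!r} lang={lang!r}")
    if len(body) > MAX_BODY:
        raise ValueError(f"reference text body is {len(body)} characters; limit is {MAX_BODY}")
    header_template, button = ACTION_TEXTS[action][lang]
    return {"header": header_template.format(provider), "body": body,
            "button": button, "warnings": check_provider_name(provider)}


def truncate_for_width(name: str, available: int) -> str:
    """Illustrative mimic of the header truncation: a name wider than the screen allows ends in '…'."""
    return name if len(name) <= available else name[:max(available - 1, 0)] + "…"
```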