
I find the DigiD app to be one of the most annoying implementations of 2FA out there. You have to unlock the app with a pin code, then enter an app-generated code on the site, then scan a QR with the app, and then grant permission to login to that site.

If you compare that to 2FA for Office 365 for example, where you just have a push notification where you press a button to allow, then you can't help but think that some attention to UX would be helpful.

As it is, I usually pick SMS verification instead of using the app. Yes, less secure, but so much easier.



For an app that cost in the tens of millions to produce[1], and for which the company (gov-owned and operated) behind it charges implementors/users (not end-users ofc)[2] for each and every single successful DigID authentication event €0.13, DigID authorization event €0.88, and even for every digital message delivered into your "berichtenbox" €0.32, it could.. no rather it should indeed provide a much better experience than what we have now.

1: https://www.rijksfinancien.nl/memorie-van-toelichting/2019/O...

2: https://logius.nl/onze-organisatie/zakendoen-met-logius/door...


If the money is going back into the public coffers supplanting other tax revenue, a fee for delivery must help prevent spam? I don't know enough about the topic but at first glance it seems there could be worse things.

I suppose it would hinge on your view of regressive use fees as well.


“This code has been disclosed in response to a request under the Dutch Open Government Act ("Wet open Overheid"). This implies that publication is primarily driven by the need for transparence, not re-use. Re-use is permitted under the EUPL-license, with the exception of source files that contain a different license.”

It sounds like they might not be very keen to maintain the app.

Can there be alternative, better implementations, or is DigID “hardcoded” to one provider?


I think that just means "this won't be very helpful in standing up your own DigID". It also says they're looking at providing more ongoing transparency.


On the other side of this, push-phishing through MFA fatigue has become extremely frequently used to hack into enterprise O365 instances (as well as Google Cloud accounts and the like).

People don't generally read it when their phone apps send them a "please login" notification after the 200th one that day, they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to login), especially when busy, which results in them letting phishers onto their device.

The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention to whether it's them logging in or not.
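A defender-side companion to the MFA-fatigue pattern described in the comment above, added here and not taken from the thread: a sliding-window check over constructed sign-in log lines that flags users who receive a burst of push prompts, and records whether one prompt in that burst was approved. The log format, field names and thresholds are invented for this example.

```go
package main

import (
	"strings"
	"time"
)

// PushEvent is one MFA push prompt parsed from a constructed log line of the form
// "<RFC3339 time> user=<name> push=<approved|denied|timeout>" (format invented here).
type PushEvent struct {
	At     time.Time
	User   string
	Result string
}

// ParsePushLine returns false for lines that do not match the constructed format.
func ParsePushLine(line string) (PushEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[1], "user=") || !strings.HasPrefix(f[2], "push=") {
		return PushEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	return PushEvent{At: at, User: f[1][5:], Result: f[2][5:]}, err == nil
}

// FatigueAlerts flags users who received at least `threshold` prompts within any
// sliding `window` (events are expected per user in log order). The value is true
// when a prompt inside the burst was approved: the case to treat as compromise.
func FatigueAlerts(events []PushEvent, window time.Duration, threshold int) map[string]bool {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	alerts := map[string]bool{}
	for user, evs := range byUser {
		start := 0
		for end := range evs {
			for evs[end].At.Sub(evs[start].At) > window {
				start++ // slide the window's left edge forward
			}
			if end-start+1 >= threshold {
				for _, e := range evs[start : end+1] {
					alerts[user] = alerts[user] || e.Result == "approved"
				}
			}
		}
	}
	return alerts
}
```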


This is real and a serious threat. Both the company I work in and I (personal account) have been targeted with this specific method. I got tens of random notification pop-ups on my phone on different days and I almost approved it once. It didn’t stop until I disabled login using that specific email address altogether.

Edit: I received the notifications for the Microsoft Authenticator app.


Wouldn't a password prompt before sending the message effectively put an end to that as well?


YMMV: I'm on a OnePlus 8 using the Microsoft Authenticator app. An OS update changed the PIN pad, which in turn soft-broke the M$ authenticator app's PIN lock security: rather than presenting a PIN pad to enter my PIN code, it now presents a full QWERTY keyboard... making it exceedingly annoying to enter my PIN, to the point where I simply disabled the PIN lock on the app (not on my phone, obviously).

So yeah, MFA fatigue is a thing and a PIN lock on the notification is not going to survive for very long given these OEM shenanigans...

Edit: Also M$ Auth app offers no proper export of my MFA keys, so I am stuck in this walled garden :')


That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.


> That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I hadn't even noticed that app login doesn't require username and password. With a password manager that doesn't add a lot of friction. Even when accounting for that extra step, I still find Office 365 and SMS verification much easier.


What's the purpose of the code you're entering from the app? Isn't that a bit superfluous/couldn't the app open a communications channel with the server via the QR code you scan and provide that itself?


Then the app relies purely on the SSL cert of the server for MITM mitigation. This way, the QR can contain a signed reply to the code, which adds a layer.


Wait, I don't get it. I understand that the server is signing a challenge with a key presumably known to the client. But why can't the app submit the challenge programmatically upon scanning a QR code? It would still verify the signature!
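The signed-QR idea sketched in the two comments above, as an added Go example that is not DigiD's code and not a description of the real DigiD protocol: the code the app generated is echoed back inside a server-signed QR payload, and the app only proceeds when the echoed code is its own and the signature verifies under a pinned server key. The payload fields, the pinned-key assumption and the choice of ed25519 are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// QRPayload is a constructed stand-in for what the site could encode in the
// QR after the user types the app-generated code: the session, the code
// echoed back, and a server signature binding the two. Not DigiD's format.
type QRPayload struct {
	Session string // the browser's login session on the site
	Code    string // the code the user typed in
	Sig     []byte // ed25519 signature over session|code
}

func signedBytes(session, code string) []byte {
	return []byte(session + "|" + code)
}

// ServerIssueQR runs on the site: it has received `code` for `session` and
// returns the QR content signed with its long-term key.
func ServerIssueQR(priv ed25519.PrivateKey, session, code string) QRPayload {
	return QRPayload{Session: session, Code: code,
		Sig: ed25519.Sign(priv, signedBytes(session, code))}
}

// AppVerifyQR runs in the scanning app. It approves only if the echoed code
// is the one this app generated AND the signature verifies under the pinned
// server key, so the scan is tied to the user's own login attempt rather
// than to a payload rewritten in transit.
func AppVerifyQR(pinned ed25519.PublicKey, myCode string, qr QRPayload) bool {
	if qr.Code != myCode {
		return false
	}
	return ed25519.Verify(pinned, signedBytes(qr.Session, qr.Code), qr.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // app pins pub
	myCode := "483 921"                                // app-generated code
	qr := ServerIssueQR(priv, "sess-42", myCode)
	fmt.Println("genuine:", AppVerifyQR(pub, myCode, qr))
	qr.Session = "sess-99" // tampered in transit: signature no longer matches
	fmt.Println("tampered:", AppVerifyQR(pub, myCode, qr))
}
```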


If you leave the country without setting up SMS you can’t ever use 2FA. They claim to support adding foreign numbers, support people being abroad, support adding new DigiD accounts from abroad, but oh no you can’t just add a number. Not even by going to an office or doing a virtual interview. I would think this violates EU law on discrimination. If you live in the UK post-Brexit it’s now totally impossible, I believe (since you aren’t even allowed to make a new account).


Holder of Dutch passport here. I created a DigiD account from France, using a French phone number.

You plan a video conf using their web app, connect at the right time, and show your passport when asked.

As an aside, I login without using their app, as my Android phone does not support Google Play.

Don't know what happens if you don't have a Dutch passport though. I guess they are under no obligation to render services to people that are neither citizen nor national.

A bit like when I got married and the French state wanted proof that I wasn't already married before, during the period I had lived in the UK. The UK services wouldn't give me the time of day, since I was neither British nor living there. I ended up getting an official-looking note from the Dutch embassy to the UK, stating that "to the best of their knowledge I wasn't married" =)


Create - from the EU - yes. As I said: you cannot add to existing that you already use extensively. And not create new from outside EU. That’s what makes it so shambolic. They clearly have the ability to both do it technically and to verify appropriately.

No problems using similar UK services for EU citizens I know, nor non-EU. Usual bank/address shenanigans at the start, but no issues with government gateway etc.


After moving to the States and losing my Dutch mobile number I was also not able to use it for more than 10 years.

During covid the government provided an ability to schedule a zoom call to verify identity remotely and set up Digid with a foreign number so I finally have it.


It's slightly easier on-device (where the app runs), still try opening your government messages inbox, that takes 5 taps/screens/faceID and a code. It always works though, and one does not use it very often.

I do appreciate that they keep it so secure (or perhaps I should say, not logged in by default). It works well in general imho.


I have dozens of 2FA codes now that require searching for the correct one, and I have to store backup codes in physical form, which probably a lot of people keep unencrypted on their desktop somewhere.

With the Digid app you just need to remember the pin code or unlock with face id. The app generates the codes for each login and then you just scan the QR. It's very simple to use.

Recently I lost my phone and had to set everything up again. I had to start digging for 2fa backup codes, but Digid I could easily set up again using the NFC chip in my passport.


The Swedish "Bankid" is very nice to use, imho. It's very similar to the MS authenticator.


On mobile, you just use pin. So easy!

On desktop, you use pin, type code, then scan. I find the flow quite smooth.


> On desktop, you use pin, type code, then scan. I find the flow quite smooth.

I find the constant back and forth between devices annoying. 2FA is already annoying because you have to switch from desktop to mobile and back, but that can't be helped. There's no need to make it 6 times, though: desktop (on site) -> mobile (start app + pin) -> desktop (fill in code) -> mobile (get camera) -> desktop (scan QR) -> mobile (press allow) -> desktop (continue on site)

That's just being irritating.



