90 percent of DigiD users use service without SMS authentication (update)
A report from the Court of Audit published on Wednesday shows that 90 percent of DigiD use occurs without two-step authentication. The Court further notes that the encryption is incomplete, but that this is a small risk.
In its findings, the Court of Audit writes: “Of the approximately 250 million times that DigiD is used, in 90 percent of the cases this is with a simple password and without SMS. In many cases, this low reliability level is not in accordance with the rules, for example when consulting tax or donor data.” According to the Minister of the Interior, organizations themselves are responsible for applying ‘the correct assurance level’. Logging in with ‘an extra check via SMS’ is optional.
In addition, the Court of Audit pays attention to the encryption of DigiD data. In recent years, it turned out that this did not meet the requirements. In 2016, an audit established that sufficient measures had been taken in the area of periodic security investigations, as well as logging and analysis. The encryption is still only partial and does not comply with the applicable regulations, but misuse of the data would be limited by other security measures “to a low risk”. The minister therefore took the decision in October 2016 to accept the residual risk. The minister states that encryption must be applied in the successor to DigiD, which the Court of Audit expects at the beginning of 2018.
Other findings from the Court of Audit’s report are that central government does not have sufficient expertise in various areas, including ICT. This also applies to the police, where, despite various recruitment rounds, there are still too few ICT experts employed, as a result of which growing areas of investigation such as internet crime receive too little attention. The Court of Audit therefore mainly identified problems with central government operations in the field of ICT and information security.
Ministries should pay more attention to the latter area. The Court states: “In addition, administrative attention is required to better protect sensitive data of citizens about criminal history, organ donation, tax or medical information. And to prevent identity fraud, the hacking of systems for operating bridges and locks or other critical systems.”
Update, 15:14: The report has led to some confusion as to whether the Court has examined the strength or complexity of passwords. Pending an official response from the Court of Audit, the text has therefore been amended to avoid confusion. The original article stated that 90 percent of DigiD use occurs with a weak password and no SMS authentication. The passages about weak passwords have been adjusted for the time being.
Update, 18:18: A spokesperson for the Court of Audit has confirmed that the term ‘simple password’ refers to the method of logging in and does not pass judgment on the quality of the password. The changes to the article therefore remain in effect.