
# Swedish BankID

# About Swedish BankID

Swedish BankID is an electronic identity scheme in Sweden that can be used for identity proofing during onboarding of new customers, authentication of existing customers and electronic signing.

Individuals who have a Swedish national identification number (personnummer) can obtain Swedish BankID through their bank. BankID may be issued to persons over 18 years, but several banks also give BankID to persons under 18 years.

# Use cases

If you are not so familiar with how Swedish BankID is used, here are some typical use cases:

  • Digital onboarding: To become a customer of a bank, you have to register as a user for the first time. To prove your identity, you can choose to use Swedish BankID, among others, as an ID method.

  • Authentication: As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. Swedish BankID can be used for authentication, the same way it can be used for registering as a new customer.

  • Signing: With Signicat's electronic signature solution, you can use Swedish BankID to sign (as well as view or upload) one or more documents, such as loan applications or contracts. Signing with signed statement will allow you to sign all documents at once, while third-party signing will require you to sign the documents one at a time.

# Demo

If you want to see how Swedish BankID works, you can use Signicat's demo service and demo credentials.

Sign up for demo credentials

# Digital onboarding and authentication

For digital onboarding, the ID method can be used as a standalone identity method or in combination with other services provided by Signicat to verify an identity, such as identity proofing and registry lookups.

When the user has completed the digital onboarding process, Swedish BankID can be used for authentication by verifying an existing user’s identity. The getting started guides for authentication can be found here.

The ID method is technically the same for both the onboarding and authentication processes. However, you should consider how you set the ID method up in each user flow, since onboarding a new customer is a one-time occurrence, while authentication is a repetitive action for the customer. You may set up a simpler user flow for recurring authentications than for digital onboarding. You should also consider your security requirements when setting up the flow.

Note

If Swedish BankID is used for user onboarding, it is not allowed to issue alternative credentials (also known as ID switch). So if Swedish BankID is used for the initial user onboarding then Swedish BankID should also be used for all subsequent authentications.

# Method names in authentication URLs

You may set up the user flow in different ways, by using specific methods that Signicat provides.

When you want to redirect the end-user so they can authenticate, you have to include the name of the relevant method in the redirect URL. The table below shows which method names are available for authentication and digital onboarding. For further information about the authentication URL, see the Authentication API.

| Method name | Description |
|---|---|
| sbid | Regular Swedish BankID. Displays a device selection screen with options for both mobile and desktop. Normally used on a website. See flow examples. |
| sbid-remote | Displays an entry field for the national ID, to be consumed by mobile BankID. Normally used on a website for desktop. See flow example. |
| sbid-qr-remote | Displays a QR code to be consumed only by mobile BankID. Normally used on a website for desktop. See flow example. |
| sbid-local | Starts on the current device. Can be used on both mobile and desktop, but it is normally used in a mobile flow. See flow example. |

'remote' means that the user must use an additional device to identify themselves.

# Regular (sbid)

When using the regular method (sbid), the user can choose between BankID on mobile and BankID on desktop. This method is normally used on a website. The following image sliders show the flow for both options.

BankID on mobile (sbid)

When the user selects BankID on mobile (normally from a website), they are asked to scan a QR code and afterwards confirm with a security code on their mobile.


BankID on desktop (sbid)

When the user selects BankID on desktop (normally from a website), they are asked to start their BankID app on their desktop and to confirm with a password in the BankID app (still on the desktop).


# Personal identity number with remote confirmation on a mobile (sbid-remote)

This configuration displays a screen (normally on a website on a desktop) where the user is asked to enter their national ID number and then must confirm with a security code on their mobile device.

QR-code is recommended

We recommend using flows with QR-code instead, since it is more secure.


# BankID app, QR code and remote confirmation on a mobile (sbid-qr-remote)

In this configuration, the user is asked to start the BankID mobile app, choose the QR code option and scan the QR code displayed on the desktop.


# BankID app on current device (sbid-local)

In this configuration, the user is asked to start the BankID app on the current device. It can be used on both mobile or desktop, but it is normally used in a mobile flow.


# Authentication result

An authentication will result in a type of response that will depend on the type of authentication protocol used. This is an example of an OIDC flow when Swedish BankID is used for authentication:

Request

```shell
curl -XGET "https://preprod.signicat.com/oidc/userinfo" -H "Authorization: Bearer ACCESS_TOKEN"
```

Response

```json
{
  "family_name": "Signicat",
  "given_name": "John",
  "locale": "SE",
  "name": "John Signicat",
  "signicat.national_id": "199010275312",
  "sub": "KGMyh5FBCMTkEN934sOLyyBS0rPd4-up",
  "subject.nameid.namequalifier": "BANKID-SE"
}
```

The OIDC result will be the same regardless of whether it is Swedish BankID or Swedish Mobile BankID optimised for in-app that is used during authentication. See more about the in-app solution here.

# Electronic signatures

For electronic signing of documents, Swedish BankID can be used in two ways: authentication-based signing or third-party signing.

The first alternative, authentication-based signing, is Signicat's own signing solution and supports the use of any type of authentication method provided by Signicat. Swedish BankID as an authentication method is used for this alternative, where the authentication result is reused for signing. It will ensure a unified output format in accordance with EU specifications as well as a scalable, responsive signing interface supporting all modern device standards and window sizes.

The second alternative, performing native signing with Swedish BankID as a third-party method, is Swedish BankID’s native signing support. It will not follow the same output formats and cannot be guaranteed to support a responsive signing interface nor necessarily support all of the same signing functionalities as the authentication-based alternative. Swedish BankID natively supports signing of text documents in the BankID säkerhetsprogram (BankID Security Application). The technical requirements are that your text document is UTF-8 encoded and doesn’t exceed 100 KB. Control characters such as TAB and CR LF are allowed. This file is a text document which is within the 100 KB limit.
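The two technical requirements in the paragraph above (strict UTF-8 encoding, at most 100 KB) are easy to check before a text document is submitted for native signing. The following is an added example, not code from Signicat or BankID. It assumes that 100 KB means 100 × 1024 bytes, and that control characters other than TAB, CR and LF are worth reporting but not rejecting, since the page names only those three as allowed; the sample documents are constructed for the example.

```python
from pathlib import Path

# Assumption: "100 KB" is read here as 100 * 1024 bytes; adjust if the limit
# turns out to be decimal (100 000 bytes).
MAX_BYTES = 100 * 1024

# Control characters the page explicitly allows in the signed text.
ALLOWED_CONTROL = {"\t", "\r", "\n"}


def check_sign_text(data: bytes) -> dict:
    """Pre-flight check of a document intended for native BankID text signing.

    Returns a dict with the individual findings; 'ok' is True only when the
    bytes decode as strict UTF-8 and the size is within the limit. Other C0
    control characters are only reported, not rejected, because the page does
    not say they are forbidden.
    """
    result = {
        "size_bytes": len(data),
        "size_ok": len(data) <= MAX_BYTES,
        "utf8_ok": False,
        "other_control_chars": set(),
        "ok": False,
    }
    try:
        # errors="strict" is the point: a latin-1 'ö' or a stray byte must fail here
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return result
    result["utf8_ok"] = True
    result["other_control_chars"] = {
        ch for ch in text if ord(ch) < 0x20 and ch not in ALLOWED_CONTROL
    }
    result["ok"] = result["size_ok"] and result["utf8_ok"]
    return result


def check_sign_text_file(path: str) -> dict:
    """Same check for a file on disk."""
    return check_sign_text(Path(path).read_bytes())


# Constructed samples (not files from the page).
GOOD = "Avtal\r\nBelopp:\t1 000 kr\r\nHärmed godkänner jag villkoren.\r\n".encode("utf-8")
BAD_ENCODING = "Avtal för kund".encode("latin-1")   # 'ö' becomes 0xF6, which is not valid UTF-8
TOO_BIG = b"x" * (MAX_BYTES + 1)
WITH_BELL = GOOD + b"\x07"                           # allowed by the check, but reported

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD_ENCODING", BAD_ENCODING),
                         ("TOO_BIG", TOO_BIG), ("WITH_BELL", WITH_BELL)]:
        print(name, check_sign_text(sample))
```

A document that fails the UTF-8 check usually comes from a Windows-1252 or ISO-8859-1 export of Swedish text. Re-encode it as UTF-8 rather than stripping the non-ASCII characters, so that the text the user signs is the text the user reads.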

The signing result will, regardless of the alternative chosen for signing, result in a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). See the Result section for signing result examples.

For more information about getting started with electronic signatures, the different signing methods and more, refer to our electronic signature documentation.

# Method names

# Signing with signed statement

You can use the same authentication method names as described in Method names in authentication URLs.

# Third-party signing

| Method name | Description |
|---|---|
| sbid-sign | Regular Swedish BankID signing |
| sbid-qr-sign | Swedish BankID signing with QR code scan |

# Screenshots for desktop

The screenshots illustrate authentication-based signing and third-party signing when using Swedish BankID. In both flows, there are two documents for signing, ‘Letter of intent’ and ‘Contract details’, as well as one document for viewing only, ‘Information about Signicat’.

# Authentication-based signing


# Third-party signing


# Screenshots for mobile

The screenshot below illustrates the signing process for Mobile BankID.


Signing with Swedish BankID also supports the scanning of a QR code in order to perform the signing process. Contact support@signicat.com in order to have this functionality configured.

# Signing result

The signing result will produce a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES as LTV-SDOs).

# Authentication-based signing

An example of an LTV-SDO as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

# Third-party signing

An example of an LTV-SDO as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

# How to get started with Swedish BankID

In order for Signicat to set up a new solution with Swedish BankID, there are two pieces of information the customer must provide before Signicat can start the process:

  • A preferred BankID bank. If the customer does not have a preferred BankID bank, Signicat will select an issuing bank.
  • A display name for the BankID app.

The customer then signs an agreement with Signicat AS, which enables Signicat to have a Relying Party certificate (Förlitandepartcertifikat, or FP-certifikat) issued on behalf of the customer. Signicat is an official BankID broker, approved by Finansiell ID-Teknik in Sweden.

Signicat will then install the Relying Party certificate in the customer’s service. No further input is normally needed from the customer.

# Certificate information

# Relying Party Certificate

The Relying Party certificate (Förlitandepartcertifikat, or FP-certifikat) is used to identify a service provider offering BankID. It is intended to secure communication to and from said service provider. It does not store any personally identifiable information.

Important

The Relying Party certificates created by Signicat cannot be used outside of Signicat's solution, i.e. not in applications that do not use Signicat's cloud service. If a certificate without this limitation is desired, see our documentation on how to get started with Swedish BankID through an agreement with a BankID bank.

# BankID e-identity for private persons

Personal BankID certificates are usually accessed via an app on the end-user’s phone. In a few cases, they are stored on a smartcard or on a file on the end-user’s computer.

Several Swedish banks are capable of issuing BankID e-identities for private persons. Such identities roam across banks.

# Test information

Signicat offers 24/7/365 free access to the test environment at preprod.signicat.com.

# Certificates for test users

If you already have a certificate for production BankID, you can log in to https://demo.bankid.com and issue test certificates as explained below. This is also possible using an existing valid test certificate.

Prepare a name and personnummer (Swedish national identification number) for the test users you would like to create. The personnummer should be a valid combination of 12 digits. You can use www.personnummer.nu to create a valid personnummer for Sweden; see the next section for how to obtain one. You will get a number in the format YYMMDD-XXXX, which you have to change to YYYYMMDDXXXX. If you do not have a Swedish BankID, you may order a code from https://demo.bankid.com/CreateCode.aspx and issue new test users according to the ‘How to obtain the test user’ section.

If you do not have a personnummer, you may construct one for testing. This must be a properly formatted national ID including a control digit. For details, see www.personnummer.nu.

# How to obtain a personnummer (Swedish national identification number)

To get a Swedish personnummer you can go to www.personnummer.nu to generate one.

If you do not understand Swedish

  • Födelsedatum = Date of birth (ÅÅ-MM-DD) = (YY-MM-DD) as in year-month-day.
  • Kön = Sex
  • Kvinna = Woman
  • Man = Man
  • Generera = Generate

The highlighted field is the generated personnummer. To use it for authenticating or signing, you need to remove the hyphen and add a prefix. The prefix is the first two digits of the year the person was born: if the person was born between 1900 and 1999, the prefix is 19; if between 2000 and 2099, the prefix is 20.

The generated personnummer 800618-4629 would appear as 198006184629 without the hyphen and with the prefix.
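Both the personnummer handling described here (a YYMMDD-XXXX number from www.personnummer.nu converted to YYYYMMDDXXXX with a correct control digit) and the `signicat.national_id` claim in the userinfo response shown under Authentication result can be validated with the same code. The following is an added example, not code from Signicat or BankID: it converts the short form to the 12-digit form with a caller-supplied century (19 or 20, as explained above), computes the control digit with the Luhn (mod 10) algorithm that Swedish personnummer use, and checks the userinfo claims before the national ID is stored. The sample userinfo JSON is the one from this page, embedded as a constructed string.

```python
import json
import re
from datetime import date

# Added example, not Signicat's or BankID's own code.


def luhn_check_digit(nine_digits: str) -> int:
    """Control digit of a Swedish personnummer: Luhn (mod 10) over YYMMDDNNN.

    Weights alternate 2,1,2,... starting from the leftmost digit; a two-digit
    product is replaced by the sum of its digits (e.g. 16 -> 7).
    """
    if not re.fullmatch(r"\d{9}", nine_digits):
        raise ValueError(f"expected 9 digits, got {nine_digits!r}")
    total = 0
    for i, ch in enumerate(nine_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d   # digit sum of d when d >= 10
    return (10 - total % 10) % 10


def to_long_format(short: str, century: int) -> str:
    """YYMMDD-XXXX -> YYYYMMDDXXXX.

    The century (19 or 20) is supplied by the caller, as the page instructs,
    because the short form from www.personnummer.nu does not carry it.
    """
    m = re.fullmatch(r"(\d{6})-(\d{4})", short)
    if not m or century not in (19, 20):
        raise ValueError(f"not a YYMMDD-XXXX personnummer: {short!r}")
    return f"{century}{m.group(1)}{m.group(2)}"


def is_valid_personnummer(pnr: str) -> bool:
    """True for a 12-digit YYYYMMDDXXXX with a real calendar date and a
    correct Luhn control digit. Assumption: plain birth dates only."""
    if not re.fullmatch(r"\d{12}", pnr):
        return False
    try:
        date(int(pnr[0:4]), int(pnr[4:6]), int(pnr[6:8]))
    except ValueError:
        return False
    # The control digit covers the 10-digit form, i.e. without the century.
    return luhn_check_digit(pnr[2:11]) == int(pnr[11])


def check_bankid_userinfo(userinfo_json: str) -> dict:
    """Sanity-check the userinfo claims returned after a BankID authentication
    (claim names as shown on this page) before the national ID is persisted."""
    claims = json.loads(userinfo_json)
    pnr = claims.get("signicat.national_id", "")
    valid = is_valid_personnummer(pnr)
    return {
        "sub": claims.get("sub"),
        "issuer_is_bankid_se": claims.get("subject.nameid.namequalifier") == "BANKID-SE",
        "national_id_valid": valid,
        "national_id": pnr if valid else None,
    }


# Constructed sample: the userinfo response shown on this page.
SAMPLE_USERINFO = """{
  "family_name": "Signicat",
  "given_name": "John",
  "locale": "SE",
  "name": "John Signicat",
  "signicat.national_id": "199010275312",
  "sub": "KGMyh5FBCMTkEN934sOLyyBS0rPd4-up",
  "subject.nameid.namequalifier": "BANKID-SE"
}"""

if __name__ == "__main__":
    print(to_long_format("800618-4629", 19))      # 198006184629
    print(is_valid_personnummer("198006184629"))   # True
    print(check_bankid_userinfo(SAMPLE_USERINFO))
```

The date check rejects coordination numbers (samordningsnummer), which add 60 to the day of birth; relax it if your test users carry such numbers. Validating the control digit catches typos when test users are created, but it is not an authenticity check: the identity assertion comes from the `BANKID-SE` name qualifier and the OIDC token, not from the number's internal consistency.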

# How to install the application

# How to install the application (Android)

  1. To install the Swedish Mobile BankID application for testing, you first have to download it from this page: http://www.bankid.com/rp/info/
  2. Under the header “Test av BankID”, choose the “Testversion BankID säkerhetsapp för Android” link and save the .apk file you get.
  3. Send the .apk file to your smartphone by email.
  4. You have to allow the phone to install from unknown sources.
  5. Click the .apk file in your email and install the app.
  6. When you open the app, you need a Swedish personnummer for testing purposes and an activation code.

The installation file can be found here.

# How to install the application (iOS)

  1. Install BankID säkerhetsapp from the App Store.
  2. Go into Settings -> BankID -> Utvecklare (Developer) -> Server. Change this to businternal.test.bankid.com. This setting makes the security app communicate with the test environment instead of production. It cannot be changed back. If you later need the production version, uninstall the app and install it again via the App Store.

# How to install the application (Windows Phone 8)

  1. Install the BankID säkerhetsapp from the Windows Phone Store
  2. Start the BankID Security App, select Settings / Developer / Server and enter "businternal.test.bankid.com"
  3. Save, exit the BankID Security App and launch again
  4. The BankID Security App will now connect to the test server

# How to install the application (Windows)

  1. Uninstall all previous versions of the BankID säkerhetsprogram. Reboot the PC.
  2. Download and install the latest version, available at https://install.bankid.com/
  3. Find the config folder at this location: %APPDATA%\Roaming\BankID\ (find AppData by writing %appdata% in the address bar).
  4. You will end up in the ‘Roaming’ folder. From there, continue to the BankID folder. Your address path should now look like C:\Users\Steffen (your username)\AppData\Roaming\BankID. Here, you will find a folder named ‘Config’.
  5. Rename this to ‘Config.prod’ and create a new folder named ‘Config’.
  6. Open the ‘Config’ folder you created. Create a new .txt file and name it CavaServerSelector.txt.
  7. Open it in Notepad, write “kundtest” and save.
  8. Restart the PC.

# How to obtain the test user

Go to https://demo.bankid.com/ and log in using your preferred option.

https://www.bankid.com/rp/info also contains links and information about Swedish BankID and how to obtain test users.

There are four options:

  1. “Logga in med test-BankID” = Log in with a test BankID.
    You can either log in with a test user on the computer or with a test user using the mobile application you installed (that is, if you already have a test user in the app or on the computer).
  2. “Logga in med produktions-BankID” = Log in with a production BankID.
    If you have a Swedish BankID, you can log in with your production BankID on the computer or in the production app (if you have set up the app for your BankID).
  3. “Logga in med personlig kod” = Log in with a personal code.
    If you do not have a personal code, you can choose to generate a new code.
  4. “Logga in med BankID på fil eller kort – Plugin” = Log in with a BankID on file or card – Plugin.
    Here you would have been able to use the old solution with plug-ins in the browser that were phased out during 2014. This is the option you would have chosen if you had BankID Security 5.0.2 or older.

After logging in, choose “Hämta BankID för test”.

On the next page, you can choose to download Mobile BankID (left) or desktop BankID (right). Fill in the form with the personnummer as well as first and last name and click “Hämta”.

# Mobile client

If you choose Mobile BankID, you will get an activation code such as the following (you must disable any popup blockers). This code is valid for 10 minutes.

Open the BankID app on your phone, enter the personnummer and activation code. In the next window, you create a PIN code with at least 6 digits. The last two images below show the end of the activation process and the phone settings indicating that Swedish BankID is ready for use.


# Desktop client

If you choose BankID on file, you will be presented with a new window (you must disable any popup blockers). Press "Open BankID issuing” to get started and download the client, install it and choose your password. After you have downloaded and installed the app you will be asked to choose a password for your BankID. You have to remember this PIN code for use later when you test authentication/ signing. The app will not allow you to choose a simple code like 111111 or 123456, so it is recommended to use date of birth, e.g. 180680.


# If you have an ordinary or test BankID, you may follow these steps:

  1. Access https://demo.bankid.com/nyademobanken.
  2. Log in with your BankID and select "Hämta BankID för test”.
  3. You will receive an activation code which you may use in the BankID säkerhetsapp.
  4. Select your security code for Mobile BankID, minimum 6 digits.

If you don’t have a Swedish BankID, you may follow this manual procedure:

  1. Send an email to teknikinfo@bankid.com (Finansiell ID-Teknik) and describe where you work, the purpose of your development and your phone numbers.
  2. They will contact you and initiate creation of a test BankID. During this process you have to enter some data into the BankID säkerhetsapp. They will verify that the newly issued BankID is working.
  3. If you do not have a personnummer, you may construct one for testing. This must be a properly formatted national ID including a control digit. See: www.personnummer.nu.

# Getting started

# For merchants

Existing customers of Signicat may contact support@signicat.com to find out what needs to be done to get up and running with Mobilt BankID.

For other customers the establishment process is identical with ordinary Swedish BankID. See a detailed description under certificates.

  1. You will need a merchant agreement with your bank.
  2. The bank performs a "Köpargenomgång” of your company.

After the agreements are signed and "Köpargenomgång” is performed, the bank will issue a merchant certificate for the test and production environment.

# For end-users

End-users must install the BankID säkerhetsapp on their mobile device.

  • For Android users, the BankID säkerhetsapp may be installed from Google Play.
  • For iOS users, the BankID säkerhetsapp may be installed from AppStore.

# How to integrate authentication with Swedish BankID from headless systems

In May 2014, Signicat released a version of Swedish Mobile BankID optimised for in-app usage. If you want to send headless authentication requests (typically from a backend or app to backend system) via Signicat, we recommend using our OpenID Connect (OIDC) API as a mediator. Refer to our documentation on headless authentication for further details.

# Description of the Android App

The Signicat Swedish Mobile BankID Android App (referred to as the app or android app for the rest of this document) is a native Android app that demonstrates using Swedish Mobile BankID for authentication from a native app. It uses Signicat services and demonstrates a simple authentication scenario where the user enters their personnummer, continues the process in the BankID app and finally returns to the app for completion.

If you are building your own browserless native app and want to use mobile text-only signing, or Consent Signature, via Signicat, you can do this using our OpenID Connect (OIDC) API as a mediator. Refer to our documentation on Consent Signature for detailed information on how to integrate Consent Signature.

# Detecting if the end-user has the BankID app installed

# From a native app

If you are writing a native app where you use Signicat services for your authentication or signature needs, then you will be able to detect if the end-user has installed the BankID app necessary to complete the transaction.

# Detecting on iOS

```objectivec
// YES if some app on the device has registered the bankid:// URL scheme.
BOOL installed = [[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"bankid://"]];
```

Refer to Apple Developer for more information on canOpenURL:. Note that since iOS 9 the scheme you query (here bankid) must be listed in the LSApplicationQueriesSchemes array of your app's Info.plist; otherwise canOpenURL: returns NO regardless of whether the app is installed.

# Detecting on Android

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;

// True if the Swedish Mobile BankID app (package com.bankid.bus) is installed.
private boolean isSwedishMobiltBankIdInstalled(Context context) {
    PackageManager pm = context.getPackageManager();
    try {
        // Throws NameNotFoundException when no package with this name is installed.
        pm.getPackageInfo("com.bankid.bus", PackageManager.GET_ACTIVITIES);
        return true;
    } catch (NameNotFoundException e) {
        return false;
    }
}
```

Refer to Android Developers for more information about the PackageManager. On Android 11 (API level 30) and later, package visibility filtering applies: getPackageInfo only sees other packages that your app declares in a <queries> element in its manifest, so add com.bankid.bus there, or the check returns false even when the app is installed.

# From a web page on a mobile device

It is not possible to detect if the end-user has the BankID app installed from a web page on a mobile device. Otherwise, it would be possible for any web page to scan users’ phones and tablets for which apps are installed, perhaps to target an attack against the user.

The good news is that you do not have to do anything about this because Signicat already does its best depending on the platform.

  • For iOS, an attempt is made to launch the app from javascript. If nothing seems to happen, a message is displayed saying that it appears that the app could not be launched, along with a link to the app store.
  • For Android, a message is immediately presented to the user saying that the app is required to complete the process (along with a link to the app store). Two buttons are presented, one to launch the app and one to cancel. If the user chooses to launch the app even though it is not installed, nothing happens. Presumably, the end-user realises the mistake and either proceeds to download the app or simply cancels.

# Swedish BankID support

| Support email | Website homepage |
|---|---|
| teknikinfo@bankid.com | www.bankid.com |

# Other sources

Last updated: 10/1/2021, 2:05:06 PM