
# Authentication

This page shows the different MitID authentication flows that Signicat supports.




Since the process in all the flows is quite similar, we only provide a step-by-step list with image sliders for the "normal" authentication. The difference lies in the step for the chosen authenticator. The following screen examples show the advanced graphical profile in the desktop version.

# Normal authentication

The normal MitID authentication flow consists of two main steps (we assume the user has already selected a login link from the service provider site):

  1. The user enters the username in the MitID Login box.
  2. The user authenticates using authenticators applicable for the requested LoA or AAL.

If you have set up CPR matching, the user is asked to provide their CPR match after step 2. For more details, see CPR matching.

After a successful login, the Approved screen is displayed and the user is redirected to the service provider site as logged in.

This image slider shows an example of a normal authentication with the MitID code display authenticator. This example shows the advanced graphical profile in mobile version.


The flow is quite similar when using the other authenticators. The difference lies in the step for the chosen authenticator:

  • MitID app: After having entered the username (no password is needed), the user is asked to approve in the MitID app. The user either approves with a 6-digit PIN or with biometrics (fingerprint or face ID).
  • MitID code display and MitID audio code reader: After having entered the username and password, the user is asked to confirm with a one-time password (OTP) received on their token.
  • MitID chip: After having entered the username and password, the user is asked to confirm with their chip.

The chosen authenticator combination also decides the LoA/AAL (see Possible Authenticator combinations).

# CPR matching (add-on)

Signicat offers a CPR match flow that can be conducted after a MitID authentication. This is useful, since private service providers are not permitted to do a direct CPR lookup for a user in MitID, but they can match a given CPR number.

This is an example of Signicat's user interface for CPR matching, displayed after the MitID authentication flow (e.g. see Normal authentication):


This example shows the mobile version and uses an advanced graphical profile.

MitID enforces a maximum limit of three attempts to match the CPR number within a given authentication.

Signicat supports three possible sources that can provide the CPR number for matching: CPR from user, cache and prefilled subject (see below).

# CPR from user

The end-user provides their CPR number themselves by entering it as an input in Signicat’s CPR user interface (see screen example above). This can be considered the default source for the CPR number: If no other source was provided or the prefilled/cached CPR number does not give a positive match, the user will be prompted to provide it themselves. If the user enters an incorrect CPR number, they are met with a warning as well as information detailing how many remaining attempts they have.

# CPR from cache

If the end-user has provided their CPR number and checked the “Remember my CPR number” checkbox in the CPR user interface (see screen example above) and gets a positive match, Signicat will store the number for that user for a period of 90 days (by default). The next time the user conducts a CPR match flow (within the expiration time period and on the same service) the cached CPR will be used for matching, meaning the user will not have to provide it again themselves.

# CPR from prefilled subject

In the CPR match flow, you can use the subject prefilled parameter to inform Signicat of the CPR number that you want to match against the user being authenticated. The effect of this is that when the user has authenticated, the prefilled subject value will be matched using MitID's CPR matching service. If the match is successful, the transaction will complete without further user action. If the match is unsuccessful, the user will be prompted with Signicat's CPR user interface (see screen example above) to provide their CPR number manually instead.

The box below shows code examples with the subject prefilled parameter.

# OIDC example


```
login_hint=nin:2805542112
```

# REST API example

```json
{
  "prefilledInput": {
    "nin": "2805542112"
  }
}
```
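
The following is an added example, not Signicat's code: it checks the structure of a CPR number before using it as the prefilled subject, then builds both forms shown above. A malformed value cannot match and only sends the user to the manual prompt. The endpoint, client ID, redirect URI and function names are hypothetical placeholders, and the other query parameters are the minimal standard OIDC ones, assumed here.

```python
import json
import re
import secrets
from datetime import date
from urllib.parse import urlencode

# Hypothetical placeholders, not Signicat values.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://rp.example/callback"


def normalize_cpr(raw: str) -> str:
    """Return the CPR as 10 digits, or raise ValueError.

    Structure only: ten ASCII digits starting with a plausible DDMMYY.
    Whether the number belongs to the user is decided by the CPR match.
    """
    cpr = raw.strip().replace("-", "")  # accept the DDMMYY-SSSS spelling
    if not re.fullmatch(r"[0-9]{10}", cpr):
        raise ValueError("CPR must be exactly 10 digits")
    day, month, year = int(cpr[0:2]), int(cpr[2:4]), int(cpr[4:6])
    try:
        # The century is not checked here; 2000 + YY keeps 29 February
        # valid for every two-digit leap year.
        date(2000 + year, month, day)
    except ValueError:
        raise ValueError("CPR does not start with a valid DDMMYY date") from None
    return cpr


def oidc_authorize_url(cpr: str):
    """Return (url, state, nonce) for a request with login_hint=nin:<CPR>."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,   # compare with the state returned on the callback
        "nonce": nonce,   # compare with the nonce claim in the ID token
        "login_hint": "nin:" + normalize_cpr(cpr),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def rest_prefilled_body(cpr: str) -> str:
    """Return the REST fragment from this page with a validated CPR."""
    return json.dumps({"prefilledInput": {"nin": normalize_cpr(cpr)}})
```

`urlencode` percent-encodes the colon, so the value travels as `login_hint=nin%3A2805542112` and decodes to `nin:2805542112` on the receiving side.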
Last updated: 8/16/2021, 7:43:17 AM