Swedish BankID

About Swedish BankID

Swedish BankID is a personal and easy method of secure electronic identification and signing on the Internet.

Individuals who have a Swedish personnummer (Swedish national identification number) can obtain Swedish BankID through their bank. A BankID has the same value and is used the same way, regardless of the bank that issued it. BankID may be issued to persons over 18 years, but several banks also give BankID to persons under 18 years.

Swedish BankID clients exist for desktop (Windows or macOS) and mobile devices (Mobile BankID on Android or iOS).

The banks issuing Swedish BankID

The banks issuing BankID to private individuals are Handelsbanken, SEB, Swedbank, SkandiaBanken, Länsförsäkringar Bank, Danske Bank, Sparbanken Finn, Sparbanken Gripen and Ikano Bank. Together, these banks have more than 5.6 million Internet customers who have the option of using their BankID in more than 300 different service applications.

Integrating with Swedish BankID through Signicat

Signicat has an integration with Swedish BankID and delivers it, together with a large number of other integrated ID methods, through a single point of integration. For our customers, this means a shorter time to production and time saved on integrating and maintaining connections to one or several identity providers. Through the single point of integration, you get access to Signicat’s wide portfolio of integrated ID methods: not only Swedish BankID, but also other services such as identity paper verification, lookups, and video assurance.

Digital onboarding

Swedish BankID can be used for digital onboarding of a user through user identification. The ID method can be used as a stand-alone method or in combination with other services provided by Signicat to assure an identity, such as identity paper verification, lookups, and video assurance.

Use case

In order to become a customer, you first have to register. During this digital onboarding process, you can choose to use Swedish BankID, among others, as an ID method to register as a user for the first time.

NOTE: If Swedish BankID is used for user onboarding, it is not allowed to issue alternative credentials (also known as ID switch). So if Swedish BankID is used for the initial user onboarding then Swedish BankID should also be used for all subsequent authentications.

Screenshots

Authentication

When the user has completed the digital onboarding process, Swedish BankID can be used for authentication by verifying an existing user’s identity. Getting started guides for authentication with the different Signicat Connect authentication protocols can be found here.

An authentication will result in a type of response that will depend on the type of authentication protocol used. See the Result section for an example.

Use case

As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. Swedish BankID can be used for authentication, the same way it can be used for registering as a new customer.

Screenshots for desktop

Screenshots for mobile

The user provides his/her personnummer (Swedish national identification number) and security code using the BankID säkerhetsapp on his/her mobile phone or tablet.

Alternatively, Signicat offers the ability to use the Mobilt BankID app to scan a QR code that is displayed on a different device (such as a desktop PC). This replaces the need for providing a personnummer and enhances the security of the authentication process, as both the user and the web browser that the code is scanned from need to be in the same place.

Result

An example of an OpenID Connect response when Swedish BankID is used for authentication can be found here. The OIDC result will be the same regardless of whether it is Swedish BankID or Swedish Mobile BankID optimized for in-app that is used during authentication. See more about the in-app solution here.

Electronic signing

For electronic signing of documents, Swedish BankID can be used in two ways: authentication-based signing or third-party signing.

The first alternative, authentication-based signing, is Signicat’s own signing solution and supports the use of any type of authentication method provided by Signicat. Swedish BankID as an authentication method is used for this alternative, where the authentication result is reused for signing. It will ensure a unified output format in accordance with EU specifications as well as a scalable, responsive Signflow supporting virtually all modern device standards and window sizes.

The second alternative, performing native signing with Swedish BankID as a third-party method, is Swedish BankID’s native signing support. It will not follow the same output formats and cannot be guaranteed to support responsive Signflows nor necessarily support all of the same signing functionalities as the authentication-based alternative. Swedish BankID natively supports signing of text documents in the BankID säkerhetsprogram (BankID Security Application). The technical requirements are that your text document is UTF-8 encoded and doesn’t exceed 100 KB. Control characters such as TAB and CR LF are allowed. This file is a text document which is within the 100 KB limit: Example text document
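The paragraph above gives two hard requirements for a text document that is to be signed natively: it must be UTF-8 encoded and it must not exceed 100 KB. The size limit applies to the encoded bytes, not the character count, so text with many non-ASCII characters (Swedish å, ä, ö are two bytes each) hits the limit earlier than its length suggests. The checker below is an added example written for this page, not Signicat’s or BankID’s own code; it assumes 100 KB means 100 × 1024 bytes (the page gives no exact byte count) and reports, without rejecting, control characters other than the TAB and CR LF the page explicitly allows.

```python
MAX_BYTES = 100 * 1024                 # "100 KB" read as 100 KiB; assumption, page gives no exact count
ALLOWED_CONTROL = {"\t", "\r", "\n"}   # TAB and CR LF are explicitly allowed by the page


def check_sign_text(document, max_bytes: int = MAX_BYTES) -> dict:
    """Check a text document against the two stated requirements.

    `document` may be a str (which will be UTF-8 encoded) or bytes as read
    from a file (which must decode as UTF-8)."""
    if isinstance(document, bytes):
        try:
            text = document.decode("utf-8")
        except UnicodeDecodeError as exc:
            return {"ok": False, "reason": f"file is not valid UTF-8: {exc}",
                    "bytes": len(document), "chars": None, "other_control_chars": None}
        encoded = document
    else:
        try:
            encoded = document.encode("utf-8")
        except UnicodeEncodeError as exc:   # e.g. a lone surrogate
            return {"ok": False, "reason": f"text is not UTF-8 encodable: {exc}",
                    "bytes": None, "chars": len(document), "other_control_chars": None}
        text = document

    # Informational only: C0 controls other than TAB/CR/LF are counted, not rejected,
    # because the page does not say they are disallowed.
    other_controls = sum(1 for ch in text if ord(ch) < 0x20 and ch not in ALLOWED_CONTROL)

    report = {"ok": True, "reason": None, "bytes": len(encoded),
              "chars": len(text), "other_control_chars": other_controls}
    if len(encoded) > max_bytes:
        # The limit is on UTF-8 bytes: 60 000 'ä' characters are already 120 000 bytes.
        report.update(ok=False,
                      reason=f"{len(encoded)} UTF-8 bytes exceeds the {max_bytes} byte limit")
    return report


if __name__ == "__main__":
    # Constructed sample text, not a real agreement.
    print(check_sign_text("Jag godkänner avtalet.\r\nRad 2\tkolumn"))
    print(check_sign_text("ä" * 60000))
```

Run the checker on the bytes read from the file you intend to submit rather than on a string you decoded yourself, so the UTF-8 check is done on what BankID will actually receive.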

The signing result will, regardless of the alternative chosen for signing, result in a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES, implemented as LTV-SDO). See the Result section for signing result examples.

For more information about getting started with electronic signing, the different signing methods and more, please see this page for the signing documentation.

Use case

With Signicat Signature you can use Swedish BankID to sign (as well as view or upload) one or more documents, such as loan applications or contracts. Signing with authentication-based signing will allow you to sign all documents at once, while third-party signing will require you to sign the documents one at a time.

Screenshots for desktop

The screenshot illustrates authentication-based signing and third-party signing when using Swedish BankID. In both flows, there are two documents for signing, ‘Letter of intent’ and ‘Contract details’, as well as one document for viewing only, ‘Information about Signicat’.

Authentication-based signing
Third-party signing

Screenshots for mobile

The screenshot below illustrates the signature process for Mobile BankID.

Signing with Swedish BankID also supports the scanning of a QR code in order to perform the signature process. Please contact support@signicat.com in order to have this functionality configured.

Result

The signing result will produce a PAdES (PDF Advanced Electronic Signature) consisting of one or more signed documents (XAdES as LTV-SDOs).

Authentication-based signing

An example of an LTV-SDO as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with authentication-based signing and Swedish BankID as the authentication method, can be found here.

Third-party signing

An example of an LTV-SDO as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

An example of a PAdES as a signing result, with third-party signing and Swedish BankID as the authentication method, can be found here.

How to get started with Swedish BankID

In order for Signicat to set up a new solution with Swedish BankID, there are two pieces of information the customer must provide before Signicat can start the process:

  • A preferred BankID bank. If the customer does not have a preferred BankID bank, Signicat will select an issuing bank.
  • A display name for the BankID app.

The customer then signs an agreement with Signicat AS, which enables Signicat to have a Relying Party certificate (Förlitandepartcertifikat, or FP-certifikat) issued on behalf of the customer. Signicat is an official BankID broker, approved by Finansiell ID-Teknik in Sweden.

Signicat will then install the Relying Party certificate in the customer’s service. No further input is normally needed from the customer.

Certificate information

Relying Party Certificate

The Relying Party certificate (Förlitandepartcertifikat, or FP-certifikat) is used to identify a service provider offering BankID. It is intended to secure communication to and from said service provider. It does not store any personally identifiable information.

Please note that the Relying Party certificates created by Signicat cannot be used outside of Signicat’s solution, i.e. not in applications that do not use Signicat’s cloud service. If a certificate without this limitation is desired, please see our documentation on how to get started with Swedish BankID through an agreement with a BankID bank.

BankID e-identity for private persons

Personal BankID certificates are usually accessed via an app on the end-user’s phone. In a few cases, they are stored on a smartcard or on a file on the end-user’s computer.

Several Swedish banks are capable of issuing BankID e-identities for private persons. Such identities roam across banks.

Test information

Signicat offers 24/7/365 free access to the test environment at preprod.signicat.com.

Certificates for test users

If you already have a certificate for production BankID, you can log in to https://demo.bankid.com and issue test certificates as explained below. This is also possible using an existing valid test certificate.

Prepare a name and personnummer (Swedish national identification number) for each test user you would like to create. The personnummer must be a valid 12-digit combination. You can use www.personnummer.nu to generate a valid Swedish personnummer; see the next section on how to obtain one. The generated number has the format YYMMDD-XXXX and must be changed to YYYYMMDDXXXX. If you do not have a Swedish BankID, you may order a code from https://demo.bankid.com/CreateCode.aspx and issue new test users as described in the ‘How to obtain the test user’ section.

If you do not have a personnummer, you may construct one for testing. This must be a properly formatted national ID including a control digit. For details, see www.personnummer.nu.

How to obtain a Swedish National ID number

To get a Swedish National ID number you can go to www.personnummer.nu to generate one.

For those who do not understand Swedish:

Födelsedatum = Birth date (ÅÅ-MM-DD) = (YY-MM-DD) as in year-month-day.

Kön = Sex

Kvinne = Woman

Man = Man

Generera = Generate


The highlighted field is the generated National ID number. To use it for authenticating or signing you need to remove the hyphen and add a prefix. The prefix is the first two digits of the year the person was born: if the person was born between 1900 and 1999 the prefix is 19, and if the person was born between 2000 and 2099 the prefix is 20.

The generated National ID number 800618-4629 would appear as 198006184629 without the hyphen and with the prefix.
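The conversion described above (drop the hyphen, prefix the century) and the requirement stated elsewhere on this page that a constructed personnummer must carry a correct control digit can both be checked in code. The following is an added example written for this page, not code from Signicat or BankID: the control digit is the Luhn check digit over the first nine digits of the 10-digit form, which is the standard Swedish personnummer rule. Because a 10-digit number does not carry its century, the century is passed in explicitly; the calendar-date check at the end is an addition of this example and only accepts ordinary dates.

```python
import re
from datetime import date
from typing import Optional


def luhn_control_digit(nine_digits: str) -> int:
    """Control digit for the first nine digits of the 10-digit form YYMMDDXXXC.

    Double every other digit starting with the first, add the digits of each
    product, and pick C so that the total becomes a multiple of 10."""
    total = 0
    for i, ch in enumerate(nine_digits):
        d = int(ch)
        if i % 2 == 0:      # 1st, 3rd, 5th, ... digit is doubled
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


def strip_to_ten(pnr: str) -> str:
    """Accept 'YYMMDD-XXXX', 'YYMMDDXXXX' or 'YYYYMMDDXXXX' and return the
    10-digit form; raise ValueError for anything else."""
    digits = re.sub(r"[-\s]", "", pnr)
    if not digits.isdigit() or len(digits) not in (10, 12):
        raise ValueError(f"expected 10 or 12 digits (hyphen optional), got {pnr!r}")
    return digits[-10:]


def is_valid_personnummer(pnr: str) -> bool:
    """True when the last digit is the correct Luhn control digit."""
    try:
        ten = strip_to_ten(pnr)
    except ValueError:
        return False
    return luhn_control_digit(ten[:9]) == int(ten[9])


def to_twelve_digits(pnr: str, birth_century: Optional[str] = None) -> str:
    """Drop the hyphen and prefix the first two digits of the birth year.

    A 10-digit number does not carry its century, so it must be supplied as
    '19' or '20'; a 12-digit input keeps the century it already has."""
    digits = re.sub(r"[-\s]", "", pnr)
    if len(digits) == 12:
        birth_century = digits[:2]
    if birth_century not in ("19", "20"):
        raise ValueError("birth_century must be '19' or '20' for a 10-digit number")
    ten = strip_to_ten(pnr)
    if not is_valid_personnummer(ten):
        raise ValueError(f"control digit does not match for {pnr!r}")
    twelve = birth_century + ten
    # Added sanity check: YYYYMMDD must be a real calendar date.
    date(int(twelve[:4]), int(twelve[4:6]), int(twelve[6:8]))
    return twelve


if __name__ == "__main__":
    # The page's own example number.
    print(to_twelve_digits("800618-4629", "19"))   # 198006184629
```

Validate the control digit before sending a personnummer to the test environment; a typo in a constructed number is otherwise only discovered as a failed authentication.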

How to install the application

How to install the application (Android)
  1. To install the Swedish Mobile BankID application for testing you first have to download it from this page: http://www.bankid.com/rp/info/
  2. Under the header “Test av BankID” choose the “Testversion BankID säkerhetsapp för Android” link and save the .apk file you get
  3. Send the .apk file to your smartphone by e-mail
  4. You have to allow the phone to install from unknown sources
  5. Click the .apk file in your e-mail and install the app
  6. When you open the app you need a Swedish National ID number (test) and an activation code

The installation file can be found here:

How to install the application (iOS)
  1. Install BankID säkerhetsapp from the App Store.
  2. Go into Settings -> BankID -> Utvecklare (Developer) -> Server. Change this to businternal.test.bankid.com.

This setting makes the security app communicate with the test environment instead of production, and it cannot be changed back. If you later need the production version, uninstall the app and install it again via the App Store.

How to install the application (Windows Phone 8)
  1. Install the BankID säkerhetsapp from the Windows Phone Store
  2. Start the BankID Security App, select Settings / Developer / Server and enter “businternal.test.bankid.com”
  3. Save, exit the BankID Security App and launch again
  4. The BankID Security App will now connect to the test server

How to install the application (Windows)
  1. Uninstall all previous versions of the BankID säkerhetsprogram. Reboot PC
  2. Download and install the latest version, available at https://install.bankid.com/
  3. Find the config folder at this location: %APPDATA%\Roaming\BankID\

(Find AppData by typing %appdata% in the address bar.)

You will end up in the ‘Roaming’ folder. From there, continue to the BankID folder. Your address path should now look like the following: C:\Users\Steffen (your username)\AppData\Roaming\BankID

Here, you will find a folder named ‘Config’.

Rename this to ‘Config.prod’ and create a new folder named ‘Config’.

Open the ‘Config’ folder you created. Create a new .txt file and name it CavaServerSelector.txt.

Open it in Notepad, write “kundtest” and save.

Restart PC.
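The Windows steps above (back up ‘Config’ as ‘Config.prod’, create a fresh ‘Config’, and write “kundtest” into CavaServerSelector.txt) can be scripted so that they are done the same way on every test machine and can be reversed. The script below is an added example for this page, not a tool from Signicat or BankID. It takes the BankID folder as a parameter; the default assumes the end result the page shows (C:\Users\<you>\AppData\Roaming\BankID), which is what %APPDATA%\BankID expands to on Windows. It refuses to overwrite an existing Config.prod, so a previously backed-up production configuration is never lost.

```python
import os
import shutil
from pathlib import Path
from typing import Optional

SELECTOR_FILE = "CavaServerSelector.txt"
TEST_SELECTOR = "kundtest"          # the only content of the selector file, as on the page


def default_bankid_dir() -> Path:
    # %APPDATA% already expands to ...\AppData\Roaming, the folder the page
    # shows as the expected end result.
    return Path(os.environ["APPDATA"]) / "BankID"


def switch_to_test_config(bankid_dir: Path) -> Path:
    """Rename Config to Config.prod, create a fresh Config and write the
    selector file. Returns the path of the selector file written.

    Refuses to run when Config.prod already exists so that an earlier backup
    of the production configuration is never overwritten."""
    config, backup = bankid_dir / "Config", bankid_dir / "Config.prod"
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; was the switch already done?")
    if config.exists():
        config.rename(backup)
    config.mkdir()
    selector = config / SELECTOR_FILE
    selector.write_text(TEST_SELECTOR, encoding="ascii")   # no trailing newline, as in Notepad
    return selector


def current_selector(bankid_dir: Path) -> Optional[str]:
    """The server selector currently configured, or None when there is none."""
    f = bankid_dir / "Config" / SELECTOR_FILE
    return f.read_text(encoding="ascii").strip() if f.exists() else None


def restore_production_config(bankid_dir: Path) -> None:
    """Reverse the switch: delete the test Config and rename Config.prod back."""
    config, backup = bankid_dir / "Config", bankid_dir / "Config.prod"
    if not backup.exists():
        raise FileNotFoundError(f"{backup} not found; nothing to restore")
    if config.exists():
        shutil.rmtree(config)
    backup.rename(config)


if __name__ == "__main__":
    print("wrote", switch_to_test_config(default_bankid_dir()), "- now restart the PC")
```

The page's final step, restarting the PC, still has to be done by hand after the script has run; the BankID security program only reads the selector file at start-up.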

How to obtain the test user

Go to https://demo.bankid.com/ and log in using your preferred option.

https://www.bankid.com/rp/info also contains links and information about Swedish BankID and how to obtain test users.

There are four options:

  1. “Logga in med test-BankID” = Log in with a test BankID.
    You can either log in with a test user on the computer or with a test user using the mobile application you installed (that is, if you already have a test user in the app/ computer).
  2.  “Logga in med produktions-BankID” = Log in with a production BankID.
    If you have a Swedish BankID you can log in with your production BankID on the computer or in the production app (if you have set up the app for your BankID).
  3. “Logga in med personligkod” = Log in with a personal code.
    If you do not have a personal code, you can choose to generate a new code.
  4. “Logga in med BankID på fil eller kort – Plugin” = Log in with a BankID on file or card – Plugin
    Here you would have been able to use the old solution with plug-ins in the browser that were phased out during 2014. This is the option you would have chosen if you had BankID Security 5.0.2 or older.

After logging in you will be presented with this page. Choose “Hämta BankID för test”:

On this page, you can choose to download Mobile BankID (left) or desktop BankID (right). Fill in the form with the personnummer as well as first and last name and click “Hämta”.

Mobile client

If you choose Mobile BankID, you will get an activation code such as the following (you must disable any popup blockers). This code is valid for 10 minutes.

Open the BankID app on your phone, enter the personnummer and activation code. In the next window, you create a PIN code with at least 6 digits.

Now activation is done and the client is ready to use:

Desktop client

If you choose BankID on file, you will be presented with a new window (you must disable any popup blockers). Press “Open BankID issuing” to get started.

Then you can download, install, and choose your password.

After you have downloaded and installed the app you will be asked to choose a password for your BankID. You have to remember this PIN code for use later when you test authentication/ signing. The app will not allow you to choose a simple code like 111111 or 123456, so it is recommended to use date of birth, e.g. 180680.

Your BankID is now ready.

If you have an ordinary or test BankID you may follow these steps:

  1. Access https://demo.bankid.com/nyademobanken.
  2. Log in with your BankID and select “Hämta BankID för test”.
  3. You will receive an activation code which you may use in the BankID säkerhetsapp.
  4. Select your security code for Mobile BankID, minimum 6 digits.

If you don’t have a Swedish BankID, you may follow this manual procedure:

  1. Send an email to teknikinfo@bankid.com (Finansiell ID-Teknik) and describe where you work, the purpose of your development, and your phone numbers.
  2. They will contact you and initiate creation of a test BankID. During this process you have to enter some data into the BankID säkerhetsapp. They will verify that the newly issued BankID is working.
  3. If you do not have a personnummer, you may construct one for test. This must be a properly formatted national ID including control digit. See: www.personnummer.nu.

Mobilt BankID

Mobilt BankID is a personal electronic identification for cell phones and tablets. It may be used from a mobile device in the same way as BankID on card or file can be used from a PC.

Mobilt BankID supports authentication and digital signature with Swedish BankID. It depends neither on a special SIM card, nor on a specific telecom company. It is even possible to have Mobilt BankID without a subscription with a Swedish telecom company, but it can only be ordered by persons with a personnummer. Mobilt BankID may be used from Android and iOS based phones and tablets (provided they have Internet access).

Today three Swedish banks are issuers of Mobilt BankID:

  • Swedbank
  • Skandiabanken
  • Länsförsäkringar Bank
  • Several other banks plan to follow these three banks

Getting started

For merchants

Existing customers of Signicat may contact support@signicat.com to find out what needs to be done to get up and running with Mobilt BankID.

For other customers the establishment process is identical with ordinary Swedish BankID. See a detailed description under certificates.

  1. You will need a merchant agreement with your bank.
  2. The bank performs a “Köpargenomgång” of your company.

After the agreements are signed and “Köpargenomgång” is performed, the bank will issue a merchant certificate for the test and production environment.

For end users

End users must install the BankID säkerhetsapp on their mobile device.

  • For Android users, the BankID säkerhetsapp may be installed from Google Play.
  • For iOS users, the BankID säkerhetsapp may be installed from AppStore.

How to integrate authentication with Swedish BankID from headless systems

In May 2014, Signicat released a version of Swedish Mobile BankID optimized for in-app usage. If you want to send headless authentication requests (typically from a backend or app to backend system) via Signicat, we recommend using our OpenID Connect (OIDC) API as a mediator. Please refer to our documentation on headless authentication for further details.

Description of the Android App

The Signicat Swedish Mobile BankID Android App (referred to as the app or android app for the rest of this document) is a native Android app that demonstrates using Swedish Mobile BankID for authentication from a native app. It uses Signicat services and demonstrates a simple authentication scenario where the user enters his/her personal identity number, continues the process in the BankID app and finally returns to the app for completion.


How to integrate Consent Signature with Swedish BankID from a native app

If you are building your own browserless native app and want to utilize mobile text-only signing, or Consent Signature, via Signicat, you can do this using our OpenID Connect (OIDC) API as a mediator. Please refer to our documentation on Consent Signature for detailed information on how to integrate Consent Signature.


Detecting if the end user has the BankID app installed

From a native app

If you are writing a native app where you utilize Signicat services for your authentication or signature needs, then you will be able to detect if the end user has installed the BankID app necessary to complete the transaction.

Detecting on iOS
// Objective-C. Asks iOS whether some app has registered the "bankid://" URI scheme.
// On iOS 9 and later the scheme must also be listed under LSApplicationQueriesSchemes
// in the app's Info.plist, otherwise canOpenURL: returns NO even when the app is installed.
BOOL installed = [[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"bankid://"]];

Please refer to Apple Developer Center for more information on canOpenUrl.

Detecting on Android
import android.content.Context;
import android.content.pm.PackageManager;

// Returns true if the BankID app (package name com.bankid.bus) is installed.
// On Android 11 (API 30) and later the package must also be declared in a
// <queries> element in the manifest for getPackageInfo to be able to see it.
private boolean isSwedishMobiltBankIdInstalled(Context context) {
    PackageManager pm = context.getPackageManager();
    try {
        pm.getPackageInfo("com.bankid.bus", PackageManager.GET_ACTIVITIES);
        return true;
    } catch (PackageManager.NameNotFoundException e) {
        return false;
    }
}

Please refer to Android Developer Center for more information about the PackageManager.

From a web page on a mobile device

It is not possible to detect if the end user has the BankID app installed from a web page on a mobile device. Otherwise, it would be possible for any web page to scan users’ phones and tablets for which apps are installed, perhaps to target an attack against the user.

The good news is that you do not have to do anything about this because Signicat already does its best depending on the platform.

  • For iOS, an attempt is made to launch the app from javascript. If nothing seems to happen, a message is displayed saying that it appears that the app could not be launched, along with a link to the app store.
  • For Android, a message is immediately presented to the user saying that the app is required to complete the process (along with a link to the app store). Two buttons are presented, one to launch the app and one to cancel. If the user chooses to launch the app even though it is not installed, nothing happens. Presumably, the end user realizes the mistake and either proceeds to download the app, or simply cancels.


Customizing the graphics and the flow for the end-user

iframe usage

If you intend to run the process in an iframe, you may choose to have graphical profile support disabled so you don’t have to worry about it at all.

Important note for iOS9+

Please note that iOS 9 and later prevents apps from being automatically launched from an iframe. If you choose to run the process in an iframe, the module must be configured to ask the end user for his/her national ID number, after which the user must manually open the BankID app and then go back to Safari to complete the process. Full-frame processes can automatically launch the app on iOS 9.

Custom styling

You may choose to switch off the standard UI, which will produce the same content – unstyled. It will then be up to you to write your own CSS in order to make it look the way you want. Here’s how it will look without any CSS applied:

Behavior customization

The device question

By default, the module will ask the end user if he/she would like to use a BankID on this device/computer or a (mobile) BankID on another device. You may choose to have this question turned off, which implies that the user will always use a BankID on the local device or computer.

The ID number

If the end user chooses to use a BankID on another device (see the previous section), then he/she must input his/her personal identity number (12 digits). The module accepts “prefilling” of the ID number information, so if you already know the ID number of the person then you may append the login_hint=subject-YYYYMMDDXXXX parameter to the request (or add it to the DocumentService request when creating a document order), in which case this dialog will be skipped.

Auto-launching the app

In theory, the BankID app can be automatically launched on some platforms. The auto-launch feature is implemented using an invisible iframe which tries to load a certain kind of URL which will trigger the BankID app to start. Not all browsers support it – Chrome, for example, will disallow it from happening. If it seems that nothing has happened within five seconds after trying to auto-launch, then the interface will display a “Start the BankID app” button.

The auto-launching feature may speed up the process for users on platforms that support it, but it can also be a bit confusing, and it will actually slow down the process for users on unsupported platforms. Auto-launch is disabled by default. You may choose to have it enabled, but there are no guarantees that it will succeed.

Client flow

Given the customization points mentioned, the general client flow up until the BankID app is launched is something like:

The UX on mobile devices

In a browser on a mobile device

The BankID app is available for Android, iOS and Windows Phone.

On Android, the module can be initiated from any browser, and it will simply launch the BankID app and then return to the previous application.

On iOS, the BankID app must be told which URL to open once it’s finished. iOS associates a certain “URI scheme” with a certain application, so for example URIs that start with “http(s)://” are handled by Safari, “mailto://” by Mail, “bankid://” by the Swedish BankID app and so on.

There is no way to “close” an app programmatically on iOS; you can only switch between applications by launching a URI. This goes for BankID too, so it must know which URI to launch once it’s complete (referred to as the “redirect URI”). By default, the Signicat BankID integration will try to switch back to the previously opened tab in Safari. The operating system does not guarantee that this will happen; it may launch a new tab, and if it’s running low on memory it may decide to reload the tab.

Signicat will try to handle this as gracefully as possible, but there is one thing that cannot be controlled: if the user starts the process in a non-default browser (such as Chrome for iOS or from within another app), then BankID will switch to Safari when the process is complete. Signicat will verify the transaction and redirect the user with a response to the given target, but the end user will most likely notice that the “app context” was switched. Functionally, however, it will still be the same.

On Windows Phone, the behavior is similar to iOS, with the distinction that Internet Explorer will always be launched and it will always reload the page when returning from the BankID app (as of Windows Phone 8.0).

None of the mobile platforms allow a webpage to detect if a certain app is installed, for obvious security reasons.

In a native app on a mobile device

If you are building your own native app and you want to integrate with Swedish BankID from that app, you may choose to have the module set up optimized for “in-app usage”. This will eliminate all UI, allowing you to communicate with Signicat with JSON request/responses and give you full control over the flow and user experience.

It’s also possible to do the integration with an integrated browser control in a native app. On iOS and Windows Phone, you may choose to force a certain redirect URI either by having support@signicat.com configure it for you, or you may pass the prefilled.redirect parameter with the (URL encoded) URI you want BankID to switch to. This can come in handy if you need the BankID app to switch back to your own app once it’s done. The User-Agent header needs to indicate iOS (iPhone|iPad) or Windows Phone in order for this approach to succeed.
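The two request parameters this page describes, login_hint=subject-YYYYMMDDXXXX under ‘The ID number’ (which skips the ID-number dialog) and prefilled.redirect above (which is only honoured when the User-Agent indicates iOS or Windows Phone), can be assembled on the relying party's backend. The builder below is an added example for this page, not Signicat's own client code; it assumes both parameters are sent as query parameters on a standard OpenID Connect authorization request and uses a placeholder authorization URL, since the page does not give the endpoint. It enforces the 12-digit form for the hint and only attaches prefilled.redirect when the User-Agent check passes, so the request never carries a parameter that would be ignored.

```python
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder: the page does not give the authorization endpoint URL.
AUTHORIZE_URL = "https://signicat.example.invalid/oidc/authorize"

TWELVE_DIGITS = re.compile(r"^\d{12}$")


def user_agent_allows_forced_redirect(user_agent: str) -> bool:
    """prefilled.redirect only takes effect when the User-Agent indicates
    iOS (iPhone|iPad) or Windows Phone, so it is sent only in that case."""
    return re.search(r"iPhone|iPad|Windows Phone", user_agent or "") is not None


def build_auth_request(client_id: str, redirect_uri: str, state: str,
                       personnummer12: Optional[str] = None, user_agent: str = "",
                       app_return_uri: Optional[str] = None) -> str:
    """Standard OIDC authorization request plus the two page-specific parameters.

    `state` is a per-request random value the relying party compares on return
    (ordinary OIDC practice, not a detail from the page)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    if personnummer12 is not None:
        if not TWELVE_DIGITS.match(personnummer12):
            raise ValueError("login_hint requires the 12-digit YYYYMMDDXXXX form")
        params["login_hint"] = f"subject-{personnummer12}"   # skips the ID-number dialog
    if app_return_uri and user_agent_allows_forced_redirect(user_agent):
        # urlencode percent-encodes the URI, as the page requires.
        params["prefilled.redirect"] = app_return_uri
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Single-valued view of a request's query string, for inspecting what was sent."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed values: a demo client, the page's example personnummer in
    # 12-digit form, and a hypothetical custom scheme for the calling app.
    print(build_auth_request("demo-client", "https://rp.example/cb", "n0nc3",
                             personnummer12="198006184629",
                             user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)",
                             app_return_uri="myapp://bankid-done"))
```

The User-Agent check mirrors the condition the page states rather than adding one: sending prefilled.redirect to an Android client is harmless but pointless, and keeping the decision in one function makes it easy to log which requests asked BankID to return to the native app.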

Browser support

Please refer to the Swedish BankID website for more information on supported platforms. Please refer to the Relying Party Guidelines if you’re looking for detailed technical information on Swedish BankID.

More information about graphical adjustments and customization can be found here.

Swedish BankID support

Support email: teknikinfo@bankid.com
Website homepage: www.bankid.com

Other sources