Authentication
This page outlines changes related to Norwegian BankID Authentication.
This only applies if you are using the old Norwegian BankID Server connection.
Any mention of BankID OIDC refers to the internal connection Signicat maintains with Norwegian BankID. This does not restrict or change the available integration options for our signing or authentication services.
Iframe
If you currently embed Norwegian BankID in an iframe in your authentication flow, this is unfortunately no longer available. Iframe support has been discontinued in the new solution from BankID, referred to as "BankID OIDC".
Instead of embedding the BankID client inside an iframe, you are now required to present BankID in a full-frame redirect, because of the X-Frame-Options header set on the BankID side.
For certain use cases that require the use of an iframe, meaning checkout/3DS for card payments, there is an alternative product available called "BankID Iframe".
We strongly discourage the use of iframes for the following reasons:
- Using an iframe does not support the same level of assurance that the current BankID integration supports and must not be used for onboarding/AML purposes.
- The end user does not see the BankID URL, which prevents them from validating the domain. This may increase abandonment due to perceived fraud or phishing risk.
- The embedded experience may reduce end user trust and transparency, as end users cannot confirm they are interacting directly with BankID.
- It introduces potential usability and support challenges compared to the standard full-page flow.
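The X-Frame-Options restriction mentioned above is enforced by the end user's browser, not by your application. The following is an added example, not Signicat or BankID code, showing how a browser's framing rules turn response headers into an embed-or-redirect decision. The origins and header values are constructed, and the function names are hypothetical.

```javascript
// Added example. Header values and origins used with it are constructed samples.

// Extract the source list of the frame-ancestors directive from a CSP header value.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive not present
}

// headers: object keyed by lower-case header name.
// pageOrigin: origin of the login page; embedderOrigin: origin of the page holding the <iframe>.
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    // When both headers are sent, frame-ancestors is enforced and X-Frame-Options is ignored.
    // Simplification: exact origin match only, wildcard hosts are not handled.
    const allowed = ancestors.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      if (s === "*") return true;
      return s === embedderOrigin.toLowerCase();
    });
    return { frameable: allowed, reason: "csp frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { frameable: false, reason: "x-frame-options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { frameable: embedderOrigin === pageOrigin, reason: "x-frame-options: SAMEORIGIN" };
  }
  // Absent or unrecognised values (including the obsolete ALLOW-FROM) impose no restriction.
  return { frameable: true, reason: "no framing restriction" };
}

// Pick how the login must be presented for a given embedding page.
function presentationMode(headers, pageOrigin, embedderOrigin) {
  return framingDecision(headers, pageOrigin, embedderOrigin).frameable
    ? "iframe"
    : "full-frame-redirect";
}
```

Running this against the response headers of your own authorization URL during migration testing shows whether an existing iframe integration will render blank before end users encounter it.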
Response changes: Removed attributes
Below is an example of the BankID Server response values that will no longer be included in the new OIDC responses:
We strongly recommend carefully reviewing this page and the linked technical pages if you are using any of the mentioned features, as they will be affected by the transition from BankID Server to BankID OIDC.
3DS
If you are currently using BankID 3DS, you must migrate to the new Signicat platform to continue using it. BankID 3DS (cookieless) usage is only supported in the new BankID iframe product, which is available exclusively on the new platform. The BankID 3DS flow supports only the Substantial (LOA 3) level and must be displayed within an iframe.
Changes in user experience
With the introduction of the new BankID connection, the user experience will also change. When an authentication is initiated, users will be redirected to a BankID-hosted page, where BankID controls all aspects of theming and visual appearance.
This means that if you are currently using graphical profiles, they will no longer apply once you start using the new BankID connection.