About Swedish BankID
Swedish BankID is a method of secure digital electronic identification and signing. Individuals who have a Swedish national identification number (personnummer) can obtain BankID through their bank.
Use cases
If you are not so familiar with how BankID is used, here are some typical use cases:
- Identity proofing: To become a customer of a bank, you have to register as a user for the first time. To prove your identity, you can choose to use BankID, among others, as an eID.
- Authentication: As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. BankID can be used for authentication, the same way it can be used for registering as a new customer.
- Signing: You can use BankID to electronically sign one or more documents, for example a loan application in a bank.
Technically, you use the same service for these use cases. However, you should consider how you set the eID up in the total user flow. For example, onboarding a new customer is a one-time occurrence, while authentication is a repetitive action for the customer. You may set up a simpler user flow for recurring authentications. Of course, this depends on the required level of assurance for the services you offer.
If BankID is used for identity proofing during the initial user onboarding, it is not allowed to issue alternative credentials (also known as ID switch). Then BankID should also be used for all subsequent authentications.
For technical integration details:
- For identity proofing and authentication, see the eID Hub Quick start guide.
- For signing, see the Electronic Signing documentation.
Authentication flows
Signicat provides two main authentication flow options with BankID: remote, with another device, or local, on the same device. Both options assume the user has already installed the BankID app on the device where the authentication is performed.
For technical details about how to set up the different flows, see the Integration guide for Swedish BankID.
"Remote" confirmation with QR code scan
The QR option is normally used when the user starts on a website for desktop. In this case, the user is asked to open the BankID app to scan the displayed QR code with their mobile device:
The link below the QR code allows the user to switch over to authenticate themselves with the same device (see the next section).
"Local" confirmation on the same device
In this option, the user is asked to start the BankID app and authenticate on the same/current device. It can be used on both mobile and desktop, but it is normally used in a mobile flow (since very few users have installed the BankID app on their desktop).
Extra control (add-on)
You can add an extra security check to a normal authentication flow, by using the BankID "Extra control" feature. When this feature is added, the user is required to scan their MRTD (Machine Readable Travel Document) with the BankID app. This MRTD document can be either a Swedish ID Card or passport. The user will not be able to complete the order without providing this information.
This "Extra control" feature can be useful for transactions where extra security might be warranted, for example transferring large payments or sensitive information.

Extra control with MRTD
For more user flow details, see How it works for the end-user below.
Supported flows
The "Extra control" (MRTD) feature is supported in the following flows:
- Normal authentication (QR code and app_launch)
- Payment
How it works for the end-user
The following example shows a normal authentication flow with QR code where the extra control is added as an additional security step.
Required equipment
To be able to use the "Extra control" feature, the user needs:
- A smartphone with camera and NFC-reader (chip-reader).
- The BankID app downloaded on their smartphone.
- A valid Swedish ID Card or Swedish passport. These contain a chip that stores personal information. Driving licenses (which have no chip) and foreign passports cannot be used.
User flow example
- The user is asked to scan the QR code with their BankID app as in a normal authentication.
- After the user has scanned the QR code, the user is guided through the "Extra control" flow:
  - In the BankID app, the user selects the ID document type, either their Swedish passport or their Swedish ID Card.
  - The user takes a photo of their ID document photo page. For passports, they must ensure they capture the correct photo page containing the MRZ code.
  - The user is also asked to tap the ID document with their mobile phone (NFC) to read the chip. It is then important to place the mobile over the gold camera logo (on the front page).
- After the extra control is finished, the user is asked to identify themselves with the BankID app as they normally do, with security code or biometrics.
In an authentication that requires this extra control, the user will not be able to complete the authentication without providing a photo and tapping the ID document.
Setup in protocols
You must send in the sbid_require_mrtd and sbidMrtd parameters in the authentication request. For technical details, see the protocol descriptions for either Authentication REST API or OpenID Connect.
You must validate that the sbidMrtd attribute is returned as true to prevent any malicious tampering with the sbid_require_mrtd parameter.
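The validation described above, sketched as an added example (not Signicat's code): the backend records that MRTD is required before starting the authentication and afterwards accepts the result only if sbidMrtd is true. The `session` and `claims` dictionaries, the `mrtd_required` key and the sample values are assumptions made for illustration, as is the handling of sbidMrtd as either a boolean or the string "true".

```python
# Added example: relying-party check for the "Extra control" (MRTD) result.
# Assumptions: the shapes of `session` and `claims`, the `mrtd_required` key,
# and that sbidMrtd may arrive as a boolean or as the string "true".

class MrtdPolicyError(Exception):
    """Raised when an authentication does not satisfy the MRTD requirement."""


def mrtd_confirmed(claims: dict) -> bool:
    """Return True only if the sbidMrtd attribute is present and true."""
    value = claims.get("sbidMrtd")
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False  # missing or unexpected type: fail closed


def enforce_mrtd(session: dict, claims: dict) -> dict:
    """Accept the login only if the server-side requirement is met.

    `claims` must come from an already validated response (signature, issuer,
    audience). `session` is state the backend stored before the authentication
    started; the decision never depends on the sbid_require_mrtd value seen in
    the request, which in a redirect-based flow can pass through the browser.
    """
    if session.get("mrtd_required") and not mrtd_confirmed(claims):
        raise MrtdPolicyError("MRTD extra control required but sbidMrtd is not true")
    return claims


# Constructed sample data (not real responses).
SESSION_HIGH_VALUE = {"state": "constructed-state", "mrtd_required": True}
CLAIMS_WITH_MRTD = {"sub": "constructed-subject-1", "sbidMrtd": "true"}
CLAIMS_STRIPPED = {"sub": "constructed-subject-1"}  # requirement removed in transit

if __name__ == "__main__":
    print(enforce_mrtd(SESSION_HIGH_VALUE, CLAIMS_WITH_MRTD)["sub"])
    try:
        enforce_mrtd(SESSION_HIGH_VALUE, CLAIMS_STRIPPED)
    except MrtdPolicyError as exc:
        print("rejected:", exc)
```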
Payment (add-on)
The Payment add-on allows you to verify the identity of your users with BankID before an actual payment is processed. This identity verification process ensures that only authorised users complete the payments. The add-on also provides more information about the payment context and helps reduce the risk of certain payment transactions (see more details in the Warning indicators section).
- If you want access to the Payment add-on, please contact us by creating a support ticket in the Signicat Dashboard.
- Currently, we only support entering the national identity number (NIN) with Payment. Support for QR code and app-launch will come in a later version.
- Payment supports iframe, which makes it compatible with 3D Secure payment.
Authentication steps
Your users go through the following authentication steps:
- Before the money transaction happens, the BankID login screen is displayed and the user is asked to enter their national identity number (NIN).

Payment: Enter national identification number
- After the user has entered their NIN, the Card Purchase screen is displayed. The user is asked to approve by identifying themselves with the BankID app as they normally do, with security code or biometrics. Here is an example of how the Card Purchase screen could look on a mobile device:

Payment: Card purchase approval
Warning indicators
Payment offers some warning indicators for high risk transactions. These warning indicators are displayed with a warning icon and text on the Card Purchase screen, for example "Foreign currency" as shown in the above example. The risk indicators are:
- New card
- New customer
- New recipient
- High risk recipient
- Large amount
- Foreign currency
- Crypto currency purchase
- Money transfer
- Overseas transaction
- Recurring payment
- Suspicious payment pattern
- Other
These risk flags are predefined enums (unchangeable variables) and you set them in the request (see example in the integration guide).
Setup in protocols
For technical details about defining Payment parameters, see:
- Signicat Authentication REST API, embedded and headless flows.
- OIDC CIBA protocol (not supported yet for Payment)
BankID in telephone calls (Phone)
The "BankID in telephone calls" feature (hereafter "Phone") is usually initiated when a customer is talking with your customer service operator over the phone. Then you want to verify that the caller is actually who they claim to be. Examples of use cases could be:
- A bank customer calls your bank and wants to transfer money from their account to another account. Your customer service operator then wants to verify the identity of the caller before they start the transaction.
- An employee calls their payroll department to check if their salary is correct. Then the payroll operator wants to verify the identity of the employee before they give any details about the salary.
The phone call can be initiated either by your customer (user) or by your customer service operator. The call can be either live or with IVR (Interactive Voice Response).
Authentication steps
The authentication in a telephone call consists of the following main steps:
- The customer service operator enters the personal identification number of the customer:

Enter personal identification number
The above screen is only displayed for your customer service operator (usually on a desktop). The user never sees this screen.
- The operator chooses if the call was initiated by the User (customer) or the Operator (customer service).
- Once the operator has selected Continue, the Swedish BankID app appears on the user's mobile screen with a security check (yes/no) question.

Security check
- If the user selects Yes, they are presented with a screen where they can identify themselves with a security code or biometrics. If the user selects No, they get an option to cancel the identification.
Configuration
See Configuration for how to enable the Phone feature.
Setup in protocols
For technical details about defining Phone parameters, see:
- Signicat Authentication REST API, embedded and headless flows.
- OIDC authorization flow
Headless authentication
If you want to send headless authentication requests (typically from a backend, or from an app to a backend system) with Signicat, you must use our Authentication REST API or OIDC CIBA protocols. For more details, see for example Authentication REST API > Headless flow.
Result with user information
The user information available after a successful authentication may differ slightly between different issuers. Important parameters are:
- Subject (unique ID)
- National identity number
- Name
- Birth date
- Issuer
For more details, see the Attributes reference.
Other sources
- General information about e-legitimation in Sweden: https://www.e-legitimation.se
- Information about BankID: https://www.bankid.com
- BankID's demo page with links to useful guides: https://demo.bankid.com