About Swedish BankID

Swedish BankID is a method of secure digital electronic identification and signing. Individuals who have a Swedish national identity number (personnummer) can obtain BankID through their bank.

Use cases

If you are not so familiar with how BankID is used, here are some typical use cases:

  • Identity proofing: To become a customer of a bank, you have to register as a user for the first time. To prove your identity, you can choose to use BankID, among others, as an eID.
  • Authentication: As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. BankID can be used for authentication, the same way it can be used for registering as a new customer.
  • Signing: You can use BankID to electronically sign one or more documents, for example a loan application in a bank.

Technically, you use the same service for these use cases. However, you should consider how you set the eID up in the total user flow. For example, onboarding (identity proofing) a new customer is a one-time occurrence, while authentication is a repetitive action for the customer. You may set up a simpler user flow for recurring authentications. Of course, this depends on the required level of assurance for the services you offer. Signing offers more options before and after the authentication, allowing users to read and sign the documents. For screen examples, see Standard flows below.

Note

If BankID is used for identity proofing during the initial user onboarding, you are not allowed to issue alternative credentials afterwards (also known as ID switch). BankID should then also be used for all subsequent authentications.

For technical integration details:

Standard flows

Signicat provides the following standard flows:

Both options assume the user has already installed the BankID app on the device where the authentication is performed.

You can use both these flows in all the above mentioned use cases (identity proofing, authentication, signing).

BankID on another device with QR code (remote)

The QR option is normally used when the user starts on a website for desktop. In this case, the user is asked to open the BankID app to scan the displayed QR code with their mobile device:

Once the user has identified themselves in the BankID app, they are asked to return to the previous application or web site.

Tip

The link below the QR code in the first desktop screen above allows the user to switch over to authenticating themselves on the same device (see the next section).

BankID on the same device (local)

In this option, the user is asked to start the BankID app and authenticate on the same (current) device. It can be used on both mobile and desktop, but it is normally used in a mobile flow, since very few users have the BankID app installed on their desktop.

Once the user has identified themselves in the BankID app, they are asked to return to the previous application or web site.

Extra control (add-on)

You can add an extra security check to a normal authentication flow by using the BankID "Extra control" feature. This feature can be useful for transactions where extra security might be warranted, for example transferring large payments or handling sensitive information.

When this feature is added, the user is required to scan their MRTD (Machine Readable Travel Document) with the BankID app. This MRTD document can be either a Swedish ID Card or passport. The user will not be able to complete the order without providing this information.

Have ID document ready

To ensure that the end-user can complete the process, we recommend advising them to have their ID document ready before the extra control begins.

How-to instructions in the BankID app

For more user flow details, see Authentication steps below.

Add-on

The "Extra control" feature is available as an add-on and needs to be included in your contract with us. If you would like to add this feature, please contact us by creating a support ticket in the Signicat Dashboard.

Supported flows

The "Extra control" (MRTD) feature is supported in the following flows:

  • Normal authentication (QR code and app_launch)
  • Payment

The "Extra control" feature does not work with the Phone feature.

Authentication steps

The following example shows a normal authentication flow with QR code where the extra control is added as an additional security step.

Required equipment

To be able to use the "Extra control" feature, the user needs:

  • A smartphone with camera and NFC-reader (chip-reader).
  • The BankID app downloaded on their smartphone.
  • A valid Swedish ID Card or Swedish passport. These contain a chip that stores personal information. Driving licences (which have no chip) and foreign passports cannot be used.

User flow example

  1. The user is asked to scan the QR code with their BankID app as in a normal authentication.
  2. After the user has scanned the QR code, the user is guided through the "Extra control" flow:
     • In the BankID app, the user selects the ID document type, either their Swedish passport or their Swedish ID Card.
     • The user takes a photo of the photo page of their ID document. For passports, they must ensure they capture the correct photo page containing the MRZ code.
     • The user is also asked to tap the ID document with their mobile phone (NFC) to read the chip. It is then important to place the mobile over the gold camera logo (on the front page).
  3. After the extra control is finished, the user is asked to identify themselves with the BankID app as they normally do, with security code or biometrics.

In an authentication that requires this extra control, the user will not be able to complete the authentication without providing a photo and tapping the ID document.

Setup in protocols

You must send in the sbid_require_mrtd and sbidMrtd parameters in the authentication request. For technical details, see the protocol descriptions for either Authentication REST API or OpenID Connect.

Important

You must validate that the sbidMrtd attribute is returned as true to prevent any malicious tampering with the sbid_require_mrtd parameter.
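Added example (not Signicat's code) of the server-side check described above, in Python: the relying party records in its own session that it requested sbid_require_mrtd and then accepts only a result whose sbidMrtd attribute is unambiguously true, so a request whose parameter was stripped or a response with the attribute missing fails closed. The flat dict shape of the result, the session record and the parameter value format are assumptions.

```python
# Added example, not Signicat's own code. The result shape (a flat dict of
# returned attributes), the session record and the value sent for
# sbid_require_mrtd are assumptions; the attribute names come from the page.


class ExtraControlNotSatisfied(Exception):
    """Raised when MRTD extra control was required but not proven."""


def start_authentication(session: dict, require_mrtd: bool) -> dict:
    """Build request parameters and remember, server-side, what we demanded.

    The requirement is kept in our own session so the later check does not
    depend on anything the client could have altered in transit.
    """
    session["mrtd_required"] = require_mrtd
    params = {}
    if require_mrtd:
        params["sbid_require_mrtd"] = True  # value format assumed
    return params


def mrtd_attribute_is_true(value) -> bool:
    """Accept only an unambiguous true: bool True or the string 'true'."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def validate_result(session: dict, attributes: dict) -> dict:
    """Fail closed: if extra control was required, sbidMrtd must be true."""
    if session.get("mrtd_required") and not mrtd_attribute_is_true(
        attributes.get("sbidMrtd")
    ):
        raise ExtraControlNotSatisfied(
            "sbidMrtd is not true although extra control was required"
        )
    return attributes


# Constructed sample results for illustration only.
GOOD_RESULT = {"subject": "example-subject", "sbidMrtd": True}
TAMPERED_RESULT = {"subject": "example-subject"}  # attribute missing
STRING_FALSE_RESULT = {"subject": "example-subject", "sbidMrtd": "false"}


def demo() -> bool:
    """Return True when the good result passes and both bad ones are rejected."""
    session = {}
    start_authentication(session, require_mrtd=True)
    validate_result(session, GOOD_RESULT)
    for bad in (TAMPERED_RESULT, STRING_FALSE_RESULT):
        try:
            validate_result(session, bad)
            return False  # a rejection was expected here
        except ExtraControlNotSatisfied:
            pass
    return True
```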

Payment (add-on)

The Payment add-on allows you to verify the identity of your users with BankID before an actual payment is processed. This identity verification ensures that only authorised users complete the payments. The add-on also provides more information about the payment context and helps reduce the risk of certain payment transactions (see more details in the Warning indicators section).

Notes about Payment

  • If you want access to the Payment add-on, please contact us by creating a support ticket in the Signicat Dashboard.
  • Currently, we only support entering the national identity number (NIN) with Payment. Support for QR code and app-launch will come in a later version.
  • Payment supports iframe, which makes it compatible with 3D Secure payment.
  • Payment is limited to authentication only and is not available for use with signing through the Sign API v2.

Authentication steps

Your users go through the following authentication steps:

  1. Before the money transaction happens, the BankID login screen is displayed and the user is asked to enter their personal identity number.

     Payment: Enter national identity number

  2. After having entered their personal identity number, the Card Purchase screen is displayed. The user is asked to approve by identifying themselves with the BankID app as they normally do, with security code or biometrics. Here is an example of how the Card Purchase screen could look on a mobile device:

     Payment: Card purchase approval

Warning indicators

Payment offers some warning indicators for high risk transactions. These warning indicators are displayed with a warning icon and text on the Card Purchase screen, for example "Foreign currency" as shown in the above example. The risk indicators are:

  • New card
  • New customer
  • New recipient
  • High risk recipient
  • Large amount
  • Foreign currency
  • Crypto currency purchase
  • Money transfer
  • Overseas transaction
  • Recurring payment
  • Suspicious payment pattern
  • Other

These risk flags are predefined enum values (a fixed set of constants that you cannot extend) and you set them in the request (see the example in the integration guide).
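Added example (not Signicat's code) in Python of how a merchant backend might decide which of the warning indicators listed above to set on a request, by deriving them from the transaction it is about to submit. The Transaction fields, the thresholds and the merchant category codes are constructed assumptions, and the indicator names are the page's display labels, not the exact enum identifiers expected by the API; "Money transfer", "Suspicious payment pattern" and "Other" depend on context the sample does not model and are left out.

```python
# Added example, not Signicat's own code. Fields, thresholds and category
# codes are constructed assumptions; indicator names are display labels
# from the page, not the API's enum identifiers.
from dataclasses import dataclass, field

LARGE_AMOUNT_SEK = 10_000      # assumed threshold for "Large amount"
HOME_CURRENCY = "SEK"
HOME_COUNTRY = "SE"
NEW_DAYS = 30                  # card or customer younger than this is "new"
CRYPTO_MCCS = {"6051"}         # assumed merchant category codes for crypto


@dataclass
class Transaction:
    amount_sek: float
    currency: str
    recipient_id: str
    merchant_country: str
    merchant_mcc: str
    card_age_days: int
    customer_age_days: int
    recurring: bool = False
    known_recipients: set = field(default_factory=set)
    high_risk_recipients: set = field(default_factory=set)


def warning_indicators(tx: Transaction) -> list:
    """Return the indicators that apply to tx, in the order the page lists them."""
    checks = [
        ("New card", tx.card_age_days < NEW_DAYS),
        ("New customer", tx.customer_age_days < NEW_DAYS),
        ("New recipient", tx.recipient_id not in tx.known_recipients),
        ("High risk recipient", tx.recipient_id in tx.high_risk_recipients),
        ("Large amount", tx.amount_sek >= LARGE_AMOUNT_SEK),
        ("Foreign currency", tx.currency != HOME_CURRENCY),
        ("Crypto currency purchase", tx.merchant_mcc in CRYPTO_MCCS),
        ("Overseas transaction", tx.merchant_country != HOME_COUNTRY),
        ("Recurring payment", tx.recurring),
    ]
    return [name for name, applies in checks if applies]


# Constructed sample: a large first-time EUR purchase from a German merchant.
SAMPLE_TX = Transaction(
    amount_sek=25_000, currency="EUR", recipient_id="merchant-x",
    merchant_country="DE", merchant_mcc="5411",
    card_age_days=400, customer_age_days=800,
    known_recipients={"merchant-a", "merchant-b"},
)
```

Calling warning_indicators(SAMPLE_TX) yields four indicators (new recipient, large amount, foreign currency, overseas transaction), which the backend would then set on the request.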

Setup in protocols

For technical details about defining Payment parameters, see:

  • Signicat Authentication REST API, embedded and headless flows.
  • OIDC CIBA protocol (not supported yet for Payment)

Risk indicator (add-on)

The BankID Risk indicator feature allows you to detect potential high-risk transactions using advanced risk signals to prevent fraud.

Supported flows

The Risk indicator add-on is supported in all the authentication flows, except BankID in telephone calls.

The risk indication is a weighted value of security controls produced by Swedish BankID. The indication is categorised as low, medium or high. It is based on various risk triggers, for example a change of IP address, abnormal device or browser use, or multiple failed authentication attempts.

For example, if the end-user changes their IP address during the transaction, it might give a higher risk value.

Setup in protocols

You define the Risk indicator by setting the risk attribute in your preferred protocol:

BankID in telephone calls (Phone)

The "BankID in telephone calls" feature (hereafter "Phone") is usually initiated when your customer service operator is talking with a customer over the phone and an immediate authorisation is needed during the phone conversation. The phone call can be initiated either by your customer (user) or by your customer service operator. The call can be either live or with IVR (Interactive Voice Response). Examples of use cases could be:

  • A bank customer calls a bank and wants to transfer money from their account to another account. The customer service operator then wants to verify the identity of the caller before they start the transaction.
  • An employee calls their payroll department to check if their salary is correct. Then the payroll operator wants to verify the identity of the employee before they give any details about the salary.
  • An insurance customer calls an insurance company to update their policy. During the call, the customer service agent explains that the changes require the customer's signature and the agent initiates a signing request with BankID.

Authentication steps

The authentication in a telephone call consists of the following main steps:

  1. The Phone flow starts with the customer service operator entering the personal identity number of the customer through a telephone call. The operator also chooses if the call was initiated by the User (customer) or the Operator (customer service).
    ID number input screen

    The ID number input screen (see below) is only displayed to your customer service operator (usually on a desktop). The user never sees this screen.

  2. Once the operator has selected Continue, the Swedish BankID app appears on the customer's mobile screen with a security check (yes/no) question so that they can verify that they are in the phone call.
  3. If the user selects Yes, they are presented with a screen where they can identify themselves with a security code or biometrics. If the user selects No, they get an option to cancel the identification.

Once the user has identified themselves in the BankID app, they are asked to return to the previous application or web site.

Here is an image slider showing the above steps:

Signing steps

The signing steps are similar to the authentication steps when using BankID in telephone calls (Phone):

  1. The Phone flow starts with the customer service operator entering the personal identity number of the customer through a telephone call. The operator also chooses if the call was initiated by the User (customer) or the Operator (customer service).
    ID number input screen

    The ID number input screen (see below) is only displayed to your customer service operator (usually on a desktop). The user never sees this screen.

  2. Once the operator has selected Continue, the Swedish BankID app appears on the user's mobile screen with a security check (yes/no) question so the end-user can verify they are in the phone call.
  3. If the user selects Yes, they are presented with a screen where they can identify themselves with a security code or biometrics. If the user selects No, they get an option to cancel the identification.

Once the user has signed the document in the BankID app, they are asked to return to the previous application or web site.

Here is an image slider showing the above steps:

Configuration

See Configuration for how to enable the Phone feature.

Setup in protocols

For technical details about defining Phone parameters, see:

Headless authentication

If you want to send headless authentication requests (typically from a backend, or from an app to a backend system) with Signicat, you must use our Authentication REST API or OIDC CIBA protocols. For more details, see for example Authentication REST API > Headless flow.

Result with user information

The user information available after a successful authentication may differ slightly between different issuers. Important parameters are:

  • Subject (unique ID)
  • National identity number
  • Name
  • Birth date
  • Issuer

For more details, see the Attributes reference.

Other sources

BankID support