About Swedish BankID
Swedish BankID is a method of secure digital electronic identification and signing. Individuals who have a Swedish national identification number (personnummer) can obtain BankID through their bank.
Use cases
If you are not so familiar with how BankID is used, here are some typical use cases:
- Identity proofing: To become a customer of a bank, you have to register as a user for the first time. To prove your identity, you can choose to use BankID, among others, as an ID method.
- Authentication: As a registered customer with a bank, you will be able to apply for a loan. To be able to log in to your bank, you have to authenticate to prove your identity. BankID can be used for authentication, the same way it can be used for registering as a new customer.
- Signing: You can use BankID to electronically sign one or more documents, for example a loan application in a bank.
Technically, you use the same service for these use cases. However, you should consider how you set the ID method up in the total user flow. For example, onboarding a new customer is a one-time occurrence, while authentication is a repetitive action for the customer. You may set up a simpler user flow for recurring authentications. Of course, this depends on the required level of assurance for the services you offer.
If BankID is used for identity proofing during the initial user onboarding, it is not allowed to issue alternative credentials (also known as ID switch). Then BankID should also be used for all subsequent authentications.
For technical integration details:
- For identity proofing and authentication, see the eID Hub Quick start guide.
- For signing, see the Electronic Signing documentation.
Authentication flow
Signicat provides two main flow options for BankID, remote with another device or locally on the same device. Both options assume the user has already installed the BankID app on the device where the authentication is performed.
For details about how to set up the different flows, see the Integration guide for Swedish BankID.
"Remote" confirmation with QR code scan
The QR option is normally used when the user starts on a website for desktop. In this case, the user is asked to open the BankID app to scan the displayed QR code with their mobile device:
The link below the QR code allows the user to switch over to authenticate themselves via the same device (see the next section).
"Local" confirmation on the same device
In this option, the user is asked to start the BankID app and authenticate on the same/current device. It can be used on both mobile or desktop, but it is normally used in a mobile flow (since very few users have installed the BankID app on their desktop).
MRTD (security add-on)
You can add an extra security check to a normal authentication flow, by using the MRTD feature (Machine Readable Travel Document). This can be useful for transactions where an extra security might be warranted, for example transferring large payments or sensitive information.
When the MRTD feature is added, the end-user is required to scan either a Swedish ID Card or a Swedish passport (see details below).
The MRTD check
Supported flows
The MRTD feature is supported in the following flows:
- Normal flows (QR code and app_launch)
- Headless and redirect
How it works for the end-user
The following example shows a normal authentication flow with QR code where the MRTD check is added as an additional security step.
Required equipment
To be able to use the MRTD feature, the user needs:
- A smartphone with camera and NFC-reader (chip-reader).
- The BankID app downloaded on their smartphone.
- A valid Swedish ID Card or Swedish passport. These contain a chip that stores personal information. Driving licenses (have no chip) or foreign passports cannot be used.
User flow example
- The user is asked to scan the QR code with their BankID app as in a normal authentication.
- After the user has scanned the QR code, the user is guided through the MRTD flow:
- In the BankID app, the user selects the ID document type, either their Swedish passport or their Swedish ID Card.
- The user takes a photo of their ID document photo page. For passports, they must ensure they capture the correct photo page containing the MRZ code.
- The user is also asked to tap the ID document with their mobile phone (NFC) to read the chip. It is then important to place the mobile over the gold camera logo (on the front page).
- After the extra MRTD check is finished, the user is asked to identify themselves with the BankID app as they normally do, with security code or biometrics.
In an authentication that requires MRTD, the user will not be able to complete the authentication without providing a photo and tapping the ID document.
Setup
You must send in sbid_require_mrtd
and sbidMrtd
in the authentication request.
You must validate that the sbidMrtd
attribute is returned as true
to prevent any tampering with the sbid_require_mrtd
parameter.
For setup details, see the Integration guide for Swedish BankID.
Phone flow
The Phone flow is usually initiated when a customer is talking with your customer service operator over the phone. Then you want to verify that the caller is actually who they claim to be. Examples of use cases could be:
- A bank customer calls your bank and wants to transfer money from their account to another account. Your customer service operator then wants to verify the identity of the caller before they start the transaction.
- An employee calls their payroll department to check if their salary is correct. Then the payroll operator wants to verify the identity of the employee before they give any details about the salary.
The phone call can be initiated either by your customer (user) or by your customer service operator. The call can be either live or via IVR (Interactive Voice Response).
The phone flow consists of the following main steps:
- The Phone flow starts with the customer service operator entering the personal identification number of the customer:
Phone flow start
The above screen is only displayed for your customer service operator (usually on a desktop). The user will never see this screen.
- The operator chooses if the call was initiated by the User (customer) or the Operator (customer service).
- Once the operator has selected Continue, the Swedish BankID app will appear on the user's mobile screen with a security check (yes/no) question.
Phone flow on mobile
- If the user selects Yes, they are presented with a screen where they can identify themselves with a security code or biometrics. If the user selects No, they get an option to cancel the identification.
See Configuration for how to enable the Phone flow.
Headless authentication
If you want to send headless authentication requests (typically from a backend or app to backend system) via Signicat, you must use our Authentication REST API or OIDC CIBA protocols. For more details, see for example Authentication Rest API > Headless flow.
Result with user information
The user information available after a successful authentication may differ slightly between different issuers. Important parameters are:
- Subject (unique ID)
- National identity number
- Name
- Birth date
- Issuer
For more details, see the Attributes reference.
Other sources
- General information about e-legitimation in Sweden: https://www.e-legitimation.se
- Information about BankID: https://www.bankid.com
- BankID's demo page with links to useful guides: https://demo.bankid.com
BankID support
Support email | Website homepage |
---|---|
teknikinfo@bankid.com | www.bankid.com |