Integrating with BankID v6
BankID's version 6 web service API was released in May 2023 and adds a number of security improvements. Starting in version 8.5 of the Curity Identity Server, the v6 behavior is supported in the BankID front-channel and back-channel authenticators, and version 8.6 of the Curity Identity Server adds some finishing touches. This tutorial describes the updated security behavior and how to get integrated.
Applications that integrate with BankID can enable users to log in with BankID installed on the same device, such as the BankID desktop app. Alternatively, users can log in on a different device, using the BankID mobile app and selecting the Scan QR Code option. To see how this works, run the BankID online login test, which presents the following options:
Secure Start Changes
In the v6 APIs, all applications that integrate with BankID must implement the Secure Start behaviors. These are briefly summarized in this section, and you can read more about the details in the frequently asked questions.
Firstly, the application must use an auto-start token for same-device logins, which binds the application instance to a BankID session. Secondly, when logging in to BankID from another device, the application presents an animated QR code for the user to scan with the BankID mobile app; the code changes every second and is far harder to relay in a phishing attack than a static image. Finally, BankID no longer allows flows that ask the user to enter a personal number, to prevent the fraud that becomes possible when a malicious party starts such a flow using a victim's personal number.
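The two Secure Start mechanisms above are handled inside the Curity Identity Server, but it helps to see what they consist of. The following is an added example, not code from the original page or from Curity or BankID: it derives the per-second animated QR payload from the qrStartToken and qrStartSecret that BankID's /auth response gives the relying party backend, shows the same-device launch URL built from the autoStartToken, and includes an illustrative verifier to show why a relayed frame cannot be forged. The token and secret values are constructed sample UUIDs, and `verify_qr_payload` with its `max_skew` tolerance is an assumption made for illustration; BankID's own server-side acceptance rules are not documented on this page.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values standing in for the fields returned by the
# BankID v6 /auth call. In a real integration they come from BankID and
# the qrStartSecret must stay on the relying party backend.
SAMPLE_QR_START_TOKEN = "67df3917-fa0d-44e5-b327-edcc928297f8"
SAMPLE_QR_START_SECRET = "d28db9a7-4cde-429e-a983-359be676944c"
SAMPLE_AUTOSTART_TOKEN = "7c40b5c9-fa74-49cf-b98c-bfe651f9a7c6"


def qr_auth_code(qr_start_secret: str, seconds_since_start: int) -> str:
    """HMAC-SHA256 over the elapsed-seconds counter, keyed with qrStartSecret.

    Only this hex digest (via the QR image) ever reaches the user, so someone
    who captures one frame of the QR code cannot compute the next one.
    """
    return hmac.new(
        qr_start_secret.encode("ascii"),
        str(seconds_since_start).encode("ascii"),
        hashlib.sha256,
    ).hexdigest()


def animated_qr_payload(qr_start_token: str, qr_start_secret: str,
                        seconds_since_start: int) -> str:
    """Text to encode in the QR image for one second of the order's lifetime."""
    code = qr_auth_code(qr_start_secret, seconds_since_start)
    return f"bankid.{qr_start_token}.{seconds_since_start}.{code}"


def verify_qr_payload(payload: str, qr_start_token: str, qr_start_secret: str,
                      now_seconds: int, max_skew: int = 2) -> bool:
    """Illustrative check of a scanned payload (assumed behaviour, not BankID's
    published rules): the token must match, the frame must be recent, and the
    auth code must be the HMAC for exactly that second."""
    parts = payload.split(".")
    if len(parts) != 4 or parts[0] != "bankid" or parts[1] != qr_start_token:
        return False
    try:
        frame_time = int(parts[2])
    except ValueError:
        return False
    if abs(now_seconds - frame_time) > max_skew:
        return False  # stale or replayed frame
    expected = qr_auth_code(qr_start_secret, frame_time)
    return hmac.compare_digest(parts[3], expected)


def autostart_launch_url(autostart_token: str, redirect: str = "null") -> str:
    """Same-device launch URL using BankID's bankid:/// custom scheme.

    The autoStartToken ties the app instance that is launched to the BankID
    order the backend created, which is the binding Secure Start requires.
    """
    return "bankid:///?" + urlencode({"autostarttoken": autostart_token,
                                      "redirect": redirect})


if __name__ == "__main__":
    # Render the first three frames an RP would show, one per second.
    for second in range(3):
        print(animated_qr_payload(SAMPLE_QR_START_TOKEN,
                                  SAMPLE_QR_START_SECRET, second))
    print(autostart_launch_url(SAMPLE_AUTOSTART_TOKEN))
```

The practical consequence for integrators is that the qrStartSecret and autoStartToken are backend secrets: they must never be written into HTML, logs or client-side storage, and the QR image must be regenerated server-side every second rather than rendered once.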
Migration to Secure Start
The newer behaviors will become mandatory for all authorities, companies and organizations that use BankID in their e-services. The published deadline is May 1 2024, so it is recommended to update to v6 as soon as possible.
The BankID Front-channel Authenticator
BankID can be used as an authentication method during an OpenID Connect code flow. To configure BankID authentication, run the Admin UI and navigate to Profiles → Authentication Service → Authenticators. Then add a BankID authenticator and select the version 6 API, so that the new security behaviors are activated. Read more about the configuration settings in the Authentication Service Admin Guide.
The BankID Back-channel Authenticator
Using a Client Initiated Backchannel Authentication (CIBA) flow requires a license with the financial-grade package. A common use case is when a customer service operative runs an app that needs to ask a user to authenticate remotely, e.g., as part of a phone call. Configure a back-channel authenticator with BankID to enable users to authenticate remotely using BankID.
The CIBA tutorial explains how to run a CIBA flow. To set up authentication for a CIBA flow that uses the BankID v6 API, run the Admin UI and navigate to Profiles → Authentication Service → Authenticators → Back-channel Authenticators. When using the v6 API, select the
The customer service application can trigger remote authentication. To enable this, add the Back-channel Authentication capability to the corresponding OAuth client, then select the authenticator as shown here. The back-channel authenticator interacts directly with the BankID v6 API, so there is no need to configure a BankID front-channel authenticator.
BankID has added a new My intention behavior during user authentication. This provides explanatory text that a company can show to its customers. From version 8.6 of the Curity Identity Server, a static value can be entered in the User Message field of the BankID front-channel authenticator. Alternatively, a runtime value can be provided in authentication flows that support a binding_message parameter, such as a CIBA flow.
BankID Signing Consentor
The Curity Identity Server provides a BankID Consentor, which can be used to digitally sign the attributes of an OAuth user consent.
From version 8.6 of the Curity Identity Server, the BankID Consentor uses the BankID v6 Signing API. Consentors enable custom solutions to be built, as demonstrated in the following video.
BankID Technical Setup
If you are new to BankID, the App2App Logins via Hypermedia Authentication API tutorial provides a video walkthrough. The main steps are to first install the BankID mobile app and configure it to point to the BankID test environment. Next, create one or more BankID test accounts, so that each test user receives a personal number and security code. Finally, use the integration guide to obtain the certificate details to configure in the Curity Identity Server.
BankID provides secure, user-friendly authentication. Users should not need to enter their personal number, since that flow carries a risk of fraudulent authentication. Instead, the user is prompted with an animated QR code or with the option to start the BankID app on the same device. Applications that already use BankID for same-device and cross-device authentication can upgrade simply by enabling version 6 for their BankID authenticator, which enforces the secure behaviors. For customers who use BankID during phone calls, there is the bankid-phone back-channel authenticator, which provides a secure, BankID-native implementation of remote authentication.