
Increase security with secure start

There are more and more advanced security threats in the digital arena. Secure start verifies that the person using your services is the same person who is identifying themselves with BankID. This is one of many measures that help prevent, for example, telephone fraud.


Help us increase security with secure start

To enhance protection for both users and e-services, all organizations that use BankID in their e-services need to update to the latest version of our RP-API. Please update as soon as possible, and by May 1, 2024 at the latest.

Important changes

Secure start means that you need to update to the latest version of our RP-API. Doing so means that you need to:

1. Use autostart for BankID on the same device


2. Use animated QR code for BankID on another device
As an animated QR code changes its appearance, it's more difficult to use in scams compared to a static one that can be photographed and sent onwards.


3. Remove start with personal identity numbers
It’s no longer possible to start an identification or signing by having the user type their personal identity number in, for example, an online service. Please use autostart and/or animated QR code instead. Companies using BankID in telephone calls will find support for this in the latest version of the RP-API.


Parameter changes in the latest API update

  • personalNumber - removed

  • endUserUa - removed

  • autostartTokenRequired - removed

  • tokenStartRequired - removed

  • issuerCn - removed

  • cert - removed

  • notBefore - removed

  • notAfter - removed

  • uhi - new

  • stepUp - new

  • mrtd - new

  • bankIdIssueDate - new

  • allowFingerprint renamed to pinCode with new defaults

  • mrtdRequired renamed to mrtd

  • personalNumber - new


Get updates

This page is updated with new information over time. We also communicate through our Technical newsletter.


FAQs about secure start

Here you will find answers to the most common questions related to secure start of BankID.

The animated QR code is used when the customer visits your online services on a computer, but uses a different device for the BankID identification. An animated QR code prevents scammers from using an image of the code to fool your customers.

How it works:

  1. The customer selects "BankID on another device" in the online service.

  2. The customer scans a QR code on the computer screen, using the BankID app.

  3. The customer gives their approval in the BankID app.

In our technical guide you can find more information about the animated QR code and instructions on how to implement it.
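
The rotating code described above, as an added example that is not BankID's own code: each frame carries an HMAC-SHA256 over the elapsed seconds, following the scheme in BankID's integration guide (the names `qrStartToken` and `qrStartSecret` come from that guide, not from this page). The sample values and the `frame_is_fresh` check with its 5-second window are constructed assumptions, used to show why a photographed frame goes stale.

```python
import hashlib
import hmac

# Constructed sample values. A real qrStartToken/qrStartSecret pair comes from
# the RP-API response when an order is started; the secret stays on the backend.
QR_START_TOKEN = "11111111-2222-3333-4444-555555555555"
QR_START_SECRET = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def qr_auth_code(qr_start_secret: str, elapsed: int) -> str:
    """HMAC-SHA256 over the elapsed whole seconds, keyed with the secret."""
    return hmac.new(
        qr_start_secret.encode("ascii"),
        str(elapsed).encode("ascii"),
        hashlib.sha256,
    ).hexdigest()


def qr_frame(qr_start_token: str, qr_start_secret: str, elapsed: int) -> str:
    """Text to encode in the QR image for one second of the animation."""
    code = qr_auth_code(qr_start_secret, elapsed)
    return f"bankid.{qr_start_token}.{elapsed}.{code}"


def frame_is_fresh(frame: str, qr_start_secret: str, now_elapsed: int,
                   max_age: int = 5) -> bool:
    """Illustrative verifier; the max_age window is an assumption,
    not BankID's actual acceptance rule."""
    parts = frame.split(".")
    if len(parts) != 4 or parts[0] != "bankid" or not parts[2].isdecimal():
        return False
    elapsed = int(parts[2])
    expected = qr_auth_code(qr_start_secret, elapsed)
    # Constant-time comparison: an edited timestamp no longer matches its code.
    if not hmac.compare_digest(parts[3], expected):
        return False
    # A genuine frame is only accepted close to the second it was shown.
    return 0 <= now_elapsed - elapsed <= max_age


if __name__ == "__main__":
    live = qr_frame(QR_START_TOKEN, QR_START_SECRET, 3)
    print(live)
    print("scanned at t=4:", frame_is_fresh(live, QR_START_SECRET, 4))
    print("photo replayed at t=60:", frame_is_fresh(live, QR_START_SECRET, 60))
```

The backend regenerates the frame every second and sends only the resulting string to the browser for rendering.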

Secure start means that you need to update to the latest version of our RP-API. Doing so means that you need to:

  1. Use autostart for BankID on the same device.

  2. Use animated QR code for BankID on another device.

  3. Remove start initiated by personal identity numbers.

In the latest version of the RP-API, support for start initiated by the personal identity number is fully removed. This is an important security measure that lowers the risk of fraud and enhances security further. The update is mandatory. However, an exception is made for companies using BankID for signing of card payments. Support for this is under development and these companies must wait to make the update. Therefore, the set date of May 1st 2024 is not valid for these companies.

Technical guide

Follow the instructions in our technical integration guide to update to the latest version, version 6, of our RP-API.

Yes. In the latest version, the support for start with personal identity numbers is completely removed. It is an important security measure that will reduce the risk of fraud. All companies, organisations and authorities who use BankID in their services are required to upgrade to the new version.

Companies using BankID for signing of card payments must wait to make the update until support for this is available.

You can find instructions and information about how to update to the latest version, version 6, of the RP-API and how to implement the animated QR code in our technical guide.

Personal identity numbers are public and easy to get hold of. If an identification or signing is started by the user typing in their personal identity number, the flow can be started from another location, which scammers can take advantage of. Using secure start means that the device holding the BankID must be in the same place as the device used for visiting the service.

It depends on whether you will use BankID in phone calls and/or for card payments. If not, it's limited to a minor upgrade with a URL change and changing the names of a few parameters.

Use of BankID in phone calls and/or for card payments will require implementation of new interfaces for these functions. Support for BankID in phone calls is available in the latest version of the RP-API, and support for card payments is currently under development.

More information and instructions can be found in our technical guide.

Autostart is used when the customer visits your online services on the same device that holds their Mobile BankID. The BankID app is started directly from your service, without any intermediate steps. This makes the identification faster and gives a better user experience. It also enhances security by eliminating other steps that could be used by scammers.

How autostart works:

  1. The customer selects "BankID on same device" in your service.

  2. The BankID app is opened automatically.

  3. The customer gives their approval in the BankID app.