3-D Secure
3-D Secure is a protocol for secure online credit and debit card transactions. It is used to authenticate the cardholder during payment transactions, and BankID with biometrics is an excellent choice to authenticate the cardholder. The card issuer controls an Access Control Server (ACS) which delegates the authentication to BankID with biometrics.
Two options are offered for implementing BankID with biometrics in your 3-D Secure solution: browser-based authentication using an iframe, or app-based authentication using an app-to-app approach.
Browser-based authentication using an iframe
BankID with biometrics provides a smooth and consistent user experience for use in 3-D Secure solutions by providing a way to embed the BankID with biometrics client within an iframe.
Showcase
Below you'll see a Figma prototype and images showcasing the BankID with biometrics iframe solution in a 3-D Secure flow. The flow is demonstrated for both users with and without BankID with biometrics enabled.
Interactive Figma prototype
The following prototype is only available in Norwegian.
Flow for user with biometrics enabled
This flow demonstrates the optimal user experience when the user has enrolled in BankID with biometrics, and you as a merchant have provided the user's nnin beforehand.
Flow for user without biometrics enabled
This flow illustrates the experience when the user has not enrolled in BankID with biometrics, and you as a merchant have not provided the user's nnin prior to starting the flow.
Guiding principles for implementation
BankID with biometrics should be presented consistently across implementors. A preferred approach for implementing BankID with biometrics in a 3-D Secure solution is therefore described.
The preferred approach is to:
- Get the BankID with biometrics iframe link, providing the user's nnin for the quickest possible login experience.
- Immediately display the BankID with biometrics iframe in order to provide the best security possible.
- If alternative login methods are needed, they can be displayed as tabs in the containing page controlled by the ACS.
Security
Starting the login experience immediately prevents anyone from choosing an authentication method that obscures the amount and recipient from the real cardholder, and is therefore the preferred approach.
However, if you really need to display a login button to start the BankID with biometrics flow, the button should only contain the BankID icon followed by the text "BankID". Refer to the flow images above for an example of how this button might look. Use the following icon if implementing such a button.
See the iframe page for further details on how to implement it.
App-based authentication using app2app
For app-based authentication, the app2app flow is recommended. The app2app flow is a deep link that opens the BankID app directly, where the user can authenticate with biometrics.
If the BankID app is not available, the CIBA flow can be used as a fallback. The CIBA flow will send a push message to the app to authenticate the user. This will work for game consoles, smart TVs, and other devices that do not have the BankID app installed.