Forcing step-up using acr_values

Any BankID with Biometrics authentication might require a step-up, depending on BankID with Biometrics' internal risk assessment. The assessment criteria we use are opaque for security reasons. If you have your own risk assessment strategy, prefer not to depend on our internal risk assessment, or wish to manage risk on demand, you might consider forcing a step-up. You can achieve this in BankID with Biometrics using the acr_values parameter, which is formally defined in the permissions endpoint specification.


Forcing step-up is a feature which requires creating permissions upfront.

When using acr_values, you will be billed according to the first successful authentication method in the acr_values array.

Supported acr_values

The acr_values parameter takes an array of strings and currently supports two values:

  • urn:bankid:bis - Biometric authentication using WebAuthn
  • urn:bankid:bih - Authentication using BankID High

Refer to the OpenID configuration document's acr_values_supported property for the latest list of supported acr_values.


When stepping up to BankID High, BankID with Biometrics cannot force the user to a specific BankID IDP, such as BankID on Mobile or BankID using a code device. Which IDP to use in BankID High is at the discretion of BankID OIDC and the user.

Configurations and behaviors


We will always present a biometrics prompt before other authentication methods, regardless of acr_values. This is done to provide a consistent user experience. Depending upon the requested acr_values, the authentication can still fail after performing biometrics if the provided acr_values requirements are not met.


This configuration forces the user to complete the authentication with a step-up to BankID High. If the user cannot complete the step-up, the authentication will fail.

This is the recommended way of forcing step-up.


This configuration is the default configuration for BankID with Biometrics, meaning that if you do not supply any acr_values, we will default to urn:bankid:bis.

In this configuration we will attempt biometrics first and fall back to BankID High if the user did not have BankID with Biometrics activated or biometrics failed.

["urn:bankid:bih", "urn:bankid:bis"]

This configuration forces the user to complete the authentication with a step-up to BankID High. If the user cannot complete the step-up, the authentication will fail.

We do not currently support falling back to biometrics after a failed BankID High authentication, but we might implement this at some point in the future. Future scenarios where this could be useful would be if BankID High is down, or the user does not have a BankID High.

["urn:bankid:bis", "urn:bankid:bih"]

This configuration is not recommended, as it provides no value over ["urn:bankid:bis"].

Why use BankID with Biometrics when you know you'll want step-up?

Considering that stepping up in BankID with Biometrics currently uses BankID High behind the scenes, you might wonder why you would want BankID with Biometrics with step-up instead of going directly to BankID High. Here are a couple of reasons why forcing step-up in BankID with Biometrics is advantageous over using BankID High directly.


The user is guaranteed to see and approve the authentication context to complete the authentication. This context has greater capabilities when using BankID with Biometrics than in BankID High.

Consistent user experience

While we try to keep the BankID High and the BankID with Biometrics flow as similar as possible from a user perspective, there are significant differences. One such difference is the richness of the authentication context. If your users are accustomed to seeing the rich context from BankID with Biometrics, using BankID with Biometrics with step-up should provide a more consistent user experience.


BankID High does not support a CIBA flow. If you need CIBA capabilities, and would like to reduce risk beyond what is provided internally by BankID with Biometrics, CIBA with step-up can be a good option.


In the Authorization Code with upfront permissions or CIBA flows, acr_values can be included in the request body when registering the permission via the permissions endpoint.

Returned acr claim in the ID Token

The resulting acr is returned in the ID token as a claim.
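
A relying-party check for the configurations described above, as an added example that is not part of the BankID documentation: it validates an acr_values array against acr_values_supported and confirms that the acr claim of an already-verified ID token matches what the request demanded. The function names, the sample configuration, and the assumption that the acr claim is a single string equal to one of the acr_values are assumptions of this example.

```python
BIS = "urn:bankid:bis"  # biometric authentication using WebAuthn
BIH = "urn:bankid:bih"  # authentication using BankID High

# Constructed sample of the OpenID configuration document (not fetched live).
SAMPLE_OPENID_CONFIG = {"acr_values_supported": [BIS, BIH]}


def check_acr_values(acr_values, openid_config):
    """Validate an acr_values array before use; return a list of warnings."""
    supported = openid_config.get("acr_values_supported", [])
    if not isinstance(acr_values, list) or not acr_values:
        raise ValueError("acr_values must be a non-empty array of strings")
    for value in acr_values:
        if not isinstance(value, str) or value not in supported:
            raise ValueError(f"unsupported acr value: {value!r}")
    warnings = []
    if acr_values == [BIS, BIH]:
        # Per the page, this order provides no value over ["urn:bankid:bis"].
        warnings.append('not recommended: same result as ["urn:bankid:bis"]')
    return warnings


def acceptable_acrs(acr_values):
    """Which acr results satisfy the request, per the behaviors on this page."""
    if acr_values[0] == BIH:
        # BankID High first: step-up is forced, with no fallback to biometrics.
        return {BIH}
    # Biometrics first: BankID High is only a fallback, so either can result.
    return {BIS, BIH}


def acr_claim_ok(verified_claims, requested_acr_values):
    """True if the ID token's acr claim meets the requested acr_values.

    Assumes the token's signature, issuer, audience and expiry were already
    validated, and that acr is one string (assumption of this example).
    """
    acr = verified_claims.get("acr")
    return isinstance(acr, str) and acr in acceptable_acrs(requested_acr_values)


if __name__ == "__main__":
    requested = [BIH]  # forced step-up requested for a high-risk operation
    print(check_acr_values(requested, SAMPLE_OPENID_CONFIG))
    print(acr_claim_ok({"acr": BIS}, requested))  # biometrics alone is rejected
```

Run the claim check after ID token validation and before granting access to the operation that motivated the step-up, so a token that reports only biometrics is never accepted for a request that demanded BankID High.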