
Implementing in native applications

BankID with biometrics supports being implemented in native applications, enabling smooth authentication experiences inside your native app.

Implementation options

There are two ways you can implement BankID with biometrics in your native app:

  • Opening the BankID with biometrics client using an in-app browser inside your app
  • Sending the user directly into the BankID app (App2App)

Sending the user directly into the app is only recommended if you have a specific requirement mandating this (e.g. 3DS authentication inside a native app), or if you want to further optimize the user experience after already having implemented BankID with biometrics by opening the client using an in-app browser inside your app.

This page describes both these approaches.

Opening the BankID with biometrics client inside your app

Opening the BankID with biometrics client is as simple as launching an in-app browser after constructing the authorization URL as described on the Authorization Code Flow page. Which type of browser you should launch depends upon the platform.

Follow the documentation

Do not deviate from the approaches described for each platform, as other approaches may have inadequate security models, or may lack support for the WebAuthn API used by BankID with biometrics, resulting in poor or broken user experiences.

Android

Browser type

When starting the BankID with biometrics authorization flow in an Android app, use a Custom Tab.

WebViews are not supported.

Experience

The user will be able to authenticate using biometrics directly inside the Custom Tab in your app, providing an extremely low-friction experience.

If the user is required to open the BankID app during authentication (for example, because you have chosen to force step-up), the BankID app closes automatically once the user is done, bringing your app to the foreground again.

iOS

Browser type

When starting the BankID with biometrics authorization flow in an iOS app, use either an ASWebAuthenticationSession or an SFSafariViewController. We recommend using ASWebAuthenticationSession for the most seamless user experience.
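
An added example (not taken from the BankID documentation) of starting the flow in an ASWebAuthenticationSession and checking the OAuth state value on the redirect. The authorization endpoint, client ID, redirect URI, custom scheme and the class name are placeholders; the actual parameter set is the one described on the Authorization Code Flow page.

```swift
import AuthenticationServices
import UIKit

// Added example. Endpoint, client ID, redirect URI and scheme are placeholders.
final class BiometricsLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    enum LoginError: Error { case alreadyRunning, badURL, stateMismatch, missingCode, notStarted }
    private let anchor: UIWindow
    private var session: ASWebAuthenticationSession?  // must stay retained while the flow runs
    private var expectedState: String?

    init(anchor: UIWindow) { self.anchor = anchor }

    func start(completion: @escaping (Result<String, Error>) -> Void) {
        // One flow at a time, so the user returns to the session they started in.
        guard session == nil else { return completion(.failure(LoginError.alreadyRunning)) }
        // Unguessable per-request state (256 bits from the system generator), hex-encoded.
        let state = (0..<32).map { _ in String(format: "%02x", UInt8.random(in: 0...255)) }.joined()
        var components = URLComponents(string: "https://auth.example.invalid/authorize")
        components?.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: "YOUR_CLIENT_ID"),
            URLQueryItem(name: "redirect_uri", value: "myapp://callback"),
            URLQueryItem(name: "state", value: state),
        ]
        guard let url = components?.url else { return completion(.failure(LoginError.badURL)) }
        expectedState = state
        let newSession = ASWebAuthenticationSession(url: url, callbackURLScheme: "myapp") { [weak self] callbackURL, error in
            let expected = self?.expectedState
            self?.session = nil; self?.expectedState = nil
            if let error = error { return completion(.failure(error)) }  // includes user cancel
            let items = callbackURL
                .flatMap({ URLComponents(url: $0, resolvingAgainstBaseURL: false) })?.queryItems ?? []
            func value(_ name: String) -> String? { items.first(where: { $0.name == name })?.value }
            // Reject redirects that do not carry the state this request generated.
            guard let returned = value("state"), returned == expected else {
                return completion(.failure(LoginError.stateMismatch))
            }
            guard let code = value("code") else { return completion(.failure(LoginError.missingCode)) }
            completion(.success(code))
        }
        newSession.presentationContextProvider = self
        session = newSession
        if !newSession.start() {
            session = nil
            completion(.failure(LoginError.notStarted))
        }
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }
}
```

The returned authorization code is exchanged for tokens by your backend; the app only needs to hold the `BiometricsLogin` instance for as long as the user may be away in the BankID app.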

Experience

Since Apple's security model around FIDO2 public key credentials (aka passkeys) is not currently compatible with BankID's security requirements, iOS users always need to go into the BankID app in order to authenticate, as opposed to Android users, who can authenticate directly from the in-app browser.

We transport the user into the BankID app very smoothly, requiring only a single click from the user.

However, once the user is done in the BankID app, the user has to manually navigate back to your app in order to proceed. Navigating manually is needed because of platform limitations, but there are steps you can take to improve this experience. Read the next section on bringing the user back to your app for further details.

Bringing the user back to your app

You can use the app_callback_uri parameter to automatically bring the user back to your iOS app once the user is done authenticating in the BankID app.

If you register an app callback URI during permission creation, we will redirect the user to this URI once the user is done authenticating in the BankID app. Provided this URI is correctly set up as a universal link pointing to your app, the effect will be that the user is automatically brought back to your app once done authenticating in the BankID app.

Note that your app must open the same browser session as the user started in.

See the relevant Apple documentation for how to set up universal links.

Example flow using the app_callback_uri parameter:

App2App

App2App is a separate flow that allows you to send the user directly into the BankID app to authenticate, without having to open an in-app browser first. This is relevant both when direct app switching is a requirement (e.g. 3DS app authentication) and as a user experience optimization.

See the page on App2App for implementation details.