Understanding authentication methods

The amr (Authentication Methods Reference) claim in the ID token returned by BankID with Biometrics in a CIBA flow, or by BankID OIDC in an Authorization Code Flow, describes which authentication methods were used during the authentication.

The amr claim is an array of strings that can contain one or more of the following authentication method reference values:

  • bis-bid - Authentication involved BankID NetCentric
  • bis-bim - Authentication involved BankID on Mobile (due to be phased out)
  • bis-mfa - Authentication involved multiple factors
  • bis-hwk - Authentication involved a hardware key

Falling back

In a fallback scenario, you should normally see bis-bid or bis-bim, but not bis-mfa or bis-hwk.

Stepping up

In a step-up scenario, bis-bid and bis-bim are not mutually exclusive with bis-mfa and bis-hwk. If you're implementing logic based on which authentication method was used, keep this in mind.

Never use the amr claim as a security mechanism

A BankID with Biometrics authentication with bis-bid is still LOA=3 as reflected in the acr claim, regardless of the internal authentication mechanism(s) provided in the amr claim.

Info

If you're using BankID OIDC and are still using version 1 of the BankID OIDC authorization endpoint, the amr claim will always be a string equalling "BIS", indicating the use of BankID Substantial authentication, but not providing any additional value.
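The following is an added example, not code from BankID, showing how a relying party can read the amr claim in both shapes described above (the array from current flows and the bare "BIS" string from version 1 of the authorization endpoint), label the fallback and step-up combinations, and keep the authorization decision on acr rather than amr. The token payloads and the acr value are constructed placeholders; the real BankID acr format is not shown here.

```python
from typing import Any

# Authentication method reference values documented for BankID with Biometrics.
BIS_AMR_VALUES = {"bis-bid", "bis-bim", "bis-mfa", "bis-hwk"}


def normalize_amr(claims: dict[str, Any]) -> set[str]:
    """Return the amr claim as a set of method references.

    Version 1 of the BankID OIDC authorization endpoint returns amr as the bare
    string "BIS"; newer flows return a JSON array. Both shapes are handled here.
    """
    amr = claims.get("amr")
    if amr is None:
        return set()
    if isinstance(amr, str):
        return {amr}
    if isinstance(amr, list) and all(isinstance(v, str) for v in amr):
        return set(amr)
    raise ValueError(f"unexpected amr claim shape: {amr!r}")


def classify_scenario(methods: set[str]) -> str:
    """Label the combination the way the documentation describes it.

    Fallback: only a BankID channel (bis-bid / bis-bim) and no extra factor.
    Step-up: a BankID channel combined with bis-mfa and/or bis-hwk.
    """
    channel = methods & {"bis-bid", "bis-bim"}
    extra = methods & {"bis-mfa", "bis-hwk"}
    if methods == {"BIS"}:
        return "legacy-v1"
    if channel and not extra:
        return "fallback"
    if channel and extra:
        return "step-up"
    return "other"


def is_authorized(claims: dict[str, Any], required_acr: str) -> bool:
    """Authorization is keyed on acr only; amr is informational."""
    return claims.get("acr") == required_acr


# Constructed sample ID token payloads (not real BankID tokens). The acr value
# is a placeholder standing in for the LOA=3 value, not BankID's real format.
FALLBACK_CLAIMS = {"sub": "user-1", "acr": "PLACEHOLDER-LOA3", "amr": ["bis-bid"]}
STEPUP_CLAIMS = {"sub": "user-1", "acr": "PLACEHOLDER-LOA3", "amr": ["bis-bid", "bis-mfa", "bis-hwk"]}
LEGACY_V1_CLAIMS = {"sub": "user-1", "acr": "PLACEHOLDER-LOA3", "amr": "BIS"}
```

Note that both the fallback and the step-up payload pass is_authorized with the same acr, which is the point of the section above: the amr contents change what you can log or display, not whether the authentication meets the required level.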