Introduction
What is BankID with biometrics?
BankID with biometrics is a new way to authenticate with BankID that leverages WebAuthn for secure authentication. WebAuthn uses the device's built-in security features, such as facial recognition, fingerprint recognition and PIN entry, to offer a swifter and smoother authentication experience than BankID High.
BankID with biometrics offers a superior user experience, but is classified as having a lower Level of Assurance (LoA=3) than a BankID High authentication (LoA=4). See this page to determine whether using BankID with biometrics is appropriate for your product from a trust and security perspective.
BankID with biometrics is implemented as an OIDC service using BankID OIDC as an entry point.
Context / Permission Types
In addition to enabling a smoother authentication experience, BankID with biometrics supports displaying rich context information to the user depending on the type of the authentication, referred to as the permission type. This information is used to provide the user with additional context about the authentication.
See the page on permission types to read more about the different types of permissions and how to use them.
Fallback
Not all BankID users have activated BankID with biometrics yet. If a user without BankID with biometrics enters a BankID with biometrics flow, they can still authenticate using BankID High. This is referred to as a fallback or falling back to BankID High.
Fallback to BankID High is an internal operation using BankID with biometrics as the internal BankID merchant, meaning the transaction is not registered on the merchant certificate and is not billed as a BankID High transaction.
Users must see and approve the authentication context in order to complete the authentication, even when falling back to BankID High.
Warning
The level of assurance in a BankID with biometrics flow remains the same (LoA=3) regardless of whether the user ended up falling back using BankID High internally.
Step-up
In certain scenarios, we will require a step-up to be performed by the user. This is a security measure that requires the user to perform a BankID High authentication in addition to the biometric authentication.
Step-up to BankID High is an internal operation that uses BankID with biometrics as the internal BankID merchant, meaning the transaction is not registered on the merchant certificate, and is not billed as a BankID High transaction, unless specifically required by the merchant.
For details on how you can require a step-up as a merchant, see the page on forcing step-up.
Warning
The level of assurance in a BankID with biometrics flow remains the same (LoA=3) regardless of whether the user ended up stepping up using BankID High internally.
Limitations
BankID with biometrics does not support being embedded in an iframe.
Next step
Go to getting started to see how you can implement BankID with biometrics in your application.