Introduction¶
What is BankID with Biometrics?¶
BankID with Biometrics is a new way to authenticate using BankID leveraging WebAuthn for secure authentication. WebAuthn uses the device's security features, such as facial recognition, fingerprint recognition, or PIN entry, resulting in a swifter and smoother authentication experience compared to BankID High.
BankID with Biometrics offers a superior user experience, but is classified as having a lower Level of Assurance (LoA=3) than a BankID High authentication (LoA=4). See this page to determine whether using BankID with Biometrics is appropriate for you product from an trust perspective.
BankID with Biometrics is implemented as an OIDC service using BankID OIDC as an entry point.
Context / Permission Types¶
In addition to enabling a smoother authentication experience, BankID with Biometrics also supports displaying rich context information to the user depending on the type of the authentication, also referred to as the permission type. This context information is used to to provide the user with additional context about the authentication. There are many different permission types with different context data available. These permission types ranges from standard logins where the name of the merchant is presented, to fully-fledged PSD2 SCA compliant payment approvals.
See the Schemas section of the Permission API specification for all available permission types.
Info
Using a permission type other than authentication.v1 requires registering permissions upfront.
See the Authorization Code with upfront permissions or Client Initiated Backchannel Authentication flows for more details.
Info
Some permission types require additional scopes for your client. This is detailed in the Permission API spec.
Fallback¶
Not all BankID users have activated BankID with Biometrics yet. If a user without BankID with Biometrics is sent into a BankID with Biometrics flow, they will still be able to authenticate using their BankID High. This is referred to as a fallback or falling back to BankID High.
Fallback to BankID High is an internal operation that uses BankID with Biometrics as the internal BankID merchant, meaning the transaction is not registered on the merchant certificate, and is not billed as a BankID High transaction.
Users are guaranteed to have seen and approved the authentication context in order to complete the authentication, even when falling back to BankID High.
Warning
The level of assurance in a BankID with Biometrics flow remains the same (LoA=3) regardless of whether the user ended up falling back using BankID High internally.
Step-up¶
In certain scenarios, we will require a step-up be performed by the user. This is a security measure which requires the user to perform a BankID High authentication in addition to the biometric authentication.
Step-up to BankID High is an internal operation that uses BankID with Biometrics as the internal BankID merchant, meaning the transaction is not registered on the merchant certificate, and is not billed as a BankID High transaction, unless specifically required by the merchant using the acr parameter.
Warning
The level of assurance in a BankID with Biometrics flow remains the same (LoA=3) regardless of whether the user ended up stepping up using BankID High internally.
Limitations¶
BankID with Biometrics does not support being embedded in an iframe.
Next step¶
Go to getting started to see how you can implement BankID with Biometrics in your application.