This section and its sub-pages contain information regarding user experience design. Here, you'll find information about how BankID is presented to the end user, as well as some tips and tricks to keep in mind while setting up your BankID implementation.
A note on Identity providers
BankID currently offers two identity providers for end users:
- BankID Netcentric relies on a code device (issued to the end user by their issuing bank) and a personal password, which the end user sets in the online bank. Some issuing banks have developed their own mobile apps that replace their code device.
- BankID on Mobile prompts the end user to check a transaction reference on their phone and to enter a PIN code.
We are also currently working on a third IDP-option: a BankID App (BAPP). This is in a rollout phase now and will become more available during Q2 and Q3 2020.
For more information, please refer to our website.
Basic flow: End-user dialogues
As described in the message flow details of the authorization code grant, the end user interacts with BankID in three different stages, depending on the scopes given to indicate which service is requested.
- IDP selector: The end user selects the desired BankID identity provider (if the OIDC Client has not already requested a particular IDP via the
- Authentication: The end user provides credentials for the selected IDP method
- Consent dialogues: The end user provides consent to share data with the merchant (if requested by the merchant)
More information about the end user dialogues and flows can be found here: https://brand.vipps.no/d/DgLepABXUPY4/markedspakker#/markedspakker/bankid-identifisering
1 IDP selector
After initializing the authorize request, the end user will be shown the IDP selector dialogue, where the end user is given the choice between the supported identity providers. As described in the documentation for the authorize endpoint, the merchant may bypass this dialogue by including a login_hint parameter to pre-select either BankID Netcentric or BankID on Mobile. See Login Hints under identity providers for more details.
After the end user has selected their preferred IDP, or in the case of preselection through login hints, the end user will authenticate with this IDP. As described in the section for identity providers, we currently offer BankID Netcentric and BankID on Mobile.
| Step | BankID Netcentric | BankID on Mobile |
|---|---|---|
| Something that the end user "is" | End user types their national identity number | End user types their mobile number and birth date |
| Something that the end user "has" | End user supplies their one-time password, retrieved from their BankID code device | End user is shown reference words and is asked to check their mobile phone. If the reference words coincide, they can move on to the next and final step |
| Something that the end user "knows" | End user supplies their personal password, which is managed at their issuing bank website | End user types their personal PIN code |
The merchant may request additional end user data such as Norwegian National Identity Number (NNIN), address, email and phone number. This will prompt the user to give consent to share this information after they have completed the authentication. Note that the user may choose to decline any of the information that requires consent. See the userinfo endpoint for more information.
The consent dialogue views and the optional end user information, with the exception of Norwegian National Identity Number, are considered experimental. The service can be used freely by merchants, but further development and feature requests will not be prioritized going forward. We advise merchants that require information such as email, address and phone number to handle this in their own application, as the user may choose not to provide this information through the BankID OIDC service.
When nnin is the only requested userinfo scope that requires consent, the end user is simply asked whether they want to share the NNIN with the merchant, in this case "OIDC Testklient".
The end user may choose to not share their NNIN with the merchant. It is up to the merchant to confirm that the information is provided and handle the result accordingly if it is required for onboarding a new customer.
The BankID OIDC service also supports the scope nnin_altsub, which is included in the ID token. It is important to know that nnin_altsub can only be used in cases where you already know the end user's Norwegian National Identity Number. See digital onboarding for more information. Note that the merchant must have a legal reason to store and use Norwegian National Identity Numbers.
Address, email and phone number
If any userinfo scope that requires consent other than nnin is requested, e.g. phone, the end user is presented with a form to provide the information.
The end user is presented with a view that presents the BankID userinfo solution.
The user has the option to skip this form, which returns them to the merchant with none of the requested information, including NNIN if it was requested in addition to address, email or phone number.
The end user fills out the form and stores the data with BankID for future use.
Left image: Empty form
Right image: Filled form
The end user chooses what information to share with the merchant.
Left image: Consent given to all (default)
Right image: No consent given
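A merchant-side check for the declined-consent and skipped-form cases described above, as an added example that is not BankID's own code. The scope-to-claim mapping, the function and class names, and the sample userinfo responses are assumptions constructed for illustration; confirm the claim names against the userinfo endpoint documentation.

```python
from dataclasses import dataclass, field

# Assumption: consent-requiring scopes and the userinfo claim each one yields
# (standard OIDC claim names; not taken from this page).
CONSENT_SCOPE_CLAIMS = {"nnin": "nnin", "address": "address",
                        "email": "email", "phone": "phone_number"}

# Constructed sample userinfo responses (placeholder values, not real data).
USERINFO_ALL = {"sub": "constructed-sub", "nnin": "00000000000",
                "phone_number": "+4700000000"}
USERINFO_NNIN_DECLINED = {"sub": "constructed-sub", "phone_number": "+4700000000"}
USERINFO_FORM_SKIPPED = {"sub": "constructed-sub"}  # nothing shared, NNIN included


@dataclass
class ConsentResult:
    shared: dict = field(default_factory=dict)    # scope -> value the user shared
    declined: list = field(default_factory=list)  # requested but not returned
    blocked: list = field(default_factory=list)   # declined and required

    @property
    def can_onboard(self):
        return not self.blocked


def evaluate_consent(requested_scopes, userinfo, required_scopes=("nnin",)):
    """Compare what was requested with what the end user agreed to share."""
    result = ConsentResult()
    for scope in requested_scopes:
        claim = CONSENT_SCOPE_CLAIMS.get(scope)
        if claim is None:
            continue  # e.g. "openid": not part of the consent dialogue
        value = userinfo.get(claim)
        if scope == "nnin" and value is not None:
            value = str(value)
            # An NNIN is 11 digits; treat anything else as not provided.
            if not (value.isascii() and value.isdigit() and len(value) == 11):
                value = None
        if value in (None, "", {}):
            result.declined.append(scope)
            if scope in required_scopes:
                result.blocked.append(scope)
        else:
            result.shared[scope] = value
    return result
```

When `can_onboard` is false, the merchant should stop the onboarding flow or collect the missing data in its own application rather than proceed as if the claim had been returned.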
The OIDC Provider does not support pure app-based applications using a completely embedded (API-based) user experience. A future release may include such support either via deep-linking between the OIDC Client app and a designated OIDC Provider App, or via integration of an OIDC Provider SDK into the OIDC Client app. However, this is not a priority in the short or medium term.