This section and is sub-pages contains information regarding user experience design. Here, you'll find information about how BankID is presented to the end user, as well as some tips and tricks to keep in mind while setting up your BankID implementation.
A note on Identity providers
BankID currently offer three identity providers for end users:
- BankID Netcentric relies on a code device (issued to end user from their issuing bank) or BankID-app, and a personal password, which the end user sets in the online bank. Some issuing banks have developed their own mobile-apps that replace their code device
- BankID on Mobile will prompt the end user to check a transaction reference on their phone, as well as entering a PIN-code
- BankID Substantial will allow biometric authentication on the users mobile device.
For more information, please refer to our website.
Basic flow: End-user dialogues
The end user interacts with BankID in three different stages, depending on the scopes given to indicate which service is requested.
- NNIN input and BankID method selector: The end user provides their NNIN (SSN) and/or selects the desired BankID method (depending on what is provided in the
- Authentication/Signing: The end user signs and/or provides credentials for the selected method
- (optional) Consent dialogues: The end user provides consent to share data with the merchant (if requested by the merchant)
1 BankID Method selector
After initializing the authorize request, the end user will be asked to enter their NNIN (if not provided by login hint), and then asked to choose the desired BankID method.
As described in the documentation for the authorize endpoint, the merchant may bypass this dialogue by including a
login_hint parameter to pre-select either BankID Netcentric or BankID on Mobile. See Login Hints under identity providers for more details.
After the end user has selected their preferred method, or in the case of preselection through login hints, the end user will authenticate themselves.
|BankID on Mobile
Something that the end user "is"
End user types their mobile number and birth date
Something that the end user "has"
End user supplies their one-time password, retrieved from their BankID code device, or using a mobile app.
End user is shown reference words and is asked to check their mobile phone. If the reference words coincide, they can move on to next and final step
Something that the end user "knows"
End user supplies their personal password, which is managed at their issuing bank website.
End user types their personal PIN code
The merchant may request additional end user data such as Norwegian National Identity Number (NNIN), address, email and phone number. This will prompt the user to give consent to share this information after they have completed the authentication. Note that the user may choose to decline any of the information that requires consent. See the userinfo endpoint for more information.
The consent dialogue views and the optional end user information, with the exception of Norwegian National Identity number, are considered experimental. The service can be used freely by merchants, but further development and feature request will not be prioritized going forward. We advice merchants that require information such as email, address and phone number to handle this in their own application as the user may choose to not provide this information through the BankID OIDC service.
nnin is the only userinfo scope that requires consent, the end user is simply asked if they want to share the NNIN with the merchant, in this case "OIDC Testklient":
The end user may choose to not share their NNIN with the merchant. It is up to the merchant to confirm that the information is provided and handle the result accordingly if it is required for onboarding a new customer.
The BankID OIDC service also supports the scope
nnin_altsub which is included in the ID token. It is important to know that
nnin_altsub can only be used in cases where you already know the end user's Norwegian National Identity Number. See digital onboarding for more information. Note that the merchant must have a legal reason to store and use Norwegian National Identity Numbers.
Address, email and phone number
If any userinfo scope that require consent other than
nnin is requested, i.e.
phone, the end user is presented with a form to provide the information.
The end user is presented with a view that presents the BankID userinfo solution.
The user has the option to skip this form which will return to the merchant with none of the requested information ,including NNIN if requested in addition to address, email or phone number.
The end user fills out the form and store the data with BankID for future use.
Left image: Empty form
Right image: Filled form
The end user chooses what information to share with the merchant.
Left image: Consent given to all (default)
Right image: No consent given