ZignSec

Some technical facts about the Swedish BankID

  • The auth/sign service initiation returns two main fields: orderRef and autostartToken. orderRef is the BankID session identifier used throughout the process.
  • autostartToken is needed when the BankID app is started automatically via the custom BankID URL; it also binds that BankID app instance to the specific initialized session.
  • Normally you are allowed to start your BankID app on any device without using the autostart URL; in that case the PersonalNumber acts as the binding element between the BankID session and the app. In this scenario PersonalNumber is a necessary parameter in the initiation call.
  • To sum up: the merchant can initiate a BankID session either with or without setting the personal number parameter. If it is set, any BankID client registered with that personal number can immediately respond to the request. If it is not set, only the BankID app installed on the same device can respond, and that app needs to be started with the autostart-token URL.
  • In production the merchant can set up their own merchant name to be displayed in the user’s BankID app without an extra fee.
  • In test you will see ZignSec as the merchant name.
  • Any number of test users (with BankID app test certificates) can be created on a device/PC; in this case a list of users will appear in the BankID app (for unspecified logins on the same device).
  • Many devices/PCs can use the same personal number.
  • The first BankID app to respond to a request becomes the “session owner/responder”.
  • In the BankID product every bank is responsible for issuing the actual end-user certificate; there is no central controlling agency.
  • The same person can have multiple BankID accounts with the same personal number but slightly different naming, for example leaving out a middle name at one bank.
  • Normally the name fetched via the BankID app is not the full name set in the national population register.
  • Support for QR code / double verification was added in March 2019. For improved assurance that the user’s login attempt is only valid within the current ZignSec login session, QR code scanning is recommended. If activated, the login wait screen will include a QR code image that must be scanned with the BankID app before the login process can proceed in the app. You activate QR code / double verification by adding the requirement parameter AutoStartTokenRequired=Yes:
    Activated by adding parameter: "requirement": {"AutoStartTokenRequired": "Yes"}
    Result: bankid:///?autostarttoken=12758813-220f-4328-9d50-a7d9679479ea
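An added example, not ZignSec's or BankID's own code, that builds the initiation body for the two session-binding modes described above and derives the autostart URL (the QR code content) from the returned autostartToken. The 12-digit personal-number format, the exact PersonalNumber field casing, and the choice to force the requirement whenever no personal number is given are assumptions of this example.

```python
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: a 12-digit test personal number (YYYYMMDDNNNN,
# the format the BankID service expects; an assumption here) and a response
# whose autostartToken is the one shown on the page, orderRef made up.
SAMPLE_PNR = "198001019999"
SAMPLE_RESPONSE = {
    "orderRef": "00000000-0000-4000-8000-000000000001",
    "autostartToken": "12758813-220f-4328-9d50-a7d9679479ea",
}


def build_init_body(personal_number=None, require_autostart=False):
    """Body for the auth/sign initiation in the two binding modes.

    With PersonalNumber set, any app enrolled for that number may respond.
    Without it, only the app on the same device can respond and it must be
    started via the autostart token, so the requirement is forced on.
    """
    body = {}
    if personal_number is not None:
        if not re.fullmatch(r"\d{12}", personal_number):
            raise ValueError("personal number must be 12 digits (YYYYMMDDNNNN)")
        body["PersonalNumber"] = personal_number
    if require_autostart or personal_number is None:
        # Double verification: app must be started with this session's token.
        body["requirement"] = {"AutoStartTokenRequired": "Yes"}
    return body


def autostart_url(response):
    """Custom-scheme URL (also the QR code content) for the returned token."""
    token = response["autostartToken"]
    # Only a canonical UUID goes into the URL; anything else is rejected.
    if str(uuid.UUID(token)) != token.lower():
        raise ValueError("autostartToken is not a canonical UUID")
    return f"bankid:///?autostarttoken={token}"


def token_from_autostart_url(url):
    """Inverse of autostart_url: recover the token from a scanned bankid URL."""
    parts = urlsplit(url)
    if parts.scheme != "bankid" or parts.path != "/":
        raise ValueError("not a bankid autostart URL")
    query = parse_qs(parts.query, strict_parsing=True)
    return query["autostarttoken"][0]
```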