## ID switching (Swedish: _ID-växling_)
**ID switching** means using BankID (a strong e-ID) to **issue, activate, or confirm** another identity or login method that will later be used **instead of BankID**—for example a username/password login, a long-lived “remember me” session, or an account that can later be accessed with a weaker method.
BankID describes ID switching as when BankID is used to **create a new/other ID method** or to **verify a user who then continues using another ID method**.
### Why it matters
BankID is intended to be the **strong authentication step**. If a service “exchanges” a BankID login for something weaker (like passwords or persistent sessions), the overall security level drops and the risk of **account takeover** increases—because the user can later access the account without repeating the strong BankID step.
### Common examples (typically not allowed when BankID is involved)
BankID highlights scenarios such as:
- **Creating a username/password using BankID**, where future logins can be done with the password instead of BankID.
- **Confirming the identity behind an existing account** that otherwise relies on another authentication method.
- **Resetting passwords or credentials for other login methods** using a BankID authentication.
- **Maintaining very long-lived logins** (permanent cookies / extended sessions) so the strong BankID login is effectively bypassed.
### Main rule
When BankID is involved, you must **not switch identities**—a BankID identification must **not** be used to issue, bootstrap, or raise the trust level of another electronic identity or authentication method.
### What is allowed
You may offer **multiple login methods side by side** (e.g., BankID, Freja eID+, Telia) as long as:
- You **don’t switch mid-flow** (no “log in with BankID, then continue as password user” pattern), and
- You **don’t tie the issuance or activation** of another login method to a BankID verification.
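
One way to enforce the main rule and the two conditions above in a service's session layer, as an added example that is not BankID's code or code from any relying party. The action names, the `Session` fields and the one-hour re-authentication cap are assumptions made for illustration; the page gives no session lifetime figure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: illustrative cap so a BankID login cannot turn into a
# "permanent cookie" session. Pick the value your own policy requires.
MAX_BANKID_SESSION_AGE = timedelta(hours=1)

# Hypothetical action names: anything that issues, activates or resets a
# credential belonging to a login method other than BankID.
CREDENTIAL_ACTIONS = frozenset(
    {"set_password", "reset_password", "enroll_other_login_method"}
)


@dataclass(frozen=True)
class Session:
    user_id: str
    auth_method: str            # fixed at login, never rewritten mid-flow
    authenticated_at: datetime  # time of the last strong authentication


def check_action(session: Session, action: str, now: datetime) -> tuple[bool, str]:
    """Decide whether `action` may run in `session`; returns (allowed, reason)."""
    if session.auth_method == "bankid":
        # Long-lived logins bypass the strong step: require a fresh BankID login.
        if now - session.authenticated_at > MAX_BANKID_SESSION_AGE:
            return False, "bankid_reauth_required"
        # A BankID identification must not bootstrap or reset another method.
        if action in CREDENTIAL_ACTIONS:
            return False, "id_switching"
    # Other methods offered side by side manage their own credentials.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample sessions and requests, not real data.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    bankid = Session("user-1", "bankid", t0)
    password = Session("user-2", "password", t0)
    for sess, action, delay in [
        (bankid, "view_account", timedelta(minutes=5)),
        (bankid, "reset_password", timedelta(minutes=5)),
        (bankid, "view_account", timedelta(hours=2)),
        (password, "set_password", timedelta(minutes=5)),
    ]:
        print(sess.auth_method, action, check_action(sess, action, t0 + delay))
```

Logging every `id_switching` denial gives a direct signal that some flow in the application still tries to derive another credential from a BankID login.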
### Consequences of non-compliance
Breaking the ID switching rule may be treated as a **material breach** and can lead to actions such as **certificate blocking** and/or **immediate termination** of the agreement.