How to prepare for Secure start in BankID

Secure start by Swedish BankID marks a significant step towards increased security. From May 1, 2024, it will be mandatory for every business that has integrated BankID, helping to protect users from identity fraud.

In this blog post, we will cover:

  • What Secure start is and why it is necessary
  • The changes in the user experience
  • The benefits of Secure start
  • How to prepare your business for Secure start

What is Secure start?

Secure start is a new requirement by BankID, introduced to combat the increasing issue of identity fraud and phishing attacks.

To minimize the risk, there will be two mandatory changes to the user experience:

  1. Autostart on the same device
  2. Animated QR code on another device

Secure start must be implemented by May 1, 2024 for any business that uses BankID for authentication or signatures.

Why is Secure start necessary?

Far too often, people fall victim to online identity fraud. A 2019 study by the Swedish Statistics Authority showed that one in three people receive fraudulent emails through phishing attacks.

The process might look something like this:

  1. A criminal acquires a person’s social security number and uses it to start the login process to access their bank account.
  2. The criminal then contacts the person by phone, email, SMS, etc., asking them to identify themselves with their personal BankID.
  3. The person falls into the trap and verifies their identity with their Swedish BankID.
  4. The criminal now has access to the victim’s bank account.

In such cases, the criminal does not even need to be physically present to complete the above process.

How will the user experience be affected?

To prevent the above, two changes are coming.

1. Autostart on the same device

In the future, you will no longer be able to simply type in your social security number (SSN) to start the BankID verification process.

Hitting the “Start BankID” button will instead redirect the user to the BankID app on the same device. This ensures that it’s the same person who both starts the BankID verification process and completes it to get access. 

Autostart also streamlines the overall user experience.


2. Animated QR code on another device

When a user wants to verify their identity on another device, like a desktop or tablet, the person must use the BankID app to scan a QR code on that device’s screen.

Similar to Autostart, this adds an extra layer of security by ensuring that it’s the same person who initiates the BankID verification process and scans the QR code.

The process uses an animated QR code to reduce the risk of someone taking a screenshot of a static QR code for fraudulent purposes.

BankID is also able to see how old the QR code is, and the process will not work if the scanned code is too old.
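The two mechanisms above, the same-device autostart link and the animated QR code with its age check, can be illustrated in code. The following is an added example and not code from the original post or from Criipto or BankID. It assumes the link and QR-frame formats described in BankID's public RP-API v6 documentation: the QR content is `bankid.` + the qrStartToken, a counter of seconds since the order was started, and an HMAC-SHA256 of that counter keyed with the qrStartSecret, re-rendered every second. The token and secret values and the 30-second age limit are constructed placeholders; the real ones come from BankID's auth response and BankID applies its own limit on the server side.

```python
"""Added example: autostart link and animated QR frames for BankID Secure start.

Assumptions (not from the page): formats follow BankID's RP-API v6
documentation; token/secret values are constructed placeholders; the
age cut-off is illustrative. Nothing here talks to BankID.
"""
import hashlib
import hmac

# Constructed sample values; real ones are returned by BankID when an order is started.
QR_START_TOKEN = "67df3917-fa0d-44e5-b327-edcc928297f8"
QR_START_SECRET = "d28db9a7-4cde-429e-a983-359be676944c"
AUTOSTART_TOKEN = "7c40b5c9-fa74-49cf-b98c-bfe651f9a7c6"
MAX_QR_AGE_SECONDS = 30  # illustrative cut-off for "too old"


def autostart_url(autostart_token: str, redirect: str = "null") -> str:
    """Same-device link that opens the BankID app for this exact order.

    The token ties the app session to the order the user just started, so the
    person pressing "Start BankID" is the one completing the identification.
    'redirect=null' keeps the user in the app until they return manually.
    """
    return f"bankid:///?autostarttoken={autostart_token}&redirect={redirect}"


def qr_auth_code(qr_start_secret: str, seconds_since_start: int) -> str:
    """HMAC-SHA256 over the elapsed-seconds counter, keyed with qrStartSecret."""
    return hmac.new(
        qr_start_secret.encode("ascii"),
        str(seconds_since_start).encode("ascii"),
        hashlib.sha256,
    ).hexdigest()


def qr_frame(qr_start_token: str, qr_start_secret: str, seconds_since_start: int) -> str:
    """Content of the QR image shown at second N; the site re-renders it every second.

    Because the counter and its HMAC change each second, a screenshot of one
    frame stops being useful once the counter is older than the allowed age.
    """
    code = qr_auth_code(qr_start_secret, seconds_since_start)
    return f"bankid.{qr_start_token}.{seconds_since_start}.{code}"


def check_qr_frame(frame: str, expected_token: str, qr_start_secret: str,
                   now_seconds: int, max_age: int = MAX_QR_AGE_SECONDS) -> tuple:
    """Model of the verifier's view of a scanned frame.

    A frame is accepted only if it is well formed, carries the expected token,
    its counter is recent, and the HMAC matches the secret. Returns
    (accepted, reason) so the rejection cause can be logged.
    """
    parts = frame.split(".")
    if len(parts) != 4 or parts[0] != "bankid":
        return False, "malformed"
    _, token, counter, code = parts
    if not hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8")):
        return False, "wrong token"
    if not counter.isdigit():
        return False, "malformed counter"
    age = now_seconds - int(counter)
    if age < 0 or age > max_age:
        return False, "too old"
    expected_code = qr_auth_code(qr_start_secret, int(counter))
    if not hmac.compare_digest(code.encode("utf-8"), expected_code.encode("utf-8")):
        return False, "bad auth code"
    return True, "ok"


if __name__ == "__main__":
    print(autostart_url(AUTOSTART_TOKEN))
    for second in range(3):  # the first three frames of the animation
        print(qr_frame(QR_START_TOKEN, QR_START_SECRET, second))
    frame = qr_frame(QR_START_TOKEN, QR_START_SECRET, 5)
    print(check_qr_frame(frame, QR_START_TOKEN, QR_START_SECRET, now_seconds=12))
    print(check_qr_frame(frame, QR_START_TOKEN, QR_START_SECRET, now_seconds=90))
```

The relying party only ever renders `qr_frame` output into a QR image; `check_qr_frame` is a model of what BankID checks on its side, included so the age and HMAC rules are visible in one place. The secret never leaves the server, so a copied frame cannot be extended or refreshed by whoever holds the screenshot.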

BankID in telephone calls

BankID in telephone calls facilitates secure identification via a phone call initiated by the customer or the business. It is only relevant for companies that use BankID during telephone calls, and the process looks as follows:

  • The BankID app displays a phone icon and the company’s name
  • A security pop-up appears, asking whether the user called the company. If they did not, the pop-up will warn the user and provide the option to cancel identification.

BankID in telephone calls can be implemented by businesses using BankID with Criipto.

BankID telefoni

You can also read more about Caller authentication with Client Initiated Backchannel Authentication (CIBA) on our add-on page.

What are the benefits of Secure start?

BankID Secure start offers several benefits to both users and the companies relying on BankID for identification purposes. These include:

  • Increased security: The primary objective of Secure start is to make user verification more secure, reducing the risk of fraudulent activities.
  • Streamlined processes: Autostart and QR code simplify the verification process and make it more user-friendly.
  • Safer digital environment: Secure start helps to make our digital society safer and more trustworthy as a whole.

If your BankID is integrated with Criipto, it's extremely easy to migrate to the new API and stay compliant with Secure start.

Preparing for Secure start with Criipto

  1. In your account, navigate to Identity sources > SE BankID.
  2. Toggle Disable SSN input.
  3. Hit “Save.”

This will automatically update you to RP-API version 6, effectively preparing your business for Secure start.

Note: If you don’t take any action, your BankID integration will migrate automatically, which could potentially surprise some users.

Disable SSN input

Summary

BankID Secure start is the next big step in increasing the security of digital identification in Sweden.

To ensure the highest security standards, companies using Swedish BankID must prepare for the mandatory upgrade to RP-API version 6 by May 1, 2024.

This includes Autostart on the same device, QR code on another device, and BankID in telephone calls (for businesses that use this feature).

For more detailed information and implementation guidelines, visit BankID's website or sign up to our monthly newsletter (lower down on this page), where we will share news and updates about BankID.
