Swedish BankID to eliminate phishing

Swedish BankID is the electronic identity (eID) with the broadest adoption globally and is being used everywhere, from government services to online retailers. However, to keep users safe, also in the future, companies accepting BankID logins must implement new security measures.

Specifically, to meet the new security requirements, the so-called Secure Start must be implemented and will be the only option available from May of 2024.

Secure Start, available to Criipto customers for quite a while now, has two components:

  1. The "another device" flow with the login process starting on the computer and completed on the phone will be possible only using the QR code option.

  2. The "same device" flow must use autostart, which automatically launches the BankID app with no option to move to another device.

From a user perspective, this means that all user authentication will happen on the mobile phone only. There will no longer be an option to enter the social security number, SSN, on the computer. And once starting a "same device" flow, there will also be no option to switch to a separate device.

Learn more about Secure start and how to prepare your business >


Security-wise, the move to QR codes and autostart effectively removes an entire class of phishing attacks. After May 2024, scammers will effectively be blocked from using other people's social security numbers to start a login flow while tricking the actual user into approving the login on their phone.

This is, of course, excellent news, although still a few years out before being enforced as the only option. 

The good news is that Criipto customers may - or rather should - switch to using QR codes and autostart as soon as possible:

  • Autostart happens automatically for web apps. For native apps, follow the documentation

To use the QR option, just supply the corresponding acr_value when making the authentication request (urn:grn:authn:se:bankid:another-device:qr).

The announcement from BankID is also available in both Swedish and English.

Our blog

Latest blog posts

The latest industry news, interviews, technologies, and resources.

An Introduction to Client Initiated Backchannel...

Traditional OpenID Connect authentication flows in web and mobile applications rely on browser redirects. Users typically start the authentication...

Passkeys: an Overview

Passkeys are a new kind of login credentials that entirely replace passwords.

Online Alcohol Sales in Finland: How to Ensure Age...

In Finland, there's a proposal to enable consumers to purchase alcohol online.

One crucial requirement for allowing the delivery of alcoholic...

View all posts

Sign up for our blog

Stay up to date on industry news and insights