Swedish BankID to eliminate phishing

Swedish BankID is the e-ID with the broadest adoption globally and is being used everywhere, from government services to online retailers. However, to keep users safe, also in the future, companies accepting BankID login must implement new security measures.

Specifically, to meet the new security requirements, the so-called Secure Start must be implemented and will be the only option available from May of 2024.

Secure Start, available to Criipto customers for quite a while now, has two components:

  1. The "another device" flow with the login process starting on the computer and completed on the phone will be possible only using the QR code option.
  2. The "same device" flow must use autostart, which automatically launches the BankID app with no option to move to another device.

From a user perspective, this means that all user authentication will happen on the mobile phone only. There will no longer be an option to enter the social security number, SSN, on the computer. And once starting a "same device" flow, there will also be no option to switch to a separate device.

seb-qr-en

Security-wise, the move to QR codes and autostart effectively removes an entire class of phishing attacks. After May 2024, scammers will effectively be blocked from using other people's social security numbers to start a login flow while tricking the actual user into approving the login on their phone.

This is, of course, excellent news, although still a few years out before being enforced as the only option. 

The good news is that Criipto customers may - or rather should - switch to using QR codes and autostart as soon as possible:

  • Autostart happens automatically for web apps. For native apps, follow the documentation

To use the QR option, just supply the corresponding acr_value when making the authentication request (urn:grn:authn:se:bankid:another-device:qr).

 

The announcement from BankID is avaialble in both Swedish and English.