Frequently Asked Questions

Last updated 8 months ago

What is an electronic ID (eID)?

In general, an eID (electronic ID) is a mechanism with which users can perform online authentication towards public services, banks and other institutions supporting such mechanisms. An eID is issued by a so-called trust service provider such as public authorities or banks, which give a level of guarantee of the physical identification performed by the user and the security mechanism backing the eID.

An eID is usually created by performing a physical one-time identification of the user at an official office (public institution, post office or bank), where the user is physically identified with a passport, and data from the passport (such as name, date of birth, social security number and potentially biometrics) are stored and made available to users digitally through the eID mechanism, so that they can be presented and proven to other services/service providers in a secure and easy way.

In addition to online authentication, many (but not necessarily all) eIDs also support the possibility to digitally sign documents, texts and other formats (for PKI-based eID mechanisms). BankID in Norway and Sweden, for instance, supports both authentication and signing capabilities.

What is PKI?

Often (but not always) the technology used in an eID is PKI-based (Public Key Infrastructure), meaning that the user is issued a digital certificate, keys and security modules by the trust service provider when the eID instance is created for the user. BankID in Norway is an example of a PKI-based eID mechanism that links the data from the physical passport to the digital identity.

What is BankID?

Norwegian BankID is a centralized electronic identification and signature infrastructure and technology, owned by all Norwegian banks through the Norwegian BankID cooperation entity BankID Norge AS. BankID Norge AS is responsible for developing and operating the central trust infrastructure in BankID.

Swedish BankID is similar to the Norwegian one. Swedish BankID is the leading eID in Sweden, and has been developed by a number of large banks for use by members of the public, authorities and companies. Swedish BankID has 7.5 million active users. Many services are provided where citizens can use their BankID for digital identification as well as signing transactions and documents.

BankID is used by all Swedish and Norwegian banks and is the de-facto standard to log in to Internet banks, mobile apps etc., and to sign documents. BankID is used by the public authorities as a login mechanism for all public services, and BankID is also used as the preferred method for electronic ID and signatures in a wide range of areas in the private sector.

BankID is certified at the highest public authentication and non-repudiation level for electronic IDs in Norway (level 4), and is notified on the Norwegian eIDAS trust list (pending official notification in EU from Norwegian authorities when eIDAS is implemented in Norwegian legislation).

The verified ID data that are included in BankID are: full official name, date of birth, social security number and a unique BankID identifier mapping one-to-one to the social security number (BankID PID).

Glossary

Advanced Electronic Signature: An advanced electronic signature is an electronic signature that has met the requirements set forth under EU Regulation No 910/2014 (eIDAS Regulation) on electronic identification and trust services for electronic transactions in the internal market.

AES: Advanced Encryption Standard - a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001

API: Application Programming Interface – an interface for making programmatic integration between different digital services

App: Application

Auth: Digital authentication. The process of verifying someone's identity digitally.

BankID: A level 4 / qualified electronic ID (eID) issued by banks in Norway, can be used for both identification and signatures

Certificate: an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet

EDI: Electronic Data Interchange – a standard for exchanging business data digitally between systems

eID: Electronic ID to be used for either identifying a person or performing a digital signature

eIDAS: The Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market

ETSI: European Telecommunications Standards Institute

HSM: Hardware Security Module

HTTP: Hypertext Transfer Protocol, an application protocol for distributed, collaborative, and hypermedia information systems.

JSON: JavaScript Object Notation, an open-standard file format that uses human-readable text to transmit data objects consisting of attribute–value pairs and array data types. Often used instead of XML.

OAuth: An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OpenID Connect: OpenID Connect (OIDC) is an authentication layer on top of OAuth 2.0, an industry standard authorization framework. The standard is controlled by the OpenID Foundation, and is widely accepted and used by big players like Google and Facebook.

OTP: One-time password, a password that is valid for only one login session or transaction

PAdES: PDF Advanced Electronic Signature. A set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for Advanced Electronic Signature. This is published by ETSI as TS 102 778.

PDF: Portable Document Format. A file format used to present documents in a manner independent of application software, hardware, and operating systems.

PID: A unique personal identifier used in the BankID framework (not considered as sensitive data)

PKI: Public Key Infrastructure - a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email

Qualified Electronic Signature: A qualified electronic signature is an electronic signature that is compliant to EU Regulation No 910/2014 (eIDAS Regulation) for electronic transactions within the internal European market, and which in practice is performed using a qualified certificate

REST: Representational State Transfer. An architectural style for web services that provides interoperability between computer systems on the Internet

SDO: Signed Data Object. A standard file format for the electronic signatures produced by BankID, designed to act as a self-contained validation of electronic signatures.

Seal: An Electronic Seal is designed to ensure the integrity and authenticity of documents sealed with it. A seal certificate contains information which defines exactly what "the authenticity" of the document implies.

Sign: Digital signature. The process of signing a document digitally.

SDK: Software Development Kit (or devkit). A set of software development tools that allows the creation of applications for a certain software package

SSO: Single-Sign-On – a mechanism to federate access across different websites and services

Token: An object (in software or in hardware) which represents the right to perform some operation (e.g. access token, security token, session token, etc.)

TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network.

TSA: Time Stamp Authority

URL: Uniform Resource Locator. Commonly known as a "link".

XML: Extensible Markup Language. This is a standard machine-readable format used widely within banking and finance