
source: https://8sidor.se/vardags/2022/11/nytt-bank-id-kan-komma/
It is surprising to many people that Sweden does not meet the EU’s highest e-identification requirements. According to SvD, Sweden (together with Greece, Bulgaria, Cyprus and Romania) only has the second highest eIDAS level.
What?! Why?
eIDAS is the EU regulation that deals with e-identification. eIDAS’ problem with Sweden is that the Swedish state is not the guarantor of its citizens’ e-identity. We use BankID or FrejaID for our e-identification – but BankID is owned and controlled by banks, and Freja is listed on the stock market. These are not financially disinterested actors. In addition, if you don’t have a bank account (or if all that clicking and remembering another security code is too much), and so don’t have an e-identity issued by one of these private entities, it’s difficult to obtain even government services.
How does it work, anyway?
Using BankID is about the same whether you are logging in to the Swedish Tax Agency or buying toothpaste online. Here’s a short summary: Say, for example, you want to buy something from Store.com. Likely, you have downloaded the BankID app from your bank (together with 89% of all Swedes in 2019). By doing so, you have chosen your bank as your e-identification issuer. At checkout, you enter your person number to start the identification process. Store.com asks you to choose a method to e-identify yourself, and you choose mobile BankID. Alternatively, Store.com sends a query to BankID’s servers asking whether a bank there has your person number, and then asks you to log in with BankID.
At this point, you grab your mobile, and tap in your security code. By using the right security code, you authenticate your identity to the identification certificate provider (your bank). This provider then runs some checks, for example, that your ID hasn’t been blocked. If it’s happy, the provider (your bank) then sends an ID certificate back to Store.com. Store.com, in turn, runs a quick check that the ID certificate provider is legitimate, and then authorizes your access or payment.
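The three-party flow described above, as an added simulation that is not the article’s or BankID’s own code: the store asks the hub which bank holds the person number, the bank checks the security code and that the ID is not blocked, signs an ID certificate, and the store accepts it only if it comes from an issuer it trusts. Bank names, the person number and the HMAC signature (standing in for the bank’s real certificate signature) are constructed assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed simulation data (hypothetical banks, person number and code; not real BankID data).
BANK = "ExampleBank"
ISSUER_KEYS = {BANK: secrets.token_bytes(32), "OtherBank": secrets.token_bytes(32)}
TRUSTED_ISSUERS = {BANK}          # issuers Store.com has agreed to accept
ENROLLED = {"199001011234": hashlib.sha256(b"1234").hexdigest()}  # person number -> code hash
BLOCKED = set()                   # person numbers whose ID the bank has blocked

def hub_lookup(person_number):
    """BankID hub step: report which issuer holds this person number, if any."""
    return BANK if person_number in ENROLLED else None

def issuer_authenticate(issuer, person_number, security_code):
    """Bank step: verify the security code, refuse blocked IDs, sign an ID certificate.
    HMAC stands in for the bank's signature here (assumption; real BankID uses PKI)."""
    if person_number not in ENROLLED or person_number in BLOCKED:
        return None
    code_hash = hashlib.sha256(security_code.encode()).hexdigest()
    if not hmac.compare_digest(ENROLLED[person_number], code_hash):
        return None
    body = json.dumps({"issuer": issuer, "subject": person_number,
                       "assurance": "substantial"}, sort_keys=True)
    tag = hmac.new(ISSUER_KEYS[issuer], body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}

def store_verify(cert):
    """Store.com step: accept only a certificate from a trusted issuer whose signature checks out."""
    if cert is None:
        return False
    issuer = json.loads(cert["body"])["issuer"]
    if issuer not in TRUSTED_ISSUERS:
        return False
    expected = hmac.new(ISSUER_KEYS[issuer], cert["body"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, cert["tag"])

def checkout(person_number, security_code):
    """The whole flow as the article describes it: store -> hub -> bank -> store. No state involved."""
    issuer = hub_lookup(person_number)
    if issuer is None:
        return False
    return store_verify(issuer_authenticate(issuer, person_number, security_code))
```

Note that the store never sees the security code and the bank never learns what is being bought; each party only checks the one thing it is responsible for.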
What state?
You’ll notice that the state has not been involved in this identity-confirming transaction. BankID was developed in 2002 when the major Swedish banks got together and started a company called Finansiell id-teknik. It has been run independently, successfully and profitably since then. According to its own site, bankid.com, BankID was used 6 billion times in 2021 (almost 200 times a second).
The BankID process described above, however, using your person number and a security code, reaches only a “substantial” level of assurance. (By level of assurance we mean level of online security.) It does not reach eIDAS’ “high” level of assurance. A high level of assurance involves registering in person at an office and thereafter using a smart card, like a state-issued national ID, for ID certification.
Time for an upgrade
You might wonder what we are doing about this slightly embarrassing level of identification security. We’ll soon find out. DIGG, Sweden’s Agency for Digital Government, has been tasked to present its plan for upgrading Sweden’s e-identification status at the end of January. In its current form, at least, we might soon be waving BankID good-bye.