It's coupled to your phone's OS, so as it becomes even more mandatory you're stuck carrying around an iOS or Android device, even if your primary phone is something like a Librem 5.
It also doesn't support anyway to delegate access, either to people ("my partner should have access to this bank account") or computers ("I want to back up my incoming govt. messages automatically").
Not to mention that all providers of Mobile Bank ID (which, as you mentioned, is by far the most widely supported one) are private companies, mostly banks, which have no duty to take you on as a customer.
If you for whatever reason can't or won't get an account with a Swedish bank, you're effectively cut out from large parts of online services.
I really think the government needs to realize they should provide ID issuance digitally to ensure that no one is left out.
The rest of your post does not back up this claim IMO.
> It's coupled to your phone's OS, so as it becomes even more mandatory you're stuck carrying around an iOS or Android device, even if your primary phone is something like a Librem 5.
At least here in Norway you can get a standalone hardware 2-factor key.
> It also doesn't support anyway to delegate access, either to people ("my partner should have access to this bank account") or computers ("I want to back up my incoming govt. messages automatically").
I will happily admit banks aren't too good with this, but it isn't BankIDs fault.
BankID only handles authentication. Once I'm logged in I can easily delegate access to my account using my banks self service feature. If your bank doesn't let you it is their fault.
As for why it cannot be used by a machine I guess the reason is that use of BankID is considered the same as signature. So signing with someone elses BankID is considere forgery.
> You can get the key embedded on a smartcard, but it's still coupled to their proprietary driver (which only works on Windows or macOS, of course).
Maybe it is different where you live but the standalone hardware key I mention is standalone: You open the website, enter your national id, find your token generator, enter pin code for hardware token, read your token, type it into the bank web site, and enter your password ib a different field.
Nothing of this is linked to Windows or Mac, only to a reasonably modern browser.
And the thing you describe seems to be very very different and I'm confident there's only one BankID product in the Nordic countries, so either it is implemented in a very different way with your bank or we aren't talking about the same thing.
> It's also a separate API and not as widely supported as Mobile BankID.
Around here hardware tokens were supported before mobile BankID was even a thing. They are still available everywhere I log in.
---
As for why I care, I find that BankID is a good idea, reasonably implemented, so I don't think it is OK to trash it - unless I'm misunderstanding something, in which case I want to learn.
> Maybe it is different where you live but the standalone hardware key I mention is standalone: You open the website, enter your national id, find your token generator, enter pin code for hardware token, read your token, type it into the bank web site, and enter your password ib a different field.
That sounds completely different. "BankID På Kort" is basically the same experience as using an OpenPGP smartcard: it prompts you to insert the card, enter your PIN, and everything else is handled in the background.
Many banks here (and at least Nordea used the CC for this) also support manual challenge/response auth like you describe, but this is unrelated to BankID and seems to generally be considered deprecated.
> And the thing you describe seems to be very very different and I'm confident there's only one BankID product in the Nordic countries, so either it is implemented in a very different way with your bank or we aren't talking about the same thing.
From what I can tell, Swedish and Norwegian BankID are completely separate. NorBankID seems to be operated by Vipps[0] (a consortium of norwegian banks) and have existed since 2004, while SweBankID is owned by Finansiell ID-Teknik[1] (a consortium of swedish banks) since 2002.
They also don't share the logo, or seem to have any ties between their websites.
> Around here hardware tokens were supported before mobile BankID was even a thing. They are still available everywhere I log in.
Each bank generally had their own hardware tokens since before BankID (and still do).
Government services usually also support Telia's NetID (which is similar to BankID På Kort, but at least seems to provide a Linux driver).
However, BankID is also starting to become popular for services that would otherwise have been fine with plain old username/password authentication, rather than implementing U2F or TOTP. These services usually don't put a lot of thought into their implementation, and don't tend to implement alternative auth methods. Older services will support username/password for existing users, but expect it to be considered deprecated. Examples of this category would be Hallon (mobile network), Hemfrid (home cleaning service), or Kivra (crappy email without the federation).
> As for why I care, I find that BankID is a good idea, reasonably implemented, so I don't think it is OK to trash it
> That sounds completely different. "BankID På Kort" is basically the same experience as using an OpenPGP smartcard: it prompts you to insert the card, enter your PIN, and everything else is handled in the background.
Agreed, sounds completely different. We had some smartcard id system here as well, but last time I saw any of that in practical use for banking was 10 or so years ago, and even then it was standalone (battery driven, small enough to fit in my pocket) and not dependent on a PC with proprietary OS.
> Many banks here (and at least Nordea used the CC for this) also support manual challenge/response auth like you describe, but this is unrelated to BankID and seems to generally be considered deprecated.
I see. Around here this is official from BankID and it seems you need a "proper" physical BankID to even log into hour bank to issue a mobile BankID[0].
> From what I can tell, Swedish and Norwegian BankID are completely separate. NorBankID seems to be operated by Vipps [...] and have existed since 2004, while SweBankID is owned by Finansiell ID-Teknik[...]since 2002.
The Vipps situation might be a bit confusing, Vipps wasnt created until a few years ago but it is more or less universally loved by everyone, so it seems they have used that name to cover everything.
>They also don't share the logo, or seem to have any ties between their websites.
You are right. Good point. I'm not sure anymore that they are related.
> Government services usually also support Telia's NetID (which is similar to BankID På Kort, but at least seems to provide a Linux driver).
Around here the government have their own (MinID), but yu can also use buypass, COMMFIDES, or Norwegian BankID. I never see anyone using anything except MinID or BankID though.
> However, BankID is also starting to become popular for services that would otherwise have been fine with plain old username/password authentication, rather than implementing U2F or TOTP. These services usually don't put a lot of thought into their implementation, and don't tend to implement alternative auth methods. Older services will support username/password for existing users, but expect it to be considered deprecated. Examples of this category would be Hallon (mobile network), Hemfrid (home cleaning service), or Kivra (crappy email without the federation).
With a broken system that by design isn't cross platform like you describe this seems like a bad idea, yes.
>Don't let decent be the enemy of good.
Agree. That said I find the Norwegian implementation is good now after they got rid of the applets a few years ago, and even back then I was able to somehow get it to work - and it was about as broken on Windows as well ;-)
Today it Just Works across alll devices I use for work as well as at home: Linux laptops, Windows laptops, iPad, Android phone and probably whatever else as long as it has a any modern browser (I use FF mostly, but it seems to work in everything from IE and Edge to Opera and Chrome).
Summarized I guess the Norwegian BankID is good, and the Swedish one is bad?
Ugh, my Austrian bank is currently trying to force me into using a system like this. The "standard" way is via an Android or iOS app, the "alternative" is via a smartcard reader thing that seems to work with Windows only.
They claim that this is mandatory due to some EU regulation, but they conveniently forget to say what regulation that is supposed to be.
> It's the Payment Services Directive (PSD2). Username+PW is obsolete and insecure at least 20 years now.
That does not imply that banks must implement 2FA with their proprietary applications.
Banks could just implement TOTP (Time-based One-time Passwords, RFC 6238) or HOTP (HMAC-based One-time Passwords, RFC 4226) and let me choose how I generate my OTP. For example with an hardware OTP generator or an open source application.
Most banks are using PSD2 as a occasion to force their privacy-invading apps on their users.
Absolutely not, I heavily dislike SmartID and similar proprietary spyware as well. A TOTP HW token would be in my opinion more secure. The reason banks use it though is the convenience, having some identity tied to the apps is just a bonus for them.
You can install it on your PC or Mac instead if you want, and it is not the only e-ID in Sweden (alas the others aren't so widely adopted, but that should change if/when the new government ID happens).
Access delegation not being part of BankID itself is a feature not a deficiency, it would undermine the concept of secure digital ID if someone else could digitally impersonate you with it. Instead, services can choose whether they let you allow someone to log in for you.
> You can install it on your PC or Mac if you want.
1. Same problem. There is still no Linux client, for example.
2. It's a different API. Most services specifically require Mobile BankID these days. Desktop (regular) BankID won't work there.
3. Many applications are only useful on the go, such as Swish.
> Access delegation not being part of BankID itself is a feature not a deficiency, it would undermine the concept of secure digital ID if someone else could digitally impersonate you with it.
Different kinds of services have different security requirements. If multiple people live together then it makes sense that any of them should be able to send requests to their cleaning service.
There is also already a clear precedent to allow delegation of access that require strong authentication IRL. For example, PostNord allows you to retrieve someone else's mail as long as you provide ID for both yourself and the recipient. You can issue a Fullmakt which authorizes someone to take legally binding actions on your behalf. Hell, you can even vote by delegate.[0]
Why should those rights not extend into the digital world?
> Instead, services can choose whether they let you allow someone to log in for you.
And they don't, because they are lazy and think BankID has magically solved all of their authentication woes.
> It's a different API. Most services specifically require Mobile BankID these days. Desktop (regular) BankID won't work there.
I'm not sure which point you're referring to with the mention of differing API. Mobile BankID is the same API as regular BankID (but services can choose which they accept); as for other Swedish e-ID services, there are aggregator services.
Re: most, really? There are some that don't accept non-mobile BankID, but it is uncommon in my experience.
> There is also already a clear precedent to allow delegation of access that require strong authentication IRL.
Sure, but what does that have to do with BankID itself? Both in-person and online, it is the service that decides whether someone else can act for you. And various services do offer this: I can let others access my tax records or prescription medicine records online.
I don't think it's unreasonable for services to want to know who they're dealing with. In real life, if someone else shows my ID at postnord, they have to show their own ID too.
> I don't think it's unreasonable for services to want to know who they're dealing with. In real life, if someone else shows my ID at postnord, they have to show their own ID too.
BankID could have designed their API such that "person performing the action" and "subject the action applies to" are different fields.
But even that is unnecesary. Who actually requested the action only concerns the subject, not the third party carrying it out. BankID could simply log "Delegate A requested entity B to perform action C on behalf of subject D" and show it to D, while keeping B completely in the dark.
It would likely be very problematic for the security model as it is crucial that you only sign your own requests that you understand what they do. I guess you can technically sign someone else's request made with your identification number today as most service don't use QR codes for presence verification. In general I am also not sure that further expanding, and blurring the line, of what you can do with BankID is a good idea. If anything I would like more limits.
> There is also already a clear precedent to allow delegation of access that require strong authentication IRL. For example, PostNord allows you to retrieve someone else's mail as long as you provide ID for both yourself and the recipient.
They have the same service in their app with BankID + QR code (at least for packages).
It wouldn't work, because services using BankID want a (presumably contractually-obligated) assurance that only that particular person is using the service. If someone else can be authorised use your ID, it undermines that.
They could still add such a feature of course, but they would need to inform and have the co-operation of services when someone else is using the ID, so it wouldn't be widely supported.
Person A initiates and signs request to delegate for Person B. Person B receives the delegation request and signs it, which produces a positive response. The response (containing Person B's signature= is then 'wrapped' in Person A's request and is only sent on the to destination.
>Same problem. There is still no Linux client, for example.
There was[0]. Maybe you can revive it, since it is a pain-point?
>It's a different API.
Having read the BankId specs, they're "different" APIs in only in how the session is initiated. You're still challenged to enter the PIN for the certificate, which prompts the response to the authentication request. In other words, BankId and Mobile Bank Id are presenting the same exact set of data back to the session initiator.
>Most services specifically require Mobile BankID these days. Desktop (regular) BankID won't work there.
I have, as of yet, to run into anything that would not take BankId or Mobile Bank Id.
> There was[0]. Maybe you can revive it, since it is a pain-point?
No. This is a problem that was intentionally caused by Finansiell ID-teknik, and I'm not going to get into cat-and-mouse game to fix their for-profit product.
> Having read the BankId specs, they're "different" APIs in only in how the session is initiated. You're still challenged to enter the PIN for the certificate, which prompts the response to the authentication request. In other words, BankId and Mobile Bank Id are presenting the same exact set of data back to the session initiator.
They're different in that a service that takes Mobile BankID does not automatically support the desktop version, or vice versa. Whether the API is similar after that doesn't matter.
> I have, as of yet, to run into anything that would not take BankId or Mobile Bank Id.
Off the top of my head, Swish and Hemfrid only accept Mobile BankID, with no alternate authentication options. Swedbank accepts Mobile BankID or their custom OTP hardware token, but not desktop BankID.
>No. This is a problem that was intentionally caused by Finansiell ID-teknik, and I'm not going to get into cat-and-mouse game to fix their for-profit product.
You're - literally - on "Hacker News" complaining about the lack of a product. You were given one that you could easily fix to suit your aforementioned needs/demands and was a principal complaint against BankId but, instead, you want BankId to write the Linux app for you because... ...profits? This makes no sense; especially, when you would already have a hefty baseline of code to work with.
>They're different in that a service that takes Mobile BankID does not automatically support the desktop version, or vice versa.
Does not automatically doesn't - implicitly - mean that it's disallowed. You seem to be confusing the two concepts, here.
>Whether the API is similar after that doesn't matter.
We're - literally - talking about the API being the same because you made it a point that it was different. Either it matters or it doesn't. Pick one.
>Off the top of my head, Swish and Hemfrid only accept Mobile BankID, with no alternate authentication options. Swedbank accepts Mobile BankID or their custom OTP hardware token, but not desktop BankID.
O.k.? We're still in the swamplands of those are problems created by the app developers and not BankId, correct..? I'm not sure I'm following how the app designers' decisions are the fault of BankId...
> You're - literally - on "Hacker News" complaining about the lack of a product. You were given one that you could easily fix to suit your aforementioned needs/demands and was a principal complaint against BankId but, instead, you want BankId to write the Linux app for you because... ...profits? This makes no sense; especially, when you would already have a hefty baseline of code to work with.
That's like saying jailbreaking makes iOS respect the consumer. It's a temporary hack that makes it tolerable to use... for a few days until the next mandatory update comes out and breaks everything again.
You won't get lasting improvement without changing the mindset of the powers that be.
> Does not automatically doesn't - implicitly - mean that it's disallowed. You seem to be confusing the two concepts, here.
You're saying service developers can put in the work to support both desktop and mobile BankID. I'm saying most of them are lazy and don't bother. Those two statements are not incompatible.
> We're - literally - talking about the API being the same because you made it a point that it was different. Either it matters or it doesn't. Pick one.
Similar and compatible are very different things.
Then again, this whole subdiscussion is irrelevant anyway, because desktop BankID is still crap for the same reasons as Mobile BankID.
> O.k.? We're still in the swamplands of those are problems created by the app developers and not BankId, correct..? I'm not sure I'm following how the app designers' decisions are the fault of BankId...
If BankID had spent more than two seconds designing their API boundaries then the app developers wouldn't have had to care about supporting both in the first place.
>You won't get lasting improvement without changing the mindset of the powers that be.
I'm confused: Do you believe that whining about it on HN will accomplish that?
>You're saying service developers can put in the work to support both desktop and mobile BankID. I'm saying most of them are lazy and don't bother. Those two statements are not incompatible.
I am, am I? I thought I was saying that you're being assumptive because that's actually what I was saying: You're equating a potential to an emphatic and it doesn't work that way.
>Similar and compatible are very different things.
Now you're just being obtuse and ignoring the entire premise that they're the same - much less have you decidedly chosen whether it matters or not.
>Then again, this whole subdiscussion is irrelevant anyway...
Then why are you replying to it? I think she doth protest too much!
>If BankID had spent more than two seconds designing their API boundaries then the app developers wouldn't have had to care about supporting both in the first place.
According to you, they did design their API boundaries because they're "different APIs". As a byproduct, they must've spent more than two-second designing it to accomplish that, yeah?
The mental gymnastics you're performing must be tiring. I feel for you, I really do.
I do have to concede that you are correct in one point: The whole sub-discussion is irrelevant, namely because your opinion is obviously in the minority and you can't maintain a static viewpoint on anything so far - except to say "bankid sucks"; which isn't substantive.
If you ever change your mind about fixing your problem, I believe this might help in that endeavour:
Nordea requires Mobile BankID to log into their online banking, but they also let you log in with a card reader and do the challenge/response codes thing. I assume desktops/laptops aren't secure enough for their taste.
Handelsbanken allows both. I think the mobile app is pretty static, however, after you sign in with Mobile Bank Id. I still wouldn't call that a "disallow", more of an intentional UI convenience for users that want #easyMode.
