In June of last year the EU Commission proposed a “trusted and secure Digital Identity for all Europeans” in the form of a digital identity framework, designed to provide universally recognisable identities throughout Europe. 

Here in the Nordics we’ve had eID solutions since the early 2000s. In this post I’ll write about the opportunities that have been enabled through eID and how the lessons we’ve learned here might be applied to the new EU framework.

While the Scandinavian eID solutions have major technical differences, they generally go under the label “BankID”, as the banks have had an important role in the implementation of the services, which makes them particularly interesting from an Open Banking perspective.


BankID in a practical use-case

After a slow start, eID has become incredibly pervasive in the Nordics. An example I like to use is how access to widely adopted eID has enabled streamlining the process of selling used cars. Traditionally, doing a private sale of a car (C2C) was a complicated affair, with contracts, payments, liens and ownership issues, with risks for both seller and buyer.

A few years ago the process was greatly simplified and secured by using free apps, typically offered by the banks:

  • The contract is signed by both parties. As both seller and buyer are required to use BankID they are strongly authenticated.
  • The bank handles the money transfer after the contract is signed. The bank also checks if there are any liens on the car.
  • The app helps you fill out the ownership transfer with the governmental vehicle registry, which also uses BankID.
  • If you have a car toll agreement for the car it is automatically transferred to the new owner of the car.
  • You typically get one-month free car insurance.
  • And, of course, the bank providing the app offers you a pre-approved loan if you need it.

During the process, both the seller and the buyer have to identify themselves using their electronic IDs several times, but the cost of the entire process is minimal, as everything is automated. The benefit to the banks is obvious: They provide a valuable service to their (potentially new) customers, and enabling the sale is a great opportunity to sell loans, insurance and various other services.


A brief history of eID in the Nordics

The history of the various eID solutions in use through the Nordics is a complex topic, but they can all be traced back to roughly the same time and challenges. 

Around the year 2000 there was a general realization that banks needed to secure their own authentication mechanisms and online payments. With most end-users running Windows 98 and banks using text messaging for authentication, the situation was quite dire. In addition, new regulations, such as the EU’s Electronic Signatures Directive (1999/93/EC), put new requirements on the governments on how to identify citizens when interacting with the government. 

Nordic countries took different paths: In Sweden the initial solution was “BankID on file”, which was a computer-based solution. In Norway the solution was initially to use a dongle, then on to a SIM-card-based solution, which can be activated online. While Sweden has mostly moved to a smartphone-based BankID, Norway is still mostly using this SIM-card-based solution, as not all banks support the smartphone app.

A shared similarity between the countries is that the banks in each country joined together to agree on a shared authentication platform, with support from the individual governments saying that they would approve the platform for communication with the government. 

Here in Norway the process started in the year 2000, with the first authentications happening in 2004. Sweden was a bit earlier, with the first authentications happening in 2003. Even with BankID being pushed by all the banks and government authorities, it took quite a while before it got truly pervasive. 

In Norway the first non-government/non-banking authentications happened roughly in 2010, at a time when slightly less than half the population had activated BankID. The reason for the slow start is clearly down to network effects: There is no reason to add new services before a significant percentage of the population has access, and there is no reason for people to activate a new service before there are useful services on it. Still, once it got past that point adoption truly accelerated, with a lot of existing and new services starting to use BankID to automate their services.


The EU Digital Identity Framework (2021)

The 1999 EU directive, which inspired the Nordics, was replaced in 2014 by eIDAS, which mainly dealt with using certificates for identification. The 2021 proposal builds on eIDAS, but is much more ambitious. As defined in Article 1:

(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving and electronic attestation of attributes, the management of remote electronic signature and seal creation devices, and electronic ledgers.

In practice, this extends eIDAS to also cover document management and sharing, attribute sharing (education diplomas, licenses, and personal information), and electronic ledgers where transactions can be registered. The goal is to help a citizen of one country to more easily move to a new country in Europe, whether that’s signing up for (and potentially authenticating) a banking account, having their license electronically recognised, or renting an apartment. All of this is planned to be provided through app-based solutions, which should work both online and offline, and across the EU/EEC member states.

This is much more ambitious than the Norwegian BankID, which in its SIM based solution only supports authenticating your government ID number through knowing your own mobile phone number, date of birth, and a PIN with optional password as the knowledge factor.


Challenges and Benefits

A couple of years after the initial eIDAS regulation came into force, the company I work for, Okay AS, seriously considered implementing support in our own Strong Customer Authentication (SCA) offering. But, because it was clear that eIDAS didn’t have much traction, we soon gave up on the idea. The new regulation is clearly better in the way it extends outside of the public sector, which can help drive adoption. An additional benefit is that it has the potential to help avoid fragmented eID implementations across Europe and stave off the “big tech” competitors in the space such as Facebook.

However, it is important to note that the revised framework is extremely ambitious from a system design point of view. Just being able to transfer and interpret attributes, such as an “education diploma”, is a difficult enough problem within a single country, not to mention across European borders. On the other hand, if done correctly, the benefits can be similarly huge. The extremely simple form of eID that we’ve had in the Nordic countries has had a strong positive impact, both on companies that can launch totally new services, and on its citizens who don’t have to go through cumbersome KYC procedures. Simply put, because the revised eIDAS directive is more ambitious, the impact it can have can be correspondingly larger. 

The main driver for BankID was that all the banks were using it as their preferred authentication method. Of course, having an eID that works with the public sector is also useful, but with tax returns becoming mostly automatic in the early 2000s, easier communication with the government didn’t drive adoption to any high degree. The real benefits for companies to adopt eID appear when eID is available for a large percentage of the population. It is not clear yet what the big driver will be for the revised eIDAS directive, but as it is planned to be launched in 2030, there is still some time to figure it out.


Will the eID Become Required for a Normal Life?

According to the EU commission, the digital identity wallet will always be “at the choice of the user”. But as we’ve seen over the last few years, many companies in the Nordics have made eID a requirement for signing up for their service. There are two reasons for this: first, some services, such as payment and loan services, can have high know-your-customer (KYC) costs. Second, for companies with very low margins, it can be worth it to limit the potential customer group only to those with a valid eID, as that makes it easier to automate the entire process. Another factor is that many startups have built business models that only make sense if identifying the customer is cheap and immediate, such as the car sale example above. 

Some practical consequences of this are that by not having an eID, you limit your access to commercial services, and that losing access to your eID is incredibly inconvenient. It can be very problematic if you’re unable to log into your bank, do your taxes online, or even use an app to park your car. In itself, this doesn’t have to be a big problem for most people, but it raises topics such as the right to be anonymous and the right of non-citizens to access services. In any case: Once a cheap and easily available eID solution becomes pervasive it is optimistic to think that there won’t be new services that limit their user base to the eID solution.

Regardless of the scope and the potential challenges I believe that there is enormous potential in offering eID services across Europe (and the world). But, in order to get the user base to a sufficient level there needs to be someone driving the adoption. Banks and issuers have a real opportunity to provide this service, but this requires cooperation from both banks and governments. I believe the Open Banking community can have an important role to play here.


[The author of this article, Erik Vasaasen, is CTO at Okay]
