BankID & Vipps Research

BankID and Vipps Login Authentication Research

Research Date: 2026-02-15 Project: Drop Fintech App Purpose: Evaluate feasibility of integrating BankID and Vipps as authentication methods

Executive Summary

Both BankID and Vipps Login are viable authentication options for Drop. Both support OIDC/OAuth2 integration with Next.js, have test environments, and can serve dual purposes as both authentication and PSD2 Strong Customer Authentication (SCA).

Critical Timeline Note: BankID is undergoing major changes with an April 1, 2026 deadline for migration to new infrastructure.

Key Considerations:

BankID requires Norwegian bank account and 10 business days for production access
Vipps has lower per-transaction costs (DKK 0.00-0.40 vs DKK 0.65-0.89)
Both services can be accessed via aggregators (Idura/Signicat) which simplify integration
Both meet PSD2 SCA requirements

1. Norwegian BankID

What is it?

BankID is Norway's leading electronic identification system, issued through Norwegian banks. It enables secure authentication and digital signatures. BankID supports both traditional methods and the newer BankID with Biometrics (app-based solution using WebAuthn).

Major Change in 2026: BankID is moving to a single issuer (Stø AS) with critical infrastructure changes taking effect April 1, 2026. All integrations must migrate to the new Digital Trust Platform and OIDC-based approach before this deadline.

Integration Method

Protocol: OpenID Connect (OIDC) / OAuth 2.0
Flow: Authorization Code Flow with PKCE (Proof Key for Code Exchange)
Redirect-based: Yes, user redirected to BankID login
Next.js Compatibility: Yes, Auth.js/NextAuth supports BankID NO provider
Implementation: Use well-known OIDC libraries

Technical Requirements:

Set acr_values to urn:bankid:bis for biometric authentication
Verify ID token's acr claim includes "LOA=3" (Level of Assurance 3)
Scopes: openid, profile, nnin_altsub (for Norwegian national identity number)
Generate nonce and code_verifier for security

Reference Implementation: GitHub - BankID OIDC Integration Examples

Requirements to Get Access

Mandatory Prerequisites:

Company must be a customer of a Norwegian bank (within BankID network)
Person signing the contract must have personal eID (Norwegian BankID, Swedish BankID, or Danish MitID)
Completed "Getting Ready for Production" guide (step 5) to obtain production domain
Register application in BankID Developer Portal (freely available)

Application Information Required:

Company information
General contact person
Person authorized to sign agreement
Norwegian bank details
Technical contacts (credentials delivery, blocking/revoking access)
Display name for login app
Production domain URL

Agreement Process:

Submit application information
Provider sends online agreement for signing
Signed agreement forwarded to your bank for processing
Bank issues client credentials

Cost

Direct from BankID Norge (Reseller Model):

One-time establishment fee: NOK 100,000
Fixed monthly fee: NOK 8,300
Per-transaction costs: Not clearly specified in direct model

Via Idura/Criipto Aggregator:

Monthly platform fee: €65–€390 (tier-dependent: Small/Medium/Large)
Biometric BankID (app): DKK 0.65 per login
Traditional BankID: DKK 0.89 per login
Billing: Monthly consumption + subscription

NEEDS VERIFICATION: Direct BankID pricing may have changed. Contact BankID Norge for current 2026 pricing.

Technical Complexity

Difficulty Level: Medium

Pros:

Standard OIDC implementation
Extensive documentation available
Auth.js/NextAuth built-in support
Code examples available on GitHub

Cons:

April 1, 2026 migration deadline adds urgency
Must handle migration to new Digital Trust Platform
PAdES transition required for document signing (Jan-Mar 2026)
More complex setup vs simpler OAuth providers

Estimated Integration Time: 2-4 weeks (including testing and certification)

Timeline

Application to Production:

Bank processing time: Up to 10 business days after signed agreement
Total estimated timeline: 2-4 weeks (including application, bank processing, credential issuance)

Critical Dates:

January 1, 2026: PAdES transition begins for Enterprise/Express API
March 31, 2026: Final deadline for PAdES migration
April 1, 2026: Old BankID Server and OIDC signing from Stø discontinued

Action Required: Complete migration to Digital Trust Platform before April 1, 2026.

Sandbox/Test Environment

Test Access: Freely available

Test Environment Details:

Register application in BankID Developer Portal (free)
Preprod app access: Request via support portal or through BankID partner
Self-service test user portal: ra-preprod.bankidnorge.no
Default test credentials: OTP password and qwer1234
Test users: Generate Norwegian national identity numbers (NNIN) for testing

Testing Tools:

Available at tools.bankid.no
Supports authentication, signing, password change
Document types: plain text, PDF, XML
Can be embedded via iframe or direct link

Support: developer@bankidnorge.no

PSD2 Relevance

SCA Compliance: YES - Fully compliant

BankID with biometrics is approved for payments and meets Strong Customer Authentication (SCA) requirements according to PSD2 and 3D Secure standards.

Technical Details:

Level of Assurance: "Substantial" (eIDAS standard)
Authentication: WebAuthn-based biometrics (built-in phone/computer biometrics)
Security: BankID never accesses biometric data; receives signed confirmation from Apple/Google
PSD2 Integration: Netcompany Banking Services supports 1-SCA (single strong customer authentication) using BankID for Norway

Use Cases for Drop:

User authentication/login
PSD2 payment authorization (SCA)
Combined auth + payment flow

Alternative Providers

Aggregator Services (Recommended):

Idura (formerly Criipto)
- Bundles BankID + Vipps + other Nordic eIDs
- Single integration point for multiple providers
- Pricing: €65-€390/month + per-transaction fees
- Website: idura.eu
Signicat
- Largest BankID provider in Norway (established 2007)
- Enterprise-focused solution
- Offers authentication + digital signatures
- Pricing: Contact for quote
- Website: signicat.com
Curity
- Identity platform with Norwegian BankID support
- OIDC authenticator approach
- Enterprise-grade solution
- Website: curity.io

Recommendation: For Drop's use case (fintech startup), Idura offers the best balance of simplicity, cost-effectiveness, and multi-provider support.

What is it?

Vipps is Norway's #1 mobile payment provider with near-ubiquitous adoption. Vipps Login is an authentication service that allows users to log in using their mobile number. The brand split: Vipps (Norway/Sweden) and MobilePay (Denmark/Finland) use the same API under Vipps MobilePay.

Integration Method

Protocol: OpenID Connect (OIDC) / OAuth 2.0
Flow: Browser-based redirect flow (user-initiated or merchant-initiated)
Authentication: API keys (obtained via Vipps MobilePay business portal)
Next.js Compatibility: Yes, Auth.js/NextAuth supports Vipps MobilePay provider
Age Requirement: Users must be 15+ years old

Implementation Example:

import NextAuth from "next-auth"
import Vipps from "next-auth/providers/vipps"

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Vipps],
})

Test Mode Override:

Vipps({ issuer: "https://apitest.vipps.no/access-management-1.0/access/" })

Key Endpoint:

User info: GET:/vipps-userinfo-api/userinfo (returns consented user data)
Token endpoint: Standard OIDC token exchange

Requirements to Get Access

Application Process:

Order product at vippsmobilepay.com
Complete "Login checklist" for direct integration
Partner application review
Receive test credentials via email (test phone number + national identity number)

Company Requirements:

NEEDS VERIFICATION: Minimum company requirements not specified in documentation
Likely requires Norwegian business registration

Technical Setup:

Access business portal: portal.vippsmobilepay.com
Obtain API keys for authentication
Configure redirect URIs

Cost

Per-Transaction Pricing:

Via Idura Aggregator:

Monthly platform fee: €65–€390 (tier-dependent)
Per-transaction: Vipps MobilePay invoices directly based on "active users" pricing model
NEEDS VERIFICATION: Current 2026 active users pricing structure

Notes:

Most cost-effective authentication option
Free basic login is suitable for initial authentication
SSN access (DKK 0.40) needed for age/identity verification

Technical Complexity

Difficulty Level: Low-Medium

Pros:

Standard OIDC/OAuth2 implementation
Excellent documentation
Auth.js built-in support
Well-known integration libraries recommended
Active GitHub repositories with examples
Widespread usage in Norway (proven reliability)

Cons:

Test environment has no SLA/uptime guarantee
Support limited to Norwegian office hours for test environment
Separate test and production API keys required

Estimated Integration Time: 1-2 weeks

Timeline

Application to Production:

NEEDS VERIFICATION: Specific timeline not documented
Process: Order product → Partner review → Credentials issued
Estimated: Likely 1-2 weeks based on industry standards

Recommendation: Contact Vipps developer support for exact onboarding timeline.

Sandbox/Test Environment

Test Environment: Merchant Test (MT) - Available to all API merchants

Access Details:

All partners/merchants with API access have test environment access
Test server: https://apitest.vipps.no
Portal access: portal.vippsmobilepay.com → "For developers" → "Test users"
Test app: iOS and Android apps that mirror production (connect to MT environment)

Test User Credentials:

Provided via email after partner review
Includes test phone number and national identity number
PIN for "Verify your number": 1236
PIN for "Enter your code": 1236

Limitations:

No SLA or uptime guarantee
No fixes outside Norwegian office hours
Completely separate from production (different API keys)

Suitable For: Websites, e-commerce, apps, loyalty programs

PSD2 Relevance

SCA Compliance: YES - Fully compliant

Vipps has implemented PSD2-compliant Strong Customer Authentication with regulatory-approved delegated SCA from card issuers.

Technical Details:

Two-factor authentication: PIN or biometrics + device possession
No additional 3D Secure required (Verified by Visa, Mastercard ID Check)
Security handled when user logs into Vipps/MobilePay app
Wallet-based payment method with built-in SCA layer

Use Cases for Drop:

User authentication/login
PSD2 payment authorization
Simplified payment flow (no separate 3DS step needed)

Advantage: Vipps SCA is transparent to users (already authenticated in app), creating smoother UX than traditional 3DS flows.

Alternative Providers

Same aggregators as BankID:

Idura (formerly Criipto)
- Bundles Vipps with BankID and other eIDs
- Single integration, multiple auth methods
- Transparent pricing model
Signicat
- Enterprise solution
- Combined authentication suite
- Contact for pricing

Recommendation: If implementing both BankID AND Vipps, use Idura aggregator to manage both via single integration point.

3. Aggregator Comparison

Why Use an Aggregator?

Benefits:

Single integration point for multiple eID providers
Simplified SDK/API (abstraction layer)
Unified billing and reporting
Faster time-to-market
Reduced maintenance burden
Future-proof (easy to add more eID methods)

Trade-offs:

Additional monthly platform fee (€65-€390)
Dependency on third-party service
Potential slight latency increase

Idura (Criipto) - Recommended

What is it: European eID verification platform (formerly Criipto, rebranded to Idura)

Supported eIDs:

Norwegian BankID (Traditional + Biometric)
Vipps Login
Swedish BankID
Danish MitID
Finnish eID
30+ other European eIDs

Pricing Structure:

Platform fee: €65/month (Small), €140/month (Medium), €390/month (Large)
Norwegian BankID: DKK 0.65 (biometric) or DKK 0.89 (traditional) per login
Vipps: DKK 0.00 (no SSN) or DKK 0.40 (with SSN) per login
Swedish BankID: DKK 0.10 per login

Technical:

OIDC/OAuth2 standard
SDKs available
Good documentation
Test environment included

Best For: Drop's use case - need both BankID + Vipps with potential Nordic expansion

Signicat - Enterprise Alternative

What is it: Europe's largest eID and signature provider (established 2007)

Position: Largest BankID provider in Norway

Pricing: Contact for quote (not publicly listed)

Best For: Large enterprises, complex compliance needs, high-volume applications

Direct Integration vs Aggregator

Reasoning:

Supports both BankID and Vipps through one integration
Transparent pricing (€140/month Medium tier likely sufficient)
Future-proof for Nordic expansion
Faster development (proven SDK)
Lower maintenance burden
Cost-effective at expected volume (<10,000 logins/month)

Break-even Analysis:

Idura Medium: €140/month + per-transaction fees
Direct BankID: NOK 8,300/month (€750) + NOK 100,000 setup (€9,000)
Conclusion: Idura cheaper until very high volumes (50,000+ logins/month)

4. Implementation Recommendations

Recommended Approach

Phase 1: Email + Password (MVP)

Implement JWT-based auth with jose (already planned)
Collect email, validate age/residency through form
Manual verification initially

Phase 2: Add BankID (Primary eID)

Integrate via Idura
Use BankID for identity verification (name, SSN, address)
Automatic age verification (18+)
Satisfies regulatory requirements
Serves as SCA for PSD2 payments

Phase 3: Add Vipps Login (Alternative)

Same Idura integration (minimal additional work)
Offer choice: BankID or Vipps
Vipps likely preferred by users (more familiar, used daily)
Free basic login reduces costs

Phase 4: Optimize Flow

Optional: Allow email/password for returning users
Require BankID/Vipps for first-time verification
Re-verify periodically (e.g., annually) via eID

Technical Architecture

Recommended Stack:

Next.js 16 App Router
├─ Auth.js (NextAuth v5) - OIDC client
├─ Idura Verify - eID aggregator
│  ├─ Norwegian BankID
│  └─ Vipps Login
├─ jose - JWT signing/verification
└─ PostgreSQL - user sessions

Flow:

User clicks "Log in with BankID" or "Log in with Vipps"
Next.js redirects to Idura OIDC endpoint
Idura redirects to BankID/Vipps
User authenticates
Idura returns to callback with ID token
Next.js validates token, extracts claims (name, SSN, email)
Create/update user in database
Issue JWT session token (jose)
User authenticated

Security Considerations:

Store Idura client credentials in environment variables
Validate ID token signature
Check acr claim for LOA=3
Verify age from birthdate/SSN
Log all authentication events
Implement rate limiting

Timeline Estimate

Development Timeline:

Week 1-2: Idura account setup, test environment configuration
Week 3-4: Next.js Auth.js integration, BankID flow
Week 5: Vipps Login integration
Week 6-7: Testing, edge cases, error handling
Week 8: Production deployment, monitoring

Total: 8 weeks to production-ready dual eID authentication

Cost Projection (First Year)

Assumptions:

1,000 users in year 1
50% use BankID, 50% use Vipps
Average 12 logins/user/year
Idura Medium tier: €140/month

Calculation:

Platform fee: €140 × 12 = €1,680
BankID logins: 500 users × 12 logins × DKK 0.65 = DKK 3,900 (€470)
Vipps logins: 500 users × 12 logins × DKK 0.40 = DKK 2,400 (€290)
Total Year 1: €2,440

At Scale (10,000 users):

Platform fee: €1,680
BankID: €4,700
Vipps: €2,900
Total: €9,280/year

Conclusion: Cost scales linearly with users, remains affordable for fintech startup.

5. Risks and Mitigations

BankID Migration Risk (Critical)

Risk: April 1, 2026 deadline for Digital Trust Platform migration

Impact: Service disruption if not migrated in time

Mitigation:

If integrating via Idura: Migration handled by aggregator
If direct integration: Prioritize migration work immediately
Test new platform in preprod before March 31
Recommendation: Use Idura to offload migration risk

Age Verification Accuracy

Risk: Users might bypass age check with email/password

Mitigation:

Require BankID/Vipps for account activation
Email/password only for returning users
Periodic re-verification (annual)
Flag accounts without eID verification

User Adoption

Risk: Users unfamiliar with eID login may abandon signup

Mitigation:

Clear onboarding instructions
Video tutorial for first-time users
Support contact readily available
Fallback to manual verification if needed

Service Availability

Risk: BankID/Vipps downtime prevents login

Mitigation:

Multiple authentication options (BankID + Vipps)
Cache authentication status (JWT sessions)
Monitor provider status pages
Implement graceful degradation

Regulatory Changes

Risk: PSD2/eIDAS requirements may change

Mitigation:

Use compliant providers (BankID/Vipps are regulated)
Stay informed via provider newsletters
Idura handles compliance updates
Legal review of authentication flow

6. Questions Needing Verification

The following points require direct contact with providers for confirmation:

BankID Direct Pricing: Current 2026 per-transaction costs (NOK 8,300/month model unclear on variable costs)
Vipps Timeline: Exact onboarding timeline from application to production
Vipps Active Users Model: Current 2026 pricing structure for active users billing
Idura Large Tier: Volume thresholds for Small/Medium/Large tiers
Minimum Requirements: Specific business registration requirements for Vipps merchant account
SCA Dual-Use: Confirm BankID/Vipps can be used for BOTH login and payment authorization in same session
April 2026 Migration: Detailed requirements if integrating direct BankID (not via aggregator)

7. Final Recommendation

Recommendation: Implement BOTH BankID and Vipps via Idura aggregator

Justification:

Regulatory Compliance: BankID satisfies identity verification (18+, Norwegian resident)
User Preference: Vipps more familiar, offers free login option
PSD2 Dual-Use: Both serve as authentication AND SCA for payments
Cost-Effective: Idura cheaper than direct integration until high volume
Risk Mitigation: Idura handles April 2026 BankID migration
Future-Proof: Easy to add Swedish/Danish eIDs for Nordic expansion
Development Speed: Faster implementation with proven SDK

Implementation Priority:

Phase 1: Email/Password (MVP launch)
Phase 2: BankID via Idura (compliance requirement)
Phase 3: Vipps via Idura (user convenience)

Next Steps:

Contact Idura sales for Medium tier quote and setup
Register test account and explore SDK documentation
Validate integration with Next.js 16 App Router
Architect user database schema (with eID verification fields)
Implement BankID flow first (higher priority for compliance)
Add Vipps as alternative option
Load test authentication flow
Production deployment with monitoring

Sources

BankID Sources

Vipps Sources

PSD2/SCA Sources

Aggregator Sources

Report Prepared By: John (AI Director) Last Updated: 2026-02-15 Status: Research complete, awaiting approval for implementation

Revision #5
Created 2026-02-18 08:44:55 UTC by John
Updated 2026-05-25 07:26:18 UTC by John

BankID & Vipps Research

BankID and Vipps Login Authentication Research

Executive Summary

1. Norwegian BankID

What is it?

Integration Method

Requirements to Get Access

Cost

Technical Complexity

Timeline

Sandbox/Test Environment

PSD2 Relevance

Alternative Providers

2. Vipps Login

What is it?

Integration Method

Requirements to Get Access

Cost

Technical Complexity

Timeline

Sandbox/Test Environment

PSD2 Relevance

Alternative Providers

3. Aggregator Comparison

Why Use an Aggregator?

Idura (Criipto) - Recommended

Signicat - Enterprise Alternative

Direct Integration vs Aggregator

4. Implementation Recommendations

Recommended Approach

Technical Architecture

Timeline Estimate

Cost Projection (First Year)

5. Risks and Mitigations

BankID Migration Risk (Critical)

Age Verification Accuracy

User Adoption

Service Availability

Regulatory Changes

6. Questions Needing Verification

7. Final Recommendation

Sources

BankID Sources

Vipps Sources

PSD2/SCA Sources

Aggregator Sources