# BankID & Vipps Research

# BankID and Vipps Login Authentication Research

**Research Date:** 2026-02-15
**Project:** Drop Fintech App
**Purpose:** Evaluate feasibility of integrating BankID and Vipps as authentication methods

---

## Executive Summary

Both BankID and Vipps Login are viable authentication options for Drop. Both expose standard OIDC/OAuth 2.0 interfaces that work with Next.js, both have test environments, and both are presented by their providers as meeting PSD2 Strong Customer Authentication (SCA) requirements. Whether one eID session can serve for both login and payment authorization is still an open question (see Section 6, item 6).

**Critical Timeline Note:** BankID is undergoing major changes with an April 1, 2026 deadline for migration to new infrastructure.

**Key Considerations:**
- BankID requires that the company is a customer of a Norwegian bank, and bank processing takes up to 10 business days after the agreement is signed
- Vipps has lower per-transaction costs (DKK 0.00-0.40 vs DKK 0.65-0.89)
- Both services can be accessed via aggregators (Idura/Signicat) which simplify integration
- Both meet PSD2 SCA requirements

---

## 1. Norwegian BankID

### What is it?

BankID is Norway's leading electronic identification system, issued through Norwegian banks. It enables secure authentication and digital signatures. BankID supports both traditional methods and the newer BankID with Biometrics (app-based solution using WebAuthn).

**Major Change in 2026:** BankID is moving to a single issuer (Stø AS) with critical infrastructure changes taking effect April 1, 2026. All integrations must migrate to the new Digital Trust Platform and OIDC-based approach before this deadline.

### Integration Method

- **Protocol:** OpenID Connect (OIDC) / OAuth 2.0
- **Flow:** Authorization Code Flow with PKCE (Proof Key for Code Exchange)
- **Redirect-based:** Yes, user redirected to BankID login
- **Next.js Compatibility:** Yes, Auth.js/NextAuth supports BankID NO provider
- **Implementation:** Use well-known OIDC libraries

**Technical Requirements:**
- Set `acr_values` to `urn:bankid:bis` to request BankID with biometrics
- Verify that the ID token's `acr` claim includes `LOA=3` (Level of Assurance 3) and reject tokens that carry a lower level
- Scopes: `openid`, `profile`, `nnin_altsub` (the last returns the Norwegian national identity number)
- Generate a fresh `state`, `nonce` and PKCE `code_verifier` for every login attempt, keep them server-side, and check them on the callback

**Reference Implementation:** [GitHub - BankID OIDC Integration Examples](https://github.com/BankIDNorge/oidc-integration-examples)

### Requirements to Get Access

**Mandatory Prerequisites:**
1. Company must be a customer of a Norwegian bank (within BankID network)
2. Person signing the contract must have personal eID (Norwegian BankID, Swedish BankID, or Danish MitID)
3. Completed "Getting Ready for Production" guide (step 5) to obtain production domain
4. Register application in BankID Developer Portal (freely available)

**Application Information Required:**
- Company information
- General contact person
- Person authorized to sign agreement
- Norwegian bank details
- Technical contacts (credentials delivery, blocking/revoking access)
- Display name for login app
- Production domain URL

**Agreement Process:**
1. Submit application information
2. Provider sends online agreement for signing
3. Signed agreement forwarded to your bank for processing
4. Bank issues client credentials

### Cost

**Direct from BankID Norge (Reseller Model):**
- One-time establishment fee: NOK 100,000
- Fixed monthly fee: NOK 8,300
- Per-transaction costs: Not clearly specified in direct model

**Via Idura/Criipto Aggregator:**
- Monthly platform fee: €65–€390 (tier-dependent: Small/Medium/Large)
- Biometric BankID (app): DKK 0.65 per login
- Traditional BankID: DKK 0.89 per login
- Billing: Monthly consumption + subscription

**NEEDS VERIFICATION:** Direct BankID pricing may have changed. Contact BankID Norge for current 2026 pricing.

### Technical Complexity

**Difficulty Level:** Medium

**Pros:**
- Standard OIDC implementation
- Extensive documentation available
- Auth.js/NextAuth built-in support
- Code examples available on GitHub

**Cons:**
- April 1, 2026 migration deadline adds urgency
- Must handle migration to new Digital Trust Platform
- PAdES transition required for document signing (Jan-Mar 2026)
- More complex setup vs simpler OAuth providers

**Estimated Integration Time:** 2-4 weeks (including testing and certification)

### Timeline

**Application to Production:**
- Bank processing time: Up to 10 business days after signed agreement
- Total estimated timeline: 2-4 weeks (including application, bank processing, credential issuance)

**Critical Dates:**
- **January 1, 2026:** PAdES transition begins for Enterprise/Express API
- **March 31, 2026:** Final deadline for PAdES migration
- **April 1, 2026:** Old BankID Server and OIDC signing from Stø discontinued

**Action Required:** Complete migration to Digital Trust Platform before April 1, 2026.

### Sandbox/Test Environment

**Test Access:** Freely available

**Test Environment Details:**
- Register application in BankID Developer Portal (free)
- Preprod app access: Request via support portal or through BankID partner
- Self-service test user portal: ra-preprod.bankidnorge.no
- Default test credentials: one-time code `otp` and password `qwer1234`
- Test users: Generate Norwegian national identity numbers (NNIN) for testing

**Testing Tools:**
- Available at tools.bankid.no
- Supports authentication, signing, password change
- Document types: plain text, PDF, XML
- Can be embedded via iframe or direct link

**Support:** developer@bankidnorge.no

### PSD2 Relevance

**SCA Compliance:** YES - Fully compliant

BankID with biometrics is approved for payments and meets the Strong Customer Authentication (SCA) requirements of PSD2; it can serve as the authentication step inside 3-D Secure flows.

**Technical Details:**
- Level of Assurance: "Substantial" (eIDAS standard)
- Authentication: WebAuthn-based biometrics (built-in phone/computer biometrics)
- Security: BankID never accesses biometric data; receives signed confirmation from Apple/Google
- PSD2 Integration: Netcompany Banking Services supports 1-SCA (single strong customer authentication) using BankID for Norway

**Use Cases for Drop:**
1. User authentication/login
2. PSD2 payment authorization (SCA)
3. Combined auth + payment flow

### Alternative Providers

**Aggregator Services (Recommended):**

1. **Idura (formerly Criipto)**
   - Bundles BankID + Vipps + other Nordic eIDs
   - Single integration point for multiple providers
   - Pricing: €65-€390/month + per-transaction fees
   - Website: [idura.eu](https://idura.eu/)

2. **Signicat**
   - Largest BankID provider in Norway (established 2007)
   - Enterprise-focused solution
   - Offers authentication + digital signatures
   - Pricing: Contact for quote
   - Website: [signicat.com](https://www.signicat.com/)

3. **Curity**
   - Identity platform with Norwegian BankID support
   - OIDC authenticator approach
   - Enterprise-grade solution
   - Website: [curity.io](https://curity.io/)

**Recommendation:** For Drop's use case (fintech startup), Idura offers the best balance of simplicity, cost-effectiveness, and multi-provider support.

---

## 2. Vipps Login

### What is it?

Vipps is Norway's #1 mobile payment provider with near-ubiquitous adoption. Vipps Login is an authentication service that allows users to log in using their mobile number. The brand split: Vipps (Norway/Sweden) and MobilePay (Denmark/Finland) use the same API under Vipps MobilePay.

**Scope:** The Login API confirms the customer's identity and, subject to the scopes the user consents to, provides verified data: name, birthdate, national identity number (SSN), address, email, phone number.

### Integration Method

- **Protocol:** OpenID Connect (OIDC) / OAuth 2.0
- **Flow:** Browser-based redirect flow (user-initiated or merchant-initiated)
- **Authentication:** Client credentials and API keys obtained via the Vipps MobilePay business portal (test and production keys are separate)
- **Next.js Compatibility:** Yes, Auth.js/NextAuth supports Vipps MobilePay provider
- **Age Requirement:** Users must be 15+ years old

**Implementation Example:**
```javascript
// auth.js (Auth.js v5). The Vipps provider reads the client ID and secret
// from AUTH_VIPPS_ID and AUTH_VIPPS_SECRET in the environment by convention.
import NextAuth from "next-auth"
import Vipps from "next-auth/providers/vipps"

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Vipps],
})
```

**Test Mode Override:**
```javascript
// Point the provider at the Merchant Test (MT) environment instead of
// production; use the separate test API keys with it.
providers: [Vipps({ issuer: "https://apitest.vipps.no/access-management-1.0/access/" })],
```

**Key Endpoint:**
- User info: GET:/vipps-userinfo-api/userinfo (returns consented user data)
- Token endpoint: Standard OIDC token exchange

### Requirements to Get Access

**Application Process:**
1. Order product at vippsmobilepay.com
2. Complete "Login checklist" for direct integration
3. Partner application review
4. Receive test credentials via email (test phone number + national identity number)

**Company Requirements:**
- NEEDS VERIFICATION: Minimum company requirements not specified in documentation
- Likely requires Norwegian business registration

**Technical Setup:**
- Access business portal: portal.vippsmobilepay.com
- Obtain API keys for authentication
- Configure redirect URIs

### Cost

**Per-Transaction Pricing:**
- Login without SSN: DKK 0.00 (FREE)
- Login with SSN: DKK 0.40

**Via Idura Aggregator:**
- Monthly platform fee: €65–€390 (tier-dependent)
- Per-transaction: Vipps MobilePay invoices directly based on "active users" pricing model
- NEEDS VERIFICATION: Current 2026 active users pricing structure

**Notes:**
- Most cost-effective authentication option
- Free basic login is suitable for initial authentication
- SSN access (DKK 0.40) needed for age/identity verification

### Technical Complexity

**Difficulty Level:** Low-Medium

**Pros:**
- Standard OIDC/OAuth2 implementation
- Excellent documentation
- Auth.js built-in support
- Well-known integration libraries recommended
- Active GitHub repositories with examples
- Widespread usage in Norway (proven reliability)

**Cons:**
- Test environment has no SLA/uptime guarantee
- Support limited to Norwegian office hours for test environment
- Separate test and production API keys required

**Estimated Integration Time:** 1-2 weeks

### Timeline

**Application to Production:**
- NEEDS VERIFICATION: Specific timeline not documented
- Process: Order product → Partner review → Credentials issued
- Estimated: Likely 1-2 weeks based on industry standards

**Recommendation:** Contact Vipps developer support for exact onboarding timeline.

### Sandbox/Test Environment

**Test Environment:** Merchant Test (MT) - Available to all API merchants

**Access Details:**
- All partners/merchants with API access have test environment access
- Test server: https://apitest.vipps.no
- Portal access: portal.vippsmobilepay.com → "For developers" → "Test users"
- Test app: iOS and Android apps that mirror production (connect to MT environment)

**Test User Credentials:**
- Provided via email after partner review
- Includes test phone number and national identity number
- PIN for "Verify your number": 1236
- PIN for "Enter your code": 1236

**Limitations:**
- No SLA or uptime guarantee
- No fixes outside Norwegian office hours
- Completely separate from production (different API keys)

**Suitable For:** Websites, e-commerce, apps, loyalty programs

### PSD2 Relevance

**SCA Compliance:** YES - Fully compliant

Vipps has implemented PSD2-compliant Strong Customer Authentication with regulatory-approved delegated SCA from card issuers.

**Technical Details:**
- Two-factor authentication: PIN or biometrics + device possession
- No separate 3-D Secure step (Verified by Visa, Mastercard ID Check) is required for card payments made through Vipps
- Security handled when user logs into Vipps/MobilePay app
- Wallet-based payment method with built-in SCA layer

**Use Cases for Drop:**
1. User authentication/login
2. PSD2 payment authorization
3. Simplified payment flow (no separate 3DS step needed)

**Advantage:** Vipps SCA is transparent to users (already authenticated in app), creating smoother UX than traditional 3DS flows.

### Alternative Providers

**Same aggregators as BankID:**

1. **Idura (formerly Criipto)**
   - Bundles Vipps with BankID and other eIDs
   - Single integration, multiple auth methods
   - Transparent pricing model

2. **Signicat**
   - Enterprise solution
   - Combined authentication suite
   - Contact for pricing

**Recommendation:** If implementing both BankID AND Vipps, use Idura aggregator to manage both via single integration point.

---

## 3. Aggregator Comparison

### Why Use an Aggregator?

**Benefits:**
1. Single integration point for multiple eID providers
2. Simplified SDK/API (abstraction layer)
3. Unified billing and reporting
4. Faster time-to-market
5. Reduced maintenance burden
6. Future-proof (easy to add more eID methods)

**Trade-offs:**
1. Additional monthly platform fee (€65-€390)
2. Dependency on third-party service
3. Potential slight latency increase

### Idura (Criipto) - Recommended

**What is it:** European eID verification platform (formerly Criipto, rebranded to Idura)

**Supported eIDs:**
- Norwegian BankID (Traditional + Biometric)
- Vipps Login
- Swedish BankID
- Danish MitID
- Finnish eID
- 30+ other European eIDs

**Pricing Structure:**
- Platform fee: €65/month (Small), €140/month (Medium), €390/month (Large)
- Norwegian BankID: DKK 0.65 (biometric) or DKK 0.89 (traditional) per login
- Vipps: DKK 0.00 (no SSN) or DKK 0.40 (with SSN) per login
- Swedish BankID: DKK 0.10 per login

**Technical:**
- OIDC/OAuth2 standard
- SDKs available
- Good documentation
- Test environment included

**Best For:** Drop's use case - need both BankID + Vipps with potential Nordic expansion

### Signicat - Enterprise Alternative

**What is it:** Europe's largest eID and signature provider (established 2007)

**Position:** Largest BankID provider in Norway

**Pricing:** Contact for quote (not publicly listed)

**Best For:** Large enterprises, complex compliance needs, high-volume applications

### Direct Integration vs Aggregator

**For Drop, Recommend:** Idura Aggregator

**Reasoning:**
1. Supports both BankID and Vipps through one integration
2. Transparent pricing (€140/month Medium tier likely sufficient)
3. Future-proof for Nordic expansion
4. Faster development (proven SDK)
5. Lower maintenance burden
6. Cost-effective at expected volume (<10,000 logins/month)

**Break-even Analysis:**
- Idura Medium: €140/month + per-transaction fees (DKK 0.65–0.89 per BankID login)
- Direct BankID: NOK 8,300/month (€750) + NOK 100,000 setup (€9,000) + per-transaction costs that are not published
- Conclusion: Idura is clearly cheaper at Drop's expected volume (under 10,000 logins/month). A precise crossover cannot be calculated until the direct per-transaction price is known (Section 6, item 1); for reference, 50,000 BankID logins/month cost roughly €4,350 in per-login fees via Idura, so the direct model only wins at that volume if its per-transaction price is below Idura's DKK 0.65

---

## 4. Implementation Recommendations

### Recommended Approach

**Phase 1: Email + Password (MVP)**
- Implement JWT-based auth with jose (already planned)
- Collect email, validate age/residency through form
- Manual verification initially

**Phase 2: Add BankID (Primary eID)**
- Integrate via Idura
- Use BankID for identity verification (name, SSN, address)
- Automatic age verification (18+)
- Satisfies regulatory requirements
- Serves as SCA for PSD2 payments

**Phase 3: Add Vipps Login (Alternative)**
- Same Idura integration (minimal additional work)
- Offer choice: BankID or Vipps
- Vipps likely preferred by users (more familiar, used daily)
- Free basic login reduces costs

**Phase 4: Optimize Flow**
- Optional: Allow email/password for returning users
- Require BankID/Vipps for first-time verification
- Re-verify periodically (e.g., annually) via eID

### Technical Architecture

**Recommended Stack:**
```
Next.js 16 App Router
├─ Auth.js (NextAuth v5) - OIDC client
├─ Idura Verify - eID aggregator
│  ├─ Norwegian BankID
│  └─ Vipps Login
├─ jose - JWT signing/verification
└─ PostgreSQL - user sessions
```

**Flow:**
1. User clicks "Log in with BankID" or "Log in with Vipps"
2. Next.js redirects to Idura OIDC endpoint
3. Idura redirects to BankID/Vipps
4. User authenticates
5. Idura returns to callback with ID token
6. Next.js validates token, extracts claims (name, SSN, email)
7. Create/update user in database
8. Issue JWT session token (jose)
9. User authenticated

**Security Considerations:**
- Keep Idura client credentials out of the repository (environment variables or a secrets manager)
- Validate the ID token signature against the provider's JWKS, then check `iss`, `aud`, `exp`, and that `nonce` matches the one generated for this login attempt
- Check the `acr` claim for LOA=3 and reject lower levels
- Verify age from the `birthdate` claim (or the national identity number)
- Treat the national identity number as sensitive personal data: encrypt at rest, never write it to logs
- Log all authentication events (without personal data)
- Rate-limit login starts and callbacks
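Steps 5 to 7 of the flow and the checks just listed, as an added example that is not Idura's, BankID's or Drop's own code. Signature verification against the provider's JWKS (jose's `jwtVerify` in the planned stack) is assumed to have already succeeded and is not repeated; the issuer, audience and the sample claims are constructed values, and the `LOA=3` requirement is taken from this page and should be confirmed against the provider's documentation.

```javascript
// Added example: post-signature checks on an ID token returned through Idura
// (or directly from BankID/Vipps), then the age gate and user record. Not
// Idura's, BankID's or Drop's own code. Issuer, audience and sample claims
// are assumed values; the acr requirement follows the page's statement.
const EXPECTED_ISSUER = "https://idp.example.test";  // placeholder: Idura/BankID issuer
const EXPECTED_AUDIENCE = "drop-client-id";           // placeholder: our client_id
const REQUIRED_ACR = "LOA=3";                         // per the requirement above
const MIN_AGE = 18;

// Returns the list of failed checks (empty = all good). `expectedNonce` is the
// nonce stored when the login attempt was started; `now` is Unix seconds.
function validateIdTokenClaims(claims, { expectedNonce, now = Math.floor(Date.now() / 1000), skewSec = 60 }) {
  const problems = [];
  if (claims.iss !== EXPECTED_ISSUER) problems.push("iss");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];   // aud may be a list
  if (!aud.includes(EXPECTED_AUDIENCE)) problems.push("aud");
  if (typeof claims.exp !== "number" || claims.exp <= now - skewSec) problems.push("exp");
  if (typeof claims.iat !== "number" || claims.iat > now + skewSec) problems.push("iat");
  if (!expectedNonce || claims.nonce !== expectedNonce) problems.push("nonce");
  // acr may carry several ';'-separated values; the LOA=3 part must be present.
  const acrParts = String(claims.acr ?? "").split(/[;\s]+/);
  if (!acrParts.includes(REQUIRED_ACR)) problems.push("acr");
  return problems;
}

// Age from the standard OIDC `birthdate` claim (YYYY-MM-DD), computed in UTC.
function ageOn(birthdate, onDate = new Date()) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(birthdate ?? "");
  if (!m) throw new Error("birthdate must be YYYY-MM-DD");
  const [year, month, day] = m.slice(1).map(Number);
  const age = onDate.getUTCFullYear() - year;
  const birthdayNotYetReached =
    onDate.getUTCMonth() + 1 < month ||
    (onDate.getUTCMonth() + 1 === month && onDate.getUTCDate() < day);
  return birthdayNotYetReached ? age - 1 : age;
}

// Validate, gate on age, and map claims to the user record. The national
// identity number (nnin_altsub) is sensitive personal data: store it
// encrypted at rest and keep it out of log lines.
function buildVerifiedUser(claims, { expectedNonce, now, onDate }) {
  const problems = validateIdTokenClaims(claims, { expectedNonce, now });
  if (problems.length) return { ok: false, reason: "invalid id_token: " + problems.join(",") };
  const age = ageOn(claims.birthdate, onDate);
  if (age < MIN_AGE) return { ok: false, reason: "under " + MIN_AGE };
  const verifiedAtSec = now ?? Math.floor(Date.now() / 1000);
  return {
    ok: true,
    user: {
      subject: claims.sub,
      name: claims.name,
      nnin: claims.nnin_altsub,          // sensitive: encrypt at rest, never log
      birthdate: claims.birthdate,
      eidVerifiedAt: new Date(verifiedAtSec * 1000).toISOString(),
      acr: claims.acr,
    },
  };
}

// Constructed sample payload (not a real token) for a stand-alone run.
const SAMPLE_NOW = 1_800_000_000;
const SAMPLE_CLAIMS = {
  iss: EXPECTED_ISSUER, aud: EXPECTED_AUDIENCE, sub: "abc123",
  iat: SAMPLE_NOW - 5, exp: SAMPLE_NOW + 300, nonce: "nonce-from-session",
  acr: "urn:bankid:bis;LOA=3", name: "Test Testesen",
  birthdate: "2000-06-15", nnin_altsub: "15060012345",
};
console.log(buildVerifiedUser(SAMPLE_CLAIMS, { expectedNonce: "nonce-from-session", now: SAMPLE_NOW }));
```

The function returns the full list of failed checks rather than stopping at the first one, which makes the authentication event log (step "log all authentication events") useful for diagnosing a misconfigured issuer or audience without leaking claim values.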

### Timeline Estimate

**Development Timeline:**
- Week 1-2: Idura account setup, test environment configuration
- Week 3-4: Next.js Auth.js integration, BankID flow
- Week 5: Vipps Login integration
- Week 6-7: Testing, edge cases, error handling
- Week 8: Production deployment, monitoring

**Total:** 8 weeks to production-ready dual eID authentication

### Cost Projection (First Year)

**Assumptions:**
- 1,000 users in year 1
- 50% use BankID, 50% use Vipps
- Average 12 logins/user/year
- Idura Medium tier: €140/month

**Calculation** (DKK converted at the peg rate of roughly DKK 7.46 per EUR):
- Platform fee: €140 × 12 = €1,680
- BankID logins: 500 users × 12 logins × DKK 0.65 = DKK 3,900 (≈ €523)
- Vipps logins: 500 users × 12 logins × DKK 0.40 = DKK 2,400 (≈ €322)
- **Total Year 1:** ≈ €2,525

**At Scale (10,000 users, 120,000 logins/year):**
- Platform fee: €1,680 (assumes the Medium tier still covers this volume; tier thresholds need verification, see Section 6)
- BankID: DKK 39,000 (≈ €5,230)
- Vipps: DKK 24,000 (≈ €3,220)
- **Total:** ≈ €10,130/year

**Conclusion:** Cost scales linearly with users and remains affordable for a fintech startup.

---

## 5. Risks and Mitigations

### BankID Migration Risk (Critical)

**Risk:** April 1, 2026 deadline for Digital Trust Platform migration

**Impact:** Service disruption if not migrated in time

**Mitigation:**
- If integrating via Idura: Migration handled by aggregator
- If direct integration: Prioritize migration work immediately
- Test new platform in preprod before March 31
- **Recommendation:** Use Idura to offload migration risk

### Age Verification Accuracy

**Risk:** Users might bypass age check with email/password

**Mitigation:**
- Require BankID/Vipps for account activation
- Email/password only for returning users
- Periodic re-verification (annual)
- Flag accounts without eID verification

### User Adoption

**Risk:** Users unfamiliar with eID login may abandon signup

**Mitigation:**
- Clear onboarding instructions
- Video tutorial for first-time users
- Support contact readily available
- Fallback to manual verification if needed

### Service Availability

**Risk:** BankID/Vipps downtime prevents login

**Mitigation:**
- Multiple authentication options (BankID + Vipps)
- Existing sessions (JWTs signed with jose) stay valid during provider downtime; only new logins and SCA steps are affected
- Monitor provider status pages
- Implement graceful degradation

### Regulatory Changes

**Risk:** PSD2/eIDAS requirements may change

**Mitigation:**
- Use compliant providers (BankID/Vipps are regulated)
- Stay informed via provider newsletters
- Idura handles compliance updates
- Legal review of authentication flow

---

## 6. Questions Needing Verification

The following points require direct contact with providers for confirmation:

1. **BankID Direct Pricing:** Current 2026 per-transaction costs (NOK 8,300/month model unclear on variable costs)
2. **Vipps Timeline:** Exact onboarding timeline from application to production
3. **Vipps Active Users Model:** Current 2026 pricing structure for active users billing
4. **Idura Large Tier:** Volume thresholds for Small/Medium/Large tiers
5. **Minimum Requirements:** Specific business registration requirements for Vipps merchant account
6. **SCA Dual-Use:** Confirm BankID/Vipps can be used for BOTH login and payment authorization in same session
7. **April 2026 Migration:** Detailed requirements if integrating direct BankID (not via aggregator)

---

## 7. Final Recommendation

**Recommendation:** Implement BOTH BankID and Vipps via Idura aggregator

**Justification:**

1. **Regulatory Compliance:** BankID satisfies identity verification (18+, Norwegian resident)
2. **User Preference:** Vipps more familiar, offers free login option
3. **PSD2 Dual-Use:** Both serve as authentication AND SCA for payments
4. **Cost-Effective:** Idura cheaper than direct integration until high volume
5. **Risk Mitigation:** Idura handles April 2026 BankID migration
6. **Future-Proof:** Easy to add Swedish/Danish eIDs for Nordic expansion
7. **Development Speed:** Faster implementation with proven SDK

**Implementation Priority:**
1. Phase 1: Email/Password (MVP launch)
2. Phase 2: BankID via Idura (compliance requirement)
3. Phase 3: Vipps via Idura (user convenience)

**Next Steps:**
1. Contact Idura sales for Medium tier quote and setup
2. Register test account and explore SDK documentation
3. Validate integration with Next.js 16 App Router
4. Architect user database schema (with eID verification fields)
5. Implement BankID flow first (higher priority for compliance)
6. Add Vipps as alternative option
7. Load test authentication flow
8. Production deployment with monitoring

---

## Sources

### BankID Sources
- [Norwegian BankID Integration Using the OIDC Authenticator | Curity](https://curity.io/resources/learn/norwegian-bankid/)
- [Norwegian BankID - STØ Changes | Signicat](https://www.signicat.com/about/norwegian-bankid-sto-changes-and-their-effects-on-signicat-solutions)
- [Norwegian BankID Developer Pages | Signicat](https://developer.signicat.com/enterprise/identity-methods/norwegian-bankid.html)
- [GitHub - BankID API Documentation](https://github.com/judofyr/bankid-api)
- [Integration Guide for Norwegian BankID | Signicat](https://developer.signicat.com/identity-methods/nbid/integration-guide/)
- [Auth.js | Bankid No](https://authjs.dev/reference/core/providers/bankid-no)
- [BankID Norge Pricing](https://bankid.no/en/company/pricing)
- [Norwegian BankID - Easy Authentication & Signatures | Idura](https://idura.eu/electronic-identities/norwegian-bankid)
- [BankID Norway Developer Portal](https://confluence.bankidnorge.no/confluence/display/DEVPUB)
- [Testing - BankID Documentation](https://developer.bankid.no/bankid-with-biometrics/testing/)
- [OpenID Connect Authorization Code Flow](https://developer.bankid.no/bankid-with-biometrics/flows/code/)
- [GitHub - BankID OIDC Integration Examples](https://github.com/BankIDNorge/oidc-integration-examples)
- [BankID: Norway's Digital ID System Explained - Life in Norway](https://www.lifeinnorway.net/bankid-norway/)

### Vipps Sources
- [Introduction to the Login API | Vipps MobilePay Developer Docs](https://developer.vippsmobilepay.com/docs/APIs/login-api/)
- [Login API | Vipps MobilePay Developer Docs](https://developer.vippsmobilepay.com/api/login)
- [Vipps Login Integration - Norwegian Authentication | spektr](https://www.spektr.com/integration/vipps)
- [API Platform Overview | Vipps MobilePay Developer Docs](https://developer.vippsmobilepay.com/docs/APIs)
- [Vipps Login - Convenient eID Authentication | Idura](https://idura.eu/electronic-identities/vipps)
- [Vipps MobilePay · GitHub](https://github.com/vippsas)
- [Login | Vipps MobilePay Pricing](https://vippsmobilepay.com/en-NO/pricing/login)
- [Auth.js | Vipps MobilePay](https://authjs.dev/getting-started/providers/vipps-mobilepay)
- [Integrate Login from a Website | Vipps MobilePay Developer Docs](https://developer.vippsmobilepay.com/docs/APIs/login-api/api-guide/browser-flow-integration/)
- [Vipps MobilePay Test Environment](https://developer.vippsmobilepay.com/docs/knowledge-base/test-environment/)

### PSD2/SCA Sources
- [PSD2 and Strong Customer Authentication | Criipto](https://www.criipto.com/blog/strong-customer-authentication)
- [FAQ Biometrics | BankID](https://bankid.no/en/company/faq-biometrics)
- [PSD2 News | Netcompany](https://netcompany.com/netcompany-banking-services/psd2/psd2-news/)
- [Direct Integration and PSP Integration | Vipps MobilePay](https://developer.vippsmobilepay.com/docs/knowledge-base/direct-vs-psp/)
- [Strong Customer Authentication | Frisbii Docs](https://docs.frisbii.com/docs/strong-customer-authentication)

### Aggregator Sources
- [Pricing Idura Verify](https://idura.eu/pricing/criipto-verify)
- [Pricing - Signicat](https://www.signicat.com/pricing)
- [Electronic Identities | Criipto](https://www.criipto.com/electronic-identities)
- [Partners - Authentication | BankID](https://bankid.no/en/company/bankid-partners/partners-authentication)
- [Criipto (BankID, Vipps) - Seamless Insure](https://www.seamless.insure/portfolio-item/criipto-bankid-vipps/)

---

**Report Prepared By:** John (AI Director)
**Last Updated:** 2026-02-15
**Status:** Research complete, awaiting approval for implementation