# BankID & Vipps Research

**BankID and Vipps Login Authentication Research**

**Research Date:** 2026-02-15
**Project:** Drop Fintech App
**Purpose:** Evaluate feasibility of integrating BankID and Vipps as authentication methods

## Executive Summary

Both BankID and Vipps Login are viable authentication options for Drop. Both support OIDC/OAuth2 integration with Next.js, have test environments, and can serve dual purposes as both authentication and PSD2 Strong Customer Authentication (SCA).

**Critical Timeline Note:** BankID is undergoing major changes with an April 1, 2026 deadline for migration to new infrastructure.

**Key Considerations:**

- BankID requires a Norwegian bank account and 10 business days for production access
- Vipps has lower per-transaction costs (DKK 0.00-0.40 vs DKK 0.65-0.89)
- Both services can be accessed via aggregators (Idura/Signicat), which simplify integration
- Both meet PSD2 SCA requirements

## 1. Norwegian BankID

### What is it?

BankID is Norway's leading electronic identification system, issued through Norwegian banks. It enables secure authentication and digital signatures. BankID supports both traditional methods and the newer BankID with Biometrics (an app-based solution using WebAuthn).

**Major Change in 2026:** BankID is moving to a single issuer (Stø AS), with critical infrastructure changes taking effect April 1, 2026. All integrations must migrate to the new Digital Trust Platform and OIDC-based approach before this deadline.
### Integration Method

- **Protocol:** OpenID Connect (OIDC) / OAuth 2.0
- **Flow:** Authorization Code Flow with PKCE (Proof Key for Code Exchange)
- **Redirect-based:** Yes, the user is redirected to BankID login
- **Next.js Compatibility:** Yes, Auth.js/NextAuth supports the BankID NO provider
- **Implementation:** Use well-known OIDC libraries

**Technical Requirements:**

- Set `acr_values` to `urn:bankid:bis` for biometric authentication
- Verify that the ID token's `acr` claim includes `LOA=3` (Level of Assurance 3)
- Scopes: `openid`, `profile`, `nnin_altsub` (for the Norwegian national identity number)
- Generate `nonce` and `code_verifier` for security

**Reference Implementation:** GitHub - BankID OIDC Integration Examples

### Requirements to Get Access

**Mandatory Prerequisites:**

- Company must be a customer of a Norwegian bank (within the BankID network)
- The person signing the contract must have a personal eID (Norwegian BankID, Swedish BankID, or Danish MitID)
- Completed "Getting Ready for Production" guide (step 5) to obtain a production domain
- Register the application in the BankID Developer Portal (freely available)

**Application Information Required:**

- Company information
- General contact person
- Person authorized to sign the agreement
- Norwegian bank details
- Technical contacts (credentials delivery, blocking/revoking access)
- Display name for the login app
- Production domain URL

**Agreement Process:**

1. Submit application information
2. Provider sends online agreement for signing
3. Signed agreement is forwarded to your bank for processing
4. Bank issues client credentials

### Cost

**Direct from BankID Norge (Reseller Model):**

- One-time establishment fee: NOK 100,000
- Fixed monthly fee: NOK 8,300
- Per-transaction costs: Not clearly specified in the direct model

**Via Idura/Criipto Aggregator:**

- Monthly platform fee: €65–€390 (tier-dependent: Small/Medium/Large)
- Biometric BankID (app): DKK 0.65 per login
- Traditional BankID: DKK 0.89 per login
- Billing: Monthly consumption + subscription

**NEEDS VERIFICATION:** Direct BankID pricing may have changed. Contact BankID Norge for current 2026 pricing.
### Technical Complexity

**Difficulty Level:** Medium

**Pros:**

- Standard OIDC implementation
- Extensive documentation available
- Auth.js/NextAuth built-in support
- Code examples available on GitHub

**Cons:**

- April 1, 2026 migration deadline adds urgency
- Must handle migration to the new Digital Trust Platform
- PAdES transition required for document signing (Jan-Mar 2026)
- More complex setup than simpler OAuth providers

**Estimated Integration Time:** 2-4 weeks (including testing and certification)

### Timeline

**Application to Production:**

- Bank processing time: Up to 10 business days after the signed agreement
- Total estimated timeline: 2-4 weeks (including application, bank processing, credential issuance)

**Critical Dates:**

- January 1, 2026: PAdES transition begins for Enterprise/Express API
- March 31, 2026: Final deadline for PAdES migration
- April 1, 2026: Old BankID Server and OIDC signing from Stø discontinued

**Action Required:** Complete migration to the Digital Trust Platform before April 1, 2026.

### Sandbox/Test Environment

**Test Access:** Freely available

**Test Environment Details:**

- Register the application in the BankID Developer Portal (free)
- Preprod app access: Request via the support portal or through a BankID partner
- Self-service test user portal: ra-preprod.bankidnorge.no
- Default test credentials: OTP code plus the password `qwer1234`
- Test users: Generate Norwegian national identity numbers (NNIN) for testing

**Testing Tools:**

- Available at tools.bankid.no
- Supports authentication, signing, password change
- Document types: plain text, PDF, XML
- Can be embedded via iframe or direct link

**Support:** developer@bankidnorge.no

### PSD2 Relevance

**SCA Compliance:** YES - Fully compliant

BankID with biometrics is approved for payments and meets Strong Customer Authentication (SCA) requirements according to PSD2 and 3D Secure standards.
**Technical Details:**

- Level of Assurance: "Substantial" (eIDAS standard)
- Authentication: WebAuthn-based biometrics (built-in phone/computer biometrics)
- Security: BankID never accesses biometric data; it receives a signed confirmation from Apple/Google
- PSD2 Integration: Netcompany Banking Services supports 1-SCA (single strong customer authentication) using BankID for Norway

**Use Cases for Drop:**

- User authentication/login
- PSD2 payment authorization (SCA)
- Combined auth + payment flow

### Alternative Providers

**Aggregator Services (Recommended):**

**Idura (formerly Criipto)**

- Bundles BankID + Vipps + other Nordic eIDs
- Single integration point for multiple providers
- Pricing: €65-€390/month + per-transaction fees
- Website: idura.eu

**Signicat**

- Largest BankID provider in Norway (established 2007)
- Enterprise-focused solution
- Offers authentication + digital signatures
- Pricing: Contact for quote
- Website: signicat.com

**Curity**

- Identity platform with Norwegian BankID support
- OIDC authenticator approach
- Enterprise-grade solution
- Website: curity.io

**Recommendation:** For Drop's use case (fintech startup), Idura offers the best balance of simplicity, cost-effectiveness, and multi-provider support.

## 2. Vipps Login

### What is it?

Vipps is Norway's #1 mobile payment provider with near-ubiquitous adoption. Vipps Login is an authentication service that allows users to log in using their mobile number.

**The brand split:** Vipps (Norway/Sweden) and MobilePay (Denmark/Finland) use the same API under Vipps MobilePay.

**Scope:** The Login API confirms customer identity and provides access to verified data: name, birthdate, social security number, address, email, phone number.
### Integration Method

- **Protocol:** OpenID Connect (OIDC) / OAuth 2.0
- **Flow:** Browser-based redirect flow (user-initiated or merchant-initiated)
- **Authentication:** API keys (obtained via the Vipps MobilePay business portal)
- **Next.js Compatibility:** Yes, Auth.js/NextAuth supports the Vipps MobilePay provider
- **Age Requirement:** Users must be 15+ years old

**Implementation Example:**

```ts
import NextAuth from "next-auth"
import Vipps from "next-auth/providers/vipps"

// Auth.js (NextAuth v5) route handlers and helpers with the built-in Vipps provider
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Vipps],
})
```

**Test Mode Override:**

```ts
// Point the provider at the Merchant Test (MT) environment instead of production
Vipps({ issuer: "https://apitest.vipps.no/access-management-1.0/access/" })
```

**Key Endpoints:**

- User info: `GET:/vipps-userinfo-api/userinfo` (returns consented user data)
- Token endpoint: Standard OIDC token exchange

### Requirements to Get Access

**Application Process:**

1. Order the product at vippsmobilepay.com
2. Complete the "Login checklist" for direct integration
3. Partner application review
4. Receive test credentials via email (test phone number + national identity number)

**Company Requirements:**

- NEEDS VERIFICATION: Minimum company requirements not specified in documentation
- Likely requires Norwegian business registration

**Technical Setup:**

- Access the business portal: portal.vippsmobilepay.com
- Obtain API keys for authentication
- Configure redirect URIs

### Cost

**Per-Transaction Pricing:**

- Login without SSN: DKK 0.00 (FREE)
- Login with SSN: DKK 0.40

**Via Idura Aggregator:**

- Monthly platform fee: €65–€390 (tier-dependent)
- Per-transaction: Vipps MobilePay invoices directly based on the "active users" pricing model
- NEEDS VERIFICATION: Current 2026 active users pricing structure

**Notes:**

- Most cost-effective authentication option
- Free basic login is suitable for initial authentication
- SSN access (DKK 0.40) needed for age/identity verification

### Technical Complexity

**Difficulty Level:** Low-Medium

**Pros:**

- Standard OIDC/OAuth2 implementation
- Excellent documentation
- Auth.js built-in support
- Well-known integration libraries recommended
- Active GitHub repositories with examples
- Widespread usage in Norway (proven reliability)

**Cons:**

- Test environment has no SLA/uptime guarantee
- Support limited to Norwegian office hours for the test environment
- Separate test and production API keys required

**Estimated Integration Time:** 1-2 weeks

### Timeline

**Application to Production:**

- NEEDS VERIFICATION: Specific timeline not documented
- Process: Order product → Partner review → Credentials issued
- Estimated: Likely 1-2 weeks based on industry standards

**Recommendation:** Contact Vipps developer support for the exact onboarding timeline.

### Sandbox/Test Environment

**Test Environment:** Merchant Test (MT) - Available to all API merchants

**Access Details:**

- All partners/merchants with API access have test environment access
- Test server: https://apitest.vipps.no
- Portal access: portal.vippsmobilepay.com → "For developers" → "Test users"
- Test app: iOS and Android apps that mirror production (connect to the MT environment)

**Test User Credentials:**

- Provided via email after partner review
- Includes test phone number and national identity number
- PIN for "Verify your number": 1236
- PIN for "Enter your code": 1236

**Limitations:**

- No SLA or uptime guarantee
- No fixes outside Norwegian office hours
- Completely separate from production (different API keys)

**Suitable For:** Websites, e-commerce, apps, loyalty programs

### PSD2 Relevance

**SCA Compliance:** YES - Fully compliant

Vipps has implemented PSD2-compliant Strong Customer Authentication with regulatory-approved delegated SCA from card issuers.

**Technical Details:**

- Two-factor authentication: PIN or biometrics + device possession
- No additional 3D Secure required (Verified by Visa, Mastercard ID Check)
- Security handled when the user logs into the Vipps/MobilePay app
- Wallet-based payment method with built-in SCA layer

**Use Cases for Drop:**

- User authentication/login
- PSD2 payment authorization
- Simplified payment flow (no separate 3DS step needed)

**Advantage:** Vipps SCA is transparent to users (already authenticated in the app), creating a smoother UX than traditional 3DS flows.
### Alternative Providers

Same aggregators as BankID:

**Idura (formerly Criipto)**

- Bundles Vipps with BankID and other eIDs
- Single integration, multiple auth methods
- Transparent pricing model

**Signicat**

- Enterprise solution
- Combined authentication suite
- Contact for pricing

**Recommendation:** If implementing both BankID AND Vipps, use the Idura aggregator to manage both via a single integration point.

## 3. Aggregator Comparison

### Why Use an Aggregator?

**Benefits:**

- Single integration point for multiple eID providers
- Simplified SDK/API (abstraction layer)
- Unified billing and reporting
- Faster time-to-market
- Reduced maintenance burden
- Future-proof (easy to add more eID methods)

**Trade-offs:**

- Additional monthly platform fee (€65-€390)
- Dependency on a third-party service
- Potential slight latency increase

### Idura (Criipto) - Recommended

**What is it:** European eID verification platform (formerly Criipto, rebranded to Idura)

**Supported eIDs:**

- Norwegian BankID (Traditional + Biometric)
- Vipps Login
- Swedish BankID
- Danish MitID
- Finnish eID
- 30+ other European eIDs

**Pricing Structure:**

- Platform fee: €65/month (Small), €140/month (Medium), €390/month (Large)
- Norwegian BankID: DKK 0.65 (biometric) or DKK 0.89 (traditional) per login
- Vipps: DKK 0.00 (no SSN) or DKK 0.40 (with SSN) per login
- Swedish BankID: DKK 0.10 per login

**Technical:**

- OIDC/OAuth2 standard
- SDKs available
- Good documentation
- Test environment included

**Best For:** Drop's use case - need both BankID + Vipps with potential Nordic expansion

### Signicat - Enterprise Alternative

**What is it:** Europe's largest eID and signature provider (established 2007)

**Position:** Largest BankID provider in Norway

**Pricing:** Contact for quote (not publicly listed)

**Best For:** Large enterprises, complex compliance needs, high-volume applications

### Direct Integration vs Aggregator

**For Drop, Recommend:** Idura Aggregator

**Reasoning:**

- Supports both BankID and Vipps through one integration
- Transparent pricing (€140/month Medium tier likely sufficient)
- Future-proof for Nordic expansion
- Faster development (proven SDK)
- Lower maintenance burden
- Cost-effective at expected volume (<10,000 logins/month)

**Break-even Analysis:**

- Idura Medium: €140/month + per-transaction fees
- Direct BankID: NOK 8,300/month (€750) + NOK 100,000 setup (€9,000)
- Conclusion: Idura is cheaper until very high volumes (50,000+ logins/month)

## 4. Implementation Recommendations

### Recommended Approach

**Phase 1: Email + Password (MVP)**

- Implement JWT-based auth with jose (already planned)
- Collect email, validate age/residency through a form
- Manual verification initially

**Phase 2: Add BankID (Primary eID)**

- Integrate via Idura
- Use BankID for identity verification (name, SSN, address)
- Automatic age verification (18+)
- Satisfies regulatory requirements
- Serves as SCA for PSD2 payments

**Phase 3: Add Vipps Login (Alternative)**

- Same Idura integration (minimal additional work)
- Offer a choice: BankID or Vipps
- Vipps likely preferred by users (more familiar, used daily)
- Free basic login reduces costs

**Phase 4: Optimize Flow**

- Optional: Allow email/password for returning users
- Require BankID/Vipps for first-time verification
- Re-verify periodically (e.g., annually) via eID

### Technical Architecture

**Recommended Stack:**

```
Next.js 16 App Router
├─ Auth.js (NextAuth v5) - OIDC client
├─ Idura Verify - eID aggregator
│  ├─ Norwegian BankID
│  └─ Vipps Login
├─ jose - JWT signing/verification
└─ PostgreSQL - user sessions
```

**Flow:**

1. User clicks "Log in with BankID" or "Log in with Vipps"
2. Next.js redirects to the Idura OIDC endpoint
3. Idura redirects to BankID/Vipps
4. User authenticates
5. Idura returns to the callback with an ID token
6. Next.js validates the token and extracts claims (name, SSN, email)
7. Create/update the user in the database
8. Issue a JWT session token (jose)
9. User authenticated

**Security Considerations:**

- Store Idura client credentials in environment variables
- Validate the ID token signature
- Check the `acr` claim for `LOA=3`
- Verify age from birthdate/SSN
- Log all authentication events
- Implement rate limiting

### Timeline Estimate

**Development Timeline:**

- Week 1-2: Idura account setup, test environment configuration
- Week 3-4: Next.js Auth.js integration, BankID flow
- Week 5: Vipps Login integration
- Week 6-7: Testing, edge cases, error handling
- Week 8: Production deployment, monitoring

**Total:** 8 weeks to production-ready dual eID authentication

### Cost Projection (First Year)

**Assumptions:**

- 1,000 users in year 1
- 50% use BankID, 50% use Vipps
- Average 12 logins/user/year
- Idura Medium tier: €140/month

**Calculation:**

- Platform fee: €140 × 12 = €1,680
- BankID logins: 500 users × 12 logins × DKK 0.65 = DKK 3,900 (€470)
- Vipps logins: 500 users × 12 logins × DKK 0.40 = DKK 2,400 (€290)
- Total Year 1: €2,440

**At Scale (10,000 users):**

- Platform fee: €1,680
- BankID: €4,700
- Vipps: €2,900
- Total: €9,280/year

**Conclusion:** Cost scales linearly with users and remains affordable for a fintech startup.

## 5. Risks and Mitigations

### BankID Migration Risk (Critical)

**Risk:** April 1, 2026 deadline for Digital Trust Platform migration

**Impact:** Service disruption if not migrated in time

**Mitigation:**

- If integrating via Idura: Migration handled by the aggregator
- If direct integration: Prioritize migration work immediately
- Test the new platform in preprod before March 31

**Recommendation:** Use Idura to offload migration risk

### Age Verification Accuracy

**Risk:** Users might bypass the age check with email/password

**Mitigation:**

- Require BankID/Vipps for account activation
- Email/password only for returning users
- Periodic re-verification (annual)
- Flag accounts without eID verification

### User Adoption

**Risk:** Users unfamiliar with eID login may abandon signup

**Mitigation:**

- Clear onboarding instructions
- Video tutorial for first-time users
- Support contact readily available
- Fallback to manual verification if needed

### Service Availability

**Risk:** BankID/Vipps downtime prevents login

**Mitigation:**

- Multiple authentication options (BankID + Vipps)
- Cache authentication status (JWT sessions)
- Monitor provider status pages
- Implement graceful degradation

### Regulatory Changes

**Risk:** PSD2/eIDAS requirements may change

**Mitigation:**

- Use compliant providers (BankID/Vipps are regulated)
- Stay informed via provider newsletters
- Idura handles compliance updates
- Legal review of the authentication flow

## 6. Questions Needing Verification

The following points require direct contact with providers for confirmation:

1. **BankID Direct Pricing:** Current 2026 per-transaction costs (NOK 8,300/month model unclear on variable costs)
2. **Vipps Timeline:** Exact onboarding timeline from application to production
3. **Vipps Active Users Model:** Current 2026 pricing structure for active users billing
4. **Idura Large Tier:** Volume thresholds for Small/Medium/Large tiers
5. **Minimum Requirements:** Specific business registration requirements for a Vipps merchant account
6. **SCA Dual-Use:** Confirm BankID/Vipps can be used for BOTH login and payment authorization in the same session
7. **April 2026 Migration:** Detailed requirements if integrating direct BankID (not via aggregator)

## 7. Final Recommendation

**Recommendation:** Implement BOTH BankID and Vipps via the Idura aggregator

**Justification:**

1. **Regulatory Compliance:** BankID satisfies identity verification (18+, Norwegian resident)
2. **User Preference:** Vipps is more familiar and offers a free login option
3. **PSD2 Dual-Use:** Both serve as authentication AND SCA for payments
4. **Cost-Effective:** Idura is cheaper than direct integration until high volume
5. **Risk Mitigation:** Idura handles the April 2026 BankID migration
6. **Future-Proof:** Easy to add Swedish/Danish eIDs for Nordic expansion
7. **Development Speed:** Faster implementation with a proven SDK

**Implementation Priority:**

1. Phase 1: Email/Password (MVP launch)
2. Phase 2: BankID via Idura (compliance requirement)
3. Phase 3: Vipps via Idura (user convenience)

**Next Steps:**

1. Contact Idura sales for a Medium tier quote and setup
2. Register a test account and explore SDK documentation
3. Validate integration with Next.js 16 App Router
4. Architect the user database schema (with eID verification fields)
5. Implement the BankID flow first (higher priority for compliance)
6. Add Vipps as an alternative option
7. Load test the authentication flow
8. Production deployment with monitoring

## Sources
### BankID Sources

- Norwegian BankID Integration Using the OIDC Authenticator | Curity
- Norwegian BankID - STØ Changes | Signicat
- Norwegian BankID Developer Pages | Signicat
- GitHub - BankID API Documentation
- Integration Guide for Norwegian BankID | Signicat
- Auth.js | Bankid No
- BankID Norge Pricing
- Norwegian BankID - Easy Authentication & Signatures | Idura
- BankID Norway Developer Portal
- Testing - BankID Documentation
- OpenID Connect Authorization Code Flow
- GitHub - BankID OIDC Integration Examples
- BankID: Norway's Digital ID System Explained - Life in Norway

### Vipps Sources

- Introduction to the Login API | Vipps MobilePay Developer Docs
- Login API | Vipps MobilePay Developer Docs
- Vipps Login Integration - Norwegian Authentication | spektr
- API Platform Overview | Vipps MobilePay Developer Docs
- Vipps Login - Convenient eID Authentication | Idura
- Vipps MobilePay · GitHub
- Login | Vipps MobilePay Pricing
- Auth.js | Vipps MobilePay
- Integrate Login from a Website | Vipps MobilePay Developer Docs
- Vipps MobilePay Test Environment

### PSD2/SCA Sources

- PSD2 and Strong Customer Authentication | Criipto
- FAQ Biometrics | BankID
- PSD2 News | Netcompany
- Direct Integration and PSP Integration | Vipps MobilePay
- Strong Customer Authentication | Frisbii Docs

### Aggregator Sources

- Pricing - Idura Verify
- Pricing - Signicat
- Electronic Identities | Criipto
- Partners - Authentication | BankID
- Criipto (BankID, Vipps) - Seamless Insure

---

**Report Prepared By:** John (AI Director)
**Last Updated:** 2026-02-15
**Status:** Research complete, awaiting approval for implementation