
BankID & Vipps Research

BankID and Vipps Login Authentication Research

Research Date: 2026-02-15

Project: Drop Fintech App

Purpose: Evaluate feasibility of integrating BankID and Vipps as authentication methods


Executive Summary

Both BankID and Vipps Login are viable authentication options for Drop. Both support OIDC/OAuth2 integration with Next.js, have test environments, and can serve dual purposes as both authentication and PSD2 Strong Customer Authentication (SCA).

Critical Timeline Note: BankID is undergoing major changes with an April 1, 2026 deadline for migration to new infrastructure.

Key Considerations:

  • BankID requires a Norwegian bank account and 10 business days for production access
  • Vipps has lower per-transaction costs (DKK 0.00-0.40 vs DKK 0.65-0.89)
  • Both services can be accessed via aggregators (Idura/Signicat) which simplify integration
  • Both meet PSD2 SCA requirements

1. Norwegian BankID

What is it?

BankID is Norway's leading electronic identification system, issued through Norwegian banks. It enables secure authentication and digital signatures. BankID supports both traditional methods and the newer BankID with Biometrics (app-based solution using WebAuthn).

Major Change in 2026: BankID is moving to a single issuer (Stø AS) with critical infrastructure changes taking effect April 1, 2026. All integrations must migrate to the new Digital Trust Platform and OIDC-based approach before this deadline.

Integration Method

  • Protocol: OpenID Connect (OIDC) / OAuth 2.0
  • Flow: Authorization Code Flow with PKCE (Proof Key for Code Exchange)
  • Redirect-based: Yes, user redirected to BankID login
  • Next.js Compatibility: Yes, Auth.js/NextAuth supports BankID NO provider
  • Implementation: Use well-known OIDC libraries

Technical Requirements:

  • Set acr_values to urn:bankid:bis for biometric authentication
  • Verify ID token's acr claim includes "LOA=3" (Level of Assurance 3)
  • Scopes: openid, profile, nnin_altsub (for Norwegian national identity number)
  • Generate nonce and code_verifier for security
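
The requirements above, written out as an authorization-code request with PKCE. This is an added example, not code from BankID, Idura or Auth.js; the endpoint, client ID and redirect URI are placeholders passed in by the caller, and only the `acr_values` and scope values come from the list above.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// RFC 7636: 32 random bytes -> 43-character base64url code_verifier.
const newCodeVerifier = () => randomBytes(32).toString("base64url");

// S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallengeS256(verifier) {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Step 1: build the redirect URL plus the per-login secrets to keep server-side
// (for example in an encrypted, HttpOnly cookie) until the callback arrives.
function buildAuthorizationRequest({ authorizationEndpoint, clientId, redirectUri }) {
  const session = {
    codeVerifier: newCodeVerifier(),
    state: randomBytes(16).toString("base64url"), // binds the callback to this browser
    nonce: randomBytes(16).toString("base64url"), // binds the ID token to this login
  };
  const url = new URL(authorizationEndpoint); // placeholder endpoint from the caller
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile nnin_altsub", // scopes from the list above
    acr_values: "urn:bankid:bis", // biometric BankID, from the list above
    code_challenge: codeChallengeS256(session.codeVerifier),
    code_challenge_method: "S256",
    state: session.state,
    nonce: session.nonce,
  }).toString();
  return { url: url.toString(), session };
}

// Step 2: on the callback, check state before touching the code, then attach
// the code_verifier so an intercepted code cannot be redeemed without it.
function buildTokenRequest(callbackParams, session, { clientId, redirectUri }) {
  const got = Buffer.from(callbackParams.get("state") ?? "");
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error("state mismatch");
  }
  if (callbackParams.has("error")) {
    throw new Error(`provider returned error: ${callbackParams.get("error")}`);
  }
  const code = callbackParams.get("code");
  if (!code) throw new Error("missing authorization code");
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: session.codeVerifier,
  });
}
```

Client authentication at the token endpoint (client secret or key) is added according to how the client is registered with the provider.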

Reference Implementation: GitHub - BankID OIDC Integration Examples

Requirements to Get Access

Mandatory Prerequisites:

  1. Company must be a customer of a Norwegian bank (within BankID network)
  2. Person signing the contract must have personal eID (Norwegian BankID, Swedish BankID, or Danish MitID)
  3. Completed "Getting Ready for Production" guide (step 5) to obtain production domain
  4. Register application in BankID Developer Portal (freely available)

Application Information Required:

  • Company information
  • General contact person
  • Person authorized to sign agreement
  • Norwegian bank details
  • Technical contacts (credentials delivery, blocking/revoking access)
  • Display name for login app
  • Production domain URL

Agreement Process:

  1. Submit application information
  2. Provider sends online agreement for signing
  3. Signed agreement forwarded to your bank for processing
  4. Bank issues client credentials

Cost

Direct from BankID Norge (Reseller Model):

  • One-time establishment fee: NOK 100,000
  • Fixed monthly fee: NOK 8,300
  • Per-transaction costs: Not clearly specified in direct model

Via Idura/Criipto Aggregator:

  • Monthly platform fee: €65–€390 (tier-dependent: Small/Medium/Large)
  • Biometric BankID (app): DKK 0.65 per login
  • Traditional BankID: DKK 0.89 per login
  • Billing: Monthly consumption + subscription

NEEDS VERIFICATION: Direct BankID pricing may have changed. Contact BankID Norge for current 2026 pricing.

Technical Complexity

Difficulty Level: Medium

Pros:

  • Standard OIDC implementation
  • Extensive documentation available
  • Auth.js/NextAuth built-in support
  • Code examples available on GitHub

Cons:

  • April 1, 2026 migration deadline adds urgency
  • Must handle migration to new Digital Trust Platform
  • PAdES transition required for document signing (Jan-Mar 2026)
  • More complex setup vs simpler OAuth providers

Estimated Integration Time: 2-4 weeks (including testing and certification)

Timeline

Application to Production:

  • Bank processing time: Up to 10 business days after signed agreement
  • Total estimated timeline: 2-4 weeks (including application, bank processing, credential issuance)

Critical Dates:

  • January 1, 2026: PAdES transition begins for Enterprise/Express API
  • March 31, 2026: Final deadline for PAdES migration
  • April 1, 2026: Old BankID Server and OIDC signing from Stø discontinued

Action Required: Complete migration to Digital Trust Platform before April 1, 2026.

Sandbox/Test Environment

Test Access: Freely available

Test Environment Details:

  • Register application in BankID Developer Portal (free)
  • Preprod app access: Request via support portal or through BankID partner
  • Self-service test user portal: ra-preprod.bankidnorge.no
  • Default test credentials: OTP password and qwer1234
  • Test users: Generate Norwegian national identity numbers (NNIN) for testing

Testing Tools:

  • Available at tools.bankid.no
  • Supports authentication, signing, password change
  • Document types: plain text, PDF, XML
  • Can be embedded via iframe or direct link

Support: [email protected]

PSD2 Relevance

SCA Compliance: YES - Fully compliant

BankID with biometrics is approved for payments and meets Strong Customer Authentication (SCA) requirements according to PSD2 and 3D Secure standards.

Technical Details:

  • Level of Assurance: "Substantial" (eIDAS standard)
  • Authentication: WebAuthn-based biometrics (built-in phone/computer biometrics)
  • Security: BankID never accesses biometric data; receives signed confirmation from Apple/Google
  • PSD2 Integration: Netcompany Banking Services supports 1-SCA (single strong customer authentication) using BankID for Norway

Use Cases for Drop:

  1. User authentication/login
  2. PSD2 payment authorization (SCA)
  3. Combined auth + payment flow

Alternative Providers

Aggregator Services (Recommended):

  1. Idura (formerly Criipto)

    • Bundles BankID + Vipps + other Nordic eIDs
    • Single integration point for multiple providers
    • Pricing: €65-€390/month + per-transaction fees
    • Website: idura.eu
  2. Signicat

    • Largest BankID provider in Norway (established 2007)
    • Enterprise-focused solution
    • Offers authentication + digital signatures
    • Pricing: Contact for quote
    • Website: signicat.com
  3. Curity

    • Identity platform with Norwegian BankID support
    • OIDC authenticator approach
    • Enterprise-grade solution
    • Website: curity.io

Recommendation: For Drop's use case (fintech startup), Idura offers the best balance of simplicity, cost-effectiveness, and multi-provider support.


2. Vipps Login

What is it?

Vipps is Norway's #1 mobile payment provider with near-ubiquitous adoption. Vipps Login is an authentication service that allows users to log in using their mobile number. The brand is split by market: Vipps (Norway/Sweden) and MobilePay (Denmark/Finland) use the same API under Vipps MobilePay.

Scope: Login API confirms customer identity and provides access to verified data: name, birthdate, social security number, address, email, phone number.

Integration Method

  • Protocol: OpenID Connect (OIDC) / OAuth 2.0
  • Flow: Browser-based redirect flow (user-initiated or merchant-initiated)
  • Authentication: API keys (obtained via Vipps MobilePay business portal)
  • Next.js Compatibility: Yes, Auth.js/NextAuth supports Vipps MobilePay provider
  • Age Requirement: Users must be 15+ years old

Implementation Example:

import NextAuth from "next-auth"
import Vipps from "next-auth/providers/vipps"

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Vipps],
})

Test Mode Override:

Vipps({ issuer: "https://apitest.vipps.no/access-management-1.0/access/" })

Key Endpoints:

  • User info: GET:/vipps-userinfo-api/userinfo (returns consented user data)
  • Token endpoint: Standard OIDC token exchange

Requirements to Get Access

Application Process:

  1. Order product at vippsmobilepay.com
  2. Complete "Login checklist" for direct integration
  3. Partner application review
  4. Receive test credentials via email (test phone number + national identity number)

Company Requirements:

  • NEEDS VERIFICATION: Minimum company requirements not specified in documentation
  • Likely requires Norwegian business registration

Technical Setup:

  • Access business portal: portal.vippsmobilepay.com
  • Obtain API keys for authentication
  • Configure redirect URIs

Cost

Per-Transaction Pricing:

  • Login without SSN: DKK 0.00 (FREE)
  • Login with SSN: DKK 0.40

Via Idura Aggregator:

  • Monthly platform fee: €65–€390 (tier-dependent)
  • Per-transaction: Vipps MobilePay invoices directly based on "active users" pricing model
  • NEEDS VERIFICATION: Current 2026 active users pricing structure

Notes:

  • Most cost-effective authentication option
  • Free basic login is suitable for initial authentication
  • SSN access (DKK 0.40) needed for age/identity verification

Technical Complexity

Difficulty Level: Low-Medium

Pros:

  • Standard OIDC/OAuth2 implementation
  • Excellent documentation
  • Auth.js built-in support
  • Well-known integration libraries recommended
  • Active GitHub repositories with examples
  • Widespread usage in Norway (proven reliability)

Cons:

  • Test environment has no SLA/uptime guarantee
  • Support limited to Norwegian office hours for test environment
  • Separate test and production API keys required

Estimated Integration Time: 1-2 weeks

Timeline

Application to Production:

  • NEEDS VERIFICATION: Specific timeline not documented
  • Process: Order product → Partner review → Credentials issued
  • Estimated: Likely 1-2 weeks based on industry standards

Recommendation: Contact Vipps developer support for exact onboarding timeline.

Sandbox/Test Environment

Test Environment: Merchant Test (MT) - Available to all API merchants

Access Details:

  • All partners/merchants with API access have test environment access
  • Test server: https://apitest.vipps.no
  • Portal access: portal.vippsmobilepay.com → "For developers" → "Test users"
  • Test app: iOS and Android apps that mirror production (connect to MT environment)

Test User Credentials:

  • Provided via email after partner review
  • Includes test phone number and national identity number
  • PIN for "Verify your number": 1236
  • PIN for "Enter your code": 1236

Limitations:

  • No SLA or uptime guarantee
  • No fixes outside Norwegian office hours
  • Completely separate from production (different API keys)

Suitable For: Websites, e-commerce, apps, loyalty programs

PSD2 Relevance

SCA Compliance: YES - Fully compliant

Vipps has implemented PSD2-compliant Strong Customer Authentication with regulatory-approved delegated SCA from card issuers.

Technical Details:

  • Two-factor authentication: PIN or biometrics + device possession
  • No additional 3D Secure required (Verified by Visa, Mastercard ID Check)
  • Security handled when user logs into Vipps/MobilePay app
  • Wallet-based payment method with built-in SCA layer

Use Cases for Drop:

  1. User authentication/login
  2. PSD2 payment authorization
  3. Simplified payment flow (no separate 3DS step needed)

Advantage: Vipps SCA is transparent to users (already authenticated in app), creating smoother UX than traditional 3DS flows.

Alternative Providers

Same aggregators as BankID:

  1. Idura (formerly Criipto)

    • Bundles Vipps with BankID and other eIDs
    • Single integration, multiple auth methods
    • Transparent pricing model
  2. Signicat

    • Enterprise solution
    • Combined authentication suite
    • Contact for pricing

Recommendation: If implementing both BankID AND Vipps, use Idura aggregator to manage both via single integration point.


3. Aggregator Comparison

Why Use an Aggregator?

Benefits:

  1. Single integration point for multiple eID providers
  2. Simplified SDK/API (abstraction layer)
  3. Unified billing and reporting
  4. Faster time-to-market
  5. Reduced maintenance burden
  6. Future-proof (easy to add more eID methods)

Trade-offs:

  1. Additional monthly platform fee (€65-€390)
  2. Dependency on third-party service
  3. Potential slight latency increase

Idura (Criipto) - Recommended

What is it: European eID verification platform (formerly Criipto, rebranded to Idura)

Supported eIDs:

  • Norwegian BankID (Traditional + Biometric)
  • Vipps Login
  • Swedish BankID
  • Danish MitID
  • Finnish eID
  • 30+ other European eIDs

Pricing Structure:

  • Platform fee: €65/month (Small), €140/month (Medium), €390/month (Large)
  • Norwegian BankID: DKK 0.65 (biometric) or DKK 0.89 (traditional) per login
  • Vipps: DKK 0.00 (no SSN) or DKK 0.40 (with SSN) per login
  • Swedish BankID: DKK 0.10 per login

Technical:

  • OIDC/OAuth2 standard
  • SDKs available
  • Good documentation
  • Test environment included

Best For: Drop's use case - need both BankID + Vipps with potential Nordic expansion

Signicat - Enterprise Alternative

What is it: Europe's largest eID and signature provider (established 2007)

Position: Largest BankID provider in Norway

Pricing: Contact for quote (not publicly listed)

Best For: Large enterprises, complex compliance needs, high-volume applications

Direct Integration vs Aggregator

Recommended for Drop: Idura Aggregator

Reasoning:

  1. Supports both BankID and Vipps through one integration
  2. Transparent pricing (€140/month Medium tier likely sufficient)
  3. Future-proof for Nordic expansion
  4. Faster development (proven SDK)
  5. Lower maintenance burden
  6. Cost-effective at expected volume (<10,000 logins/month)

Break-even Analysis:

  • Idura Medium: €140/month + per-transaction fees
  • Direct BankID: NOK 8,300/month (€750) + NOK 100,000 setup (€9,000)
  • Conclusion: Idura cheaper until very high volumes (50,000+ logins/month)

4. Implementation Recommendations

Phase 1: Email + Password (MVP)

  • Implement JWT-based auth with jose (already planned)
  • Collect email, validate age/residency through form
  • Manual verification initially

Phase 2: Add BankID (Primary eID)

  • Integrate via Idura
  • Use BankID for identity verification (name, SSN, address)
  • Automatic age verification (18+)
  • Satisfies regulatory requirements
  • Serves as SCA for PSD2 payments

Phase 3: Add Vipps Login (Alternative)

  • Same Idura integration (minimal additional work)
  • Offer choice: BankID or Vipps
  • Vipps likely preferred by users (more familiar, used daily)
  • Free basic login reduces costs

Phase 4: Optimize Flow

  • Optional: Allow email/password for returning users
  • Require BankID/Vipps for first-time verification
  • Re-verify periodically (e.g., annually) via eID

Technical Architecture

Next.js 16 App Router
├─ Auth.js (NextAuth v5) - OIDC client
├─ Idura Verify - eID aggregator
│  ├─ Norwegian BankID
│  └─ Vipps Login
├─ jose - JWT signing/verification
└─ PostgreSQL - user sessions

Flow:

  1. User clicks "Log in with BankID" or "Log in with Vipps"
  2. Next.js redirects to Idura OIDC endpoint
  3. Idura redirects to BankID/Vipps
  4. User authenticates
  5. Idura returns to callback with ID token
  6. Next.js validates token, extracts claims (name, SSN, email)
  7. Create/update user in database
  8. Issue JWT session token (jose)
  9. User authenticated

Security Considerations:

  • Store Idura client credentials in environment variables
  • Validate ID token signature
  • Check acr claim for LOA=3
  • Verify age from birthdate/SSN
  • Log all authentication events
  • Implement rate limiting
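
Flow step 6 and the token checks listed above, written out with Node's built-in crypto as an added example (not Idura's, BankID's or Auth.js's own code). It assumes the provider signs ID tokens with RS256 and returns the standard OIDC `birthdate` claim; both are assumptions to confirm against the provider's discovery document and claim reference.

```javascript
const { createPublicKey, verify } = require("node:crypto");

const b64urlJson = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// expected = { issuer, clientId, nonce }; jwks = the provider's published key set.
function verifyIdToken(idToken, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const [h, p, s] = parts;
  const header = b64urlJson(h);

  // Pin the algorithm (RS256 is an assumption): the token must not choose it.
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "RSA");
  if (!jwk) throw new Error("no matching signing key");
  const ok = verify(
    "RSA-SHA256",
    Buffer.from(`${h}.${p}`),
    createPublicKey({ key: jwk, format: "jwk" }),
    Buffer.from(s, "base64url")
  );
  if (!ok) throw new Error("bad signature");

  // Claims are read only after the signature check has passed.
  const c = b64urlJson(p);
  if (c.iss !== expected.issuer) throw new Error("wrong issuer");
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expected.clientId)) throw new Error("wrong audience");
  if (typeof c.exp !== "number" || c.exp <= nowSec) throw new Error("token expired");
  if (c.nonce !== expected.nonce) throw new Error("nonce mismatch");
  // The page's requirement: acr must include "LOA=3".
  if (typeof c.acr !== "string" || !c.acr.includes("LOA=3")) {
    throw new Error("assurance level too low");
  }
  return c;
}

// Age check on the assumed "birthdate" claim (YYYY-MM-DD). Compares calendar
// dates so the 18th birthday itself counts, and fails closed on bad input.
function isAtLeast(birthdate, years, today = new Date()) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(birthdate ?? "");
  if (!m) return false;
  const [y, mo, d] = m.slice(1).map(Number);
  let age = today.getUTCFullYear() - y;
  const month = today.getUTCMonth() + 1;
  if (month < mo || (month === mo && today.getUTCDate() < d)) age -= 1;
  return age >= years;
}
```

In the application itself, `jose`'s `jwtVerify` with a remote JWKS covers the signature, issuer, audience and expiry checks; the nonce and `acr` comparisons still have to be made explicitly.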

Timeline Estimate

Development Timeline:

  • Week 1-2: Idura account setup, test environment configuration
  • Week 3-4: Next.js Auth.js integration, BankID flow
  • Week 5: Vipps Login integration
  • Week 6-7: Testing, edge cases, error handling
  • Week 8: Production deployment, monitoring

Total: 8 weeks to production-ready dual eID authentication

Cost Projection (First Year)

Assumptions:

  • 1,000 users in year 1
  • 50% use BankID, 50% use Vipps
  • Average 12 logins/user/year
  • Idura Medium tier: €140/month

Calculation:

  • Platform fee: €140 × 12 = €1,680
  • BankID logins: 500 users × 12 logins × DKK 0.65 = DKK 3,900 (€470)
  • Vipps logins: 500 users × 12 logins × DKK 0.40 = DKK 2,400 (€290)
  • Total Year 1: €2,440

At Scale (10,000 users):

  • Platform fee: €1,680
  • BankID: €4,700
  • Vipps: €2,900
  • Total: €9,280/year

Conclusion: Cost scales linearly with users, remains affordable for fintech startup.


5. Risks and Mitigations

BankID Migration Risk (Critical)

Risk: April 1, 2026 deadline for Digital Trust Platform migration

Impact: Service disruption if not migrated in time

Mitigation:

  • If integrating via Idura: Migration handled by aggregator
  • If direct integration: Prioritize migration work immediately
  • Test new platform in preprod before March 31
  • Recommendation: Use Idura to offload migration risk

Age Verification Accuracy

Risk: Users might bypass age check with email/password

Mitigation:

  • Require BankID/Vipps for account activation
  • Email/password only for returning users
  • Periodic re-verification (annual)
  • Flag accounts without eID verification

User Adoption

Risk: Users unfamiliar with eID login may abandon signup

Mitigation:

  • Clear onboarding instructions
  • Video tutorial for first-time users
  • Support contact readily available
  • Fallback to manual verification if needed

Service Availability

Risk: BankID/Vipps downtime prevents login

Mitigation:

  • Multiple authentication options (BankID + Vipps)
  • Cache authentication status (JWT sessions)
  • Monitor provider status pages
  • Implement graceful degradation

Regulatory Changes

Risk: PSD2/eIDAS requirements may change

Mitigation:

  • Use compliant providers (BankID/Vipps are regulated)
  • Stay informed via provider newsletters
  • Idura handles compliance updates
  • Legal review of authentication flow

6. Questions Needing Verification

The following points require direct contact with providers for confirmation:

  1. BankID Direct Pricing: Current 2026 per-transaction costs (NOK 8,300/month model unclear on variable costs)
  2. Vipps Timeline: Exact onboarding timeline from application to production
  3. Vipps Active Users Model: Current 2026 pricing structure for active users billing
  4. Idura Large Tier: Volume thresholds for Small/Medium/Large tiers
  5. Minimum Requirements: Specific business registration requirements for Vipps merchant account
  6. SCA Dual-Use: Confirm BankID/Vipps can be used for BOTH login and payment authorization in same session
  7. April 2026 Migration: Detailed requirements if integrating direct BankID (not via aggregator)

7. Final Recommendation

Recommendation: Implement BOTH BankID and Vipps via Idura aggregator

Justification:

  1. Regulatory Compliance: BankID satisfies identity verification (18+, Norwegian resident)
  2. User Preference: Vipps more familiar, offers free login option
  3. PSD2 Dual-Use: Both serve as authentication AND SCA for payments
  4. Cost-Effective: Idura cheaper than direct integration until high volume
  5. Risk Mitigation: Idura handles April 2026 BankID migration
  6. Future-Proof: Easy to add Swedish/Danish eIDs for Nordic expansion
  7. Development Speed: Faster implementation with proven SDK

Implementation Priority:

  1. Phase 1: Email/Password (MVP launch)
  2. Phase 2: BankID via Idura (compliance requirement)
  3. Phase 3: Vipps via Idura (user convenience)

Next Steps:

  1. Contact Idura sales for Medium tier quote and setup
  2. Register test account and explore SDK documentation
  3. Validate integration with Next.js 16 App Router
  4. Architect user database schema (with eID verification fields)
  5. Implement BankID flow first (higher priority for compliance)
  6. Add Vipps as alternative option
  7. Load test authentication flow
  8. Production deployment with monitoring


Report Prepared By: John (AI Director)

Last Updated: 2026-02-15

Status: Research complete, awaiting approval for implementation