CASE STUDY

DnB NOR, Norway’s Largest Financial Services Group, Implemented OneSpan’s Digipass to Secure the BankID Scheme.

BankID delivers a public key infrastructure (PKI) solution enabling members of the Norwegian public to identify themselves and sign digital documents from authorities, companies and other organizations on the Internet. The BankID scheme works with nearly all Norwegian banks and banking groups, including DnB NOR. It is an open national standard for all citizens with an online bank, and for all enterprises and public offices, and is based on PKI technology. To meet BankID’s security requirements, DnB NOR implemented OneSpan’s patented DIGIPASS technology with One-Time Passwords.


BankID: a Norwegian National Electronic ID Infrastructure

BankID is an electronic ID infrastructure offering a secure and cost-effective Internet security solution for identification and electronic signatures. It enables Norwegian citizens to identify themselves and digitally sign documents from authorities, companies and other organizations on the Internet by using the BankID electronic identification and signature system. The solution is used in Internet Banking applications, e-commerce, e-government and public & private services. BankID’s services are based on qualified certificates.

Banks within the Norwegian financial community were looking at new ways to expand their role as a trusted business partner to the Internet. The challenge was to design a security standard bringing multiple users on multiple platforms together. Public Key Infrastructure was seen as the best option to fulfil the requirements of confidentiality and non-repudiation allowing authentication to safeguard the integrity of information.

In 2001 the banks established a body, COI (BankID Common Operational Infrastructure), provided by BBS (The Norwegian Banks’ Payments and Clearing Centre), to ensure efficient cooperation in developing and maintaining a national PKI infrastructure. They made mutual agreements concerning standards and quality levels and chose the BankID scheme because it is a cost-efficient solution in which costs are spread across a large number of banks. Although they collaborate on the infrastructure, the banks compete in the marketplace with BankID, in both the retail and corporate market segments.

BankID went live in 2004, and online banks were the first to use BankID for identification and signatures. At present 1.5 million users have signed up for BankID with their online bank. The final aim is to reach all e-banking users in Norway, which amounts to approximately 2.5 million users.

DnB NOR wants to issue all its online users with a BankID by the end of 2009. Another aim is to significantly increase the number of merchants from today’s number of 260. For 2008 it’s expected that more than 150 million identification and signature transactions will be processed by BankID.


Strong 2-factor authentication enabling innovative PKI design

BankID requires no smartcard infrastructure, smartcard readers or any proprietary software on the end-users’ PC. The DnB NOR customers’ private key is stored in a central electronic vault and is safeguarded by their DIGIPASS and static password. This design provides a high level of user friendliness, reduces costs significantly and maintains the required level of security. In 2006 the BankID scheme won the EEMA Excellence Award for its design.

Banks and merchants are provided with a BankID Server which executes all cryptographic functions. End users communicate with the merchant and the BankID infrastructure through an applet which is downloaded every time the end users want to perform an identification and/or signing process.

The bank’s customer is issued a personal certificate, whereas the merchant or public office receives a merchant certificate from its bank. The BankID scheme validates all certificates issued by the customers’ and the merchant’s bank. This then allows customers and merchants to conduct their business in a secure way through authentication and signatures. The customer’s identity is guaranteed by the member bank issuing the BankID.

The BankID scheme provides strong authentication and secure digital credentials for end-users to safeguard their sensitive and confidential information. It also provides greater security as users’ credentials are validated in real-time, giving fraudsters virtually no chance to intercept vital information.

A simple, user-friendly, efficient and cost reducing solution

The benefits of the national electronic ID infrastructure are obvious. Customers can sign virtually all types of contracts online, but BankID is not only used for ordering services and products. It can be (and will be) used for stock market transactions, loans & credits and insurance services. “Signing online contracts with BankID provides significant cost reductions and will also increase customer satisfaction”, says Geir Øiestad, Head of Internet Banking at DnB NOR.

We have received a lot of positive feedback from our customers experiencing the safe and simple use of BankID throughout merchants on the Internet requiring only one password and one DIGIPASS.

Choosing OneSpan Strong Authentication

DnB NOR worked with different One-Time Passwords for their retail customers. To simplify the handling process and to reduce costs in the long term, the bank was on the lookout for one single authentication method which would meet all the demands from the BankID scheme, and at the same time provide user-friendliness and low costs.

“We inventoried all of our different authentication products and evaluated them in terms of cost, security, user friendliness, administration and support”, says Geir Øiestad.

The study revealed that DIGIPASS GO 3 received the highest scores. In the end, the DIGIPASS GO 3 solution represented the best economy based on a 3-year lifecycle.

The customer user test showed that clients were also delighted with GO 3. The bank didn’t want to burden its customers with a long and complex logon procedure; therefore DIGIPASS GO 3 was the ideal solution. The DIGIPASS authentication software is incorporated into the portable DIGIPASS GO 3. With a touch of a button, customers can generate a unique dynamic password granting them access to the bank’s online applications. “We decided to use DIGIPASS GO 3 for all our retail customers and DIGIPASS 250 for our corporate clients. Because we now distribute one single authentication method, our administration and support was also simplified and we could offer a transparent service”, says Geir Øiestad. “Experience so far teaches us that customers are very positive about the device, that it’s very user friendly and mobile.”

One small disadvantage DnB NOR noticed is that some customers hold their DIGIPASS upside down. Because of the large quantities distributed by DnB NOR, and for flexibility and availability of stock, the bank chose to work with a standardized version of the DIGIPASS instead of a customized casing. The lack of a text or company logo sometimes leaves customers unsure how to hold the device.

Customer satisfaction increased, administrative handling and cost decreased, and DnB NOR’s support services find it easier to train their employees now that they have chosen one single authentication method. Reactions to DIGIPASS GO 3 are positive and very few DIGIPASS devices experienced technical problems.

Objective

DnB NOR needed to implement a security solution for BankID that would meet all of BankID’s security requirements. Previously, the company worked with different types of systems and security devices for their retail customers. Some customers even had several different devices.

Challenge

DnB NOR wanted to implement one single authentication method to simplify handling which would lead to more satisfied customers and would also reduce costs in the long term. A better and clearer logon process would also reduce calls to the bank’s call centre.

Solution

DnB NOR found in OneSpan’s DIGIPASS GO 3 the security solution to suit its own and its customers’ needs. DIGIPASS GO 3 is a simple and user-friendly authentication device, offering a high security level compliant with BankID’s security standards.
