Signing documents using eID mechanisms such as BankID is a great way to digitize and streamline business processes. Another great advantage of signing with eID is the strong link between the document and the identity of the signer, because a secure identification of the signer is performed implicitly when the document is signed.
BankID is today primarily used as an authentication method to log in to different web applications such as online banking, government services, etc. As a rule of thumb, a secure authentication process should involve at least two so-called “factors”, meaning that a user is granted access only after successfully presenting two or more pieces of evidence (two-factor authentication, or 2FA). There are three common factors used for authentication: something you know (such as a password or PIN), something you have (such as a smart card) and something you are (such as a fingerprint or another biometric). Both authentication and signing with eID require the use of two such factors.
The Norwegian BankID infrastructure has two separate mechanisms for authentication: netcentric BankID and BankID on mobile. Netcentric BankID uses a one-time password generated by a hardware token (commonly known as a “kodebrikke” in Norwegian) as the “have” factor and a password as the “know” factor. With BankID on mobile, the “have” factor is the mobile phone (or, more precisely, the SIM card), and the “know” factor is a four-digit PIN.
Today, if you are required to sign a PDF document with BankID, an active regular (netcentric) BankID is required. BankID on mobile does not support native signing of PDF documents, only of short texts. This is a problem, because many people only use BankID on mobile and have thrown away their hardware token and/or forgotten their password for netcentric BankID. The netcentric BankID may also have expired if it has not been used for a long period. This is more common than one might think, because most people find BankID on mobile more user friendly and don’t want to carry the hardware token around with them.
To solve this problem, Idfy has developed a solution where we present the document to the signer in our own responsive document viewer. The signer then signs a hash that is uniquely linked to the document presented. This hash is signed using the native short-text signing capability of BankID on mobile. This way, the signer only needs a working BankID on mobile, and only has to enter their phone number, date of birth and four-digit PIN. This makes it incredibly simple to sign a document, and the signature conversion rate improves significantly.
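As an added illustration of the hash-then-sign step described above (this is example code, not Idfy’s implementation and not the BankID API): the document bytes shown in the viewer are hashed, the digest is embedded in a short text, and only that short text is signed. Ed25519 stands in for the signature that BankID on mobile would produce, and the wording of the signing text is an assumption made for the example. The verification side shows why the binding matters: a document whose bytes differ from what was hashed fails even though the signature itself is still valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrDocumentMismatch = errors.New("document does not match the digest in the signed text")
	ErrBadSignature     = errors.New("signature over the signed text does not verify")
)

// DocumentDigest hashes the exact bytes rendered in the viewer. Any change to the
// document, even a single byte, yields a different digest.
func DocumentDigest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// SigningText is the short, human-readable text the signer approves with their PIN.
// Embedding the digest is what binds the signature to the document. The wording is
// an assumption for this example, not Idfy's or BankID's format.
func SigningText(docName, digest string) string {
	return fmt.Sprintf("I hereby sign %q (SHA-256: %s)", docName, digest)
}

// SignedRecord is what a signing service would store next to the document bytes.
type SignedRecord struct {
	DocName   string
	Text      string            // the exact text that was signed
	Signature []byte            // signature over Text
	Signer    ed25519.PublicKey // stand-in for the signer's BankID certificate
}

// Sign hashes the document, builds the text and signs that text. Ed25519 stands in
// for the signature BankID on mobile would produce; only the short text is signed,
// never the PDF itself.
func Sign(priv ed25519.PrivateKey, docName string, doc []byte) SignedRecord {
	text := SigningText(docName, DocumentDigest(doc))
	return SignedRecord{
		DocName:   docName,
		Text:      text,
		Signature: ed25519.Sign(priv, []byte(text)),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks both halves of the binding: the signature must verify over the
// stored text, and the text must be exactly what hashing the document we hold now
// would produce. Recomputing the text avoids parsing the digest back out of it.
func Verify(rec SignedRecord, doc []byte) error {
	if !ed25519.Verify(rec.Signer, []byte(rec.Text), rec.Signature) {
		return ErrBadSignature
	}
	if rec.Text != SigningText(rec.DocName, DocumentDigest(doc)) {
		return ErrDocumentMismatch
	}
	return nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample: stands in for the bytes of the PDF shown in the viewer.
	original := []byte("%PDF-1.7 ... Lease agreement, rent NOK 12000 ...")
	rec := Sign(priv, "lease.pdf", original)
	fmt.Println("signed text:", rec.Text)
	fmt.Println("verify original:", Verify(rec, original))

	// Same signature, different document: the digest no longer matches.
	tampered := []byte("%PDF-1.7 ... Lease agreement, rent NOK 21000 ...")
	fmt.Println("verify tampered:", Verify(rec, tampered))
}
```

Two practical consequences follow from this structure. The service must archive exactly the bytes that were hashed and shown, since any later re-rendering or re-saving of the PDF changes the digest and breaks verification. And in a real deployment the Ed25519 step is replaced by validating the BankID signature and the signer’s certificate through the BankID infrastructure; the document-digest comparison in `Verify` is the part the relying party still has to do itself.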