
Authentication

In order to improve readability, the authentication flow has been split into two separate diagrams, focusing on two different use cases within the authentication flow.

These use cases are:

  • Standard authentication flow (2.1)
  • Authentication including a user-initiated or forced password change (2.3)

In addition, this chapter describes the flow if the merchant application has initiated the BankID client using UserProfile.

Standard authentication flow

The following flow chart documents the transitions involved in the authentication flow, and ignores use cases involving cancellation of the BankID transaction and password change.


  1. At startup, the loading page dialog is presented.
  2. D01 is the dialog where the user enters the User-ID, unless the merchant application has implemented UserProfile.
  3. The user has entered no User-ID or one that is too short (less than 11 digits), and the E22 dialog is displayed.
  4. The last used HA service will be used, unless in one of the following situations:
    1. If the user has a new HA service that is never used, a HA List will be presented.
    2. If the user has both a PersonBankID and an EmployeeBankID, the user must select which BankID type and which related HA service to use in order to continue.
    3. If HA2 is selected, the dialog D07_ha will be displayed until the user interaction with the mobile device is finished.
    4. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. The user can go back to choose another HA service (7).
    5. If BIM HA is selected and the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed, until the user interaction with the mobile device is finished.
  5. If the end user has more than one HA service available and at least one of those has not been used, a HA List is provided for the user to choose from. The list is sorted:
    1. New HA service(s) are first in list
    2. HA service in user profile is second in list
    3. The rest of the HA service(s) are ordered by last used
  6. The user has selected a HA service in the list.
    1. If HA2 is selected, the dialog D07_ha will be displayed until the user interaction with the mobile device is finished.
    2. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. The user can go back to choose another HA service.
    3. If BIM HA is selected and the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed, until the user interaction with the mobile device is finished.
  7. The user can go back to choose another HA service in the list from D03_b, D03_cr_e, D03_m, D03_n and D07_ha.
  8. Either the HA code or the User-ID is incorrect, and the user is returned to the initial step in the flow and displayed the E19_1 "Incorrect data entered" dialog.
  9. Depending on the HA service selected by the user and the type of BankID in use, one of the listed dialogs will request the user to input his BankID password.
  10. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. If the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed.
  11. Once the user has completed the interaction with the mobile device, one of the listed dialogs will request the user to input his BankID password.
  12. The user entered the wrong password, but the HA code and the User-ID were correct.
  13. The user entered the UserID, HA code and password correctly, and is authenticated.
    1. If a callback method was provided in the initialisation of the BankID client, this method will be called and the client will terminate.
    2. If no callback method was provided, but a NextURL was provided by the client, the document containing the BankID 2.0 client will be redirected to the NextURL and the client will terminate.
    3. If no callback method and no NextURL were provided, the client will terminate silently.
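The following JavaScript is an added example, not code from BankID or from the client this page documents. It models the User-ID check (steps 2 and 3) and the HA service selection and ordering rules (steps 4 and 5) of the standard flow above. The dialog names D01 and E22 and the HA List come from the page; the shape of an HA service object, the `HA_SERVICE`/`HA_LIST` result names, the treatment of non-digit input and the sort direction behind "ordered by last used" are assumptions made for this example.

```javascript
// Added example, not BankID's own code: models the User-ID check (steps 2 and 3)
// and the HA-service selection rules (steps 4 and 5) of the standard
// authentication flow. Dialog names D01, E22 and the HA List come from the
// page; the HA-service object shape, the "HA_SERVICE"/"HA_LIST" result names
// and the sort direction for "ordered by last used" are assumptions.

// Step 2: D01 asks for the User-ID unless the merchant supplied a UserProfile.
function initialDialog(userProfile) {
  return userProfile && userProfile.userId ? "HA_SERVICE" : "D01";
}

// Step 3: no User-ID, or fewer than 11 digits, leads to dialog E22.
// Treating any non-digit character as invalid is an assumption.
function validateUserId(userId) {
  const value = String(userId ?? "").trim();
  return /^\d{11,}$/.test(value) ? "OK" : "E22";
}

// Constructed sample data: each HA service records the BankID type it belongs
// to and when it was last used (null means never used, i.e. "new").
const SAMPLE_HA_SERVICES = [
  { id: "bim-1", kind: "BIM", bankIdType: "PersonBankID", lastUsed: 1700000000000 },
  { id: "ha2-1", kind: "HA2", bankIdType: "PersonBankID", lastUsed: 1710000000000 },
  { id: "ha2-2", kind: "HA2", bankIdType: "PersonBankID", lastUsed: null },
];
const PROFILE_HA_ID = "bim-1"; // the HA service stored in the user profile

// Step 5 sort order: new services first, the profile's service second,
// the rest by last use (most recent first is an assumption).
function haListRank(service, profileHaId) {
  if (service.lastUsed === null) return 0;
  if (service.id === profileHaId) return 1;
  return 2;
}

function sortHaList(services, profileHaId) {
  return [...services].sort((a, b) => {
    const ra = haListRank(a, profileHaId);
    const rb = haListRank(b, profileHaId);
    if (ra !== rb) return ra - rb;
    return ra === 2 ? b.lastUsed - a.lastUsed : 0; // Array.prototype.sort is stable
  });
}

// Step 4: reuse the last-used HA service, except when a never-used service
// exists or the user holds both a PersonBankID and an EmployeeBankID; in both
// cases the user must choose from the HA List.
function selectHaService(services, profileHaId) {
  if (services.length === 0) throw new Error("user has no HA service");
  const hasNewService = services.some((s) => s.lastUsed === null);
  const bankIdTypes = new Set(services.map((s) => s.bankIdType));
  if (hasNewService || bankIdTypes.size > 1) {
    return {
      dialog: "HA_LIST",
      services: sortHaList(services, profileHaId).map((s) => s.id),
    };
  }
  const lastUsed = services.reduce((a, b) => (b.lastUsed > a.lastUsed ? b : a));
  return { dialog: "HA_SERVICE", service: lastUsed.id };
}

console.log(validateUserId("1234567890"));                       // E22
console.log(selectHaService(SAMPLE_HA_SERVICES, PROFILE_HA_ID));  // HA_LIST, ha2-2 first
```

With the constructed sample data the never-used service `ha2-2` forces the HA List, which comes out as `ha2-2`, then the profile's `bim-1`, then `ha2-1`; with `ha2-2` removed, `ha2-1` is reused directly as the most recently used service.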

Cancelling authentication in the different states is described in chapter 2.4.

Authentication using User Profile

If the merchant application initiates the BankID 2.0 client using UserProfile (entry of the User-ID and/or HA service in the merchant application, so that re-entry of these inputs is unnecessary), the user will enter the application in one of the HA service dialogs.
If the user provides an incorrect HA code after initiating the BankID transaction with UserProfile, the standard authentication flow is resumed: the user is returned to the User-ID dialog and shown the E19_1 "Incorrect data entered" dialog.

Authentication with user-initiated or forced password change


The flow chart documents the transitions involved in the authentication flow if the user chooses to initiate a password change from within the BankID 2.0 client's menu, or if a flag has been set forcing the user to change his/her password.
This flow chart ignores use cases where the authentication flow is interrupted by incorrect input by the end user, causing the client to transition to previous dialogs in the authentication flow.

  1. At startup, the loading page dialog is presented.
  2. D01 is the dialog where the user enters the User-ID, unless the merchant application has implemented UserProfile (see chapter 2.2).
  3. The last used HA service will be used, unless in one of the following situations:
    1. If the user has a new HA service that is never used, a HA List will be presented.
    2. If the user has both a PersonBankID and an EmployeeBankID, the user must select which BankID type and which related HA service to use in order to continue.
    3. If HA2 is selected, the dialog D07_ha will be displayed until the user interaction with the mobile device is finished.
    4. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. The user can go back to choose another HA service (6).
    5. If BIM HA is selected and the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed, until the user interaction with the mobile device is finished.
  4. If the end user has more than one HA service available and at least one of those has not been used, a HA List is provided for the user to choose from. The list is sorted:
    1. New HA service(s) are first in list
    2. HA service in user profile is second in list
    3. The rest of the HA service(s) are ordered by last used
  5. The user has selected a HA service in the list.
    1. If HA2 is selected, the dialog D07_ha will be displayed until the user interaction with the mobile device is finished.
    2. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. The user can go back to choose another HA service.
    3. If BIM HA is selected and the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed, until the user interaction with the mobile device is finished.
  6. The user can go back to choose another HA service in the list from D03_b, D03_cr_e, D03_m, D03_n and D07_ha.
  7. Depending on the HA service selected by the user and the type of BankID in use, one of the listed dialogs will request the user to input his BankID password.
  8. If BIM HA is selected and the user only has one BIM HA service, pressing the call-to-action button will cause the dialog D07 to be displayed until the user interaction with the mobile device is finished. If the user has multiple BIM HA services, the user will be prompted to enter his mobile phone number before the D07 dialog is displayed.
  9. Once the user has completed the interaction with the mobile device, one of the listed dialogs will request the user to input his BankID password.
  10. The user has initiated a password change by selecting "Change password" in the BankID 2.0 client's menu at any previous step in the authentication flow.
  11. A flag has been set by the issuing bank requiring the user to renew his/her password, and the user is shown a dialog informing them of the need to change the BankID password.
  12. The user has pressed the call-to-action button in the dialog informing the user of a need to change password.
  13. The user's new password does not match the criteria, or was not confirmed correctly.
  14. The I03 dialog is displayed, confirming to the user that the password has been changed.
  15. The user ticked the "Keep existing password" checkbox in the "Change password" dialog. (Only available if the password change is user-initiated). The user is authenticated.
    1. If a callback method was provided in the initialisation of the BankID client, this method will be called and the client will terminate.
    2. If no callback method was provided, but a NextURL was provided by the client, the document containing the BankID 2.0 client will be redirected to the NextURL and the client will terminate.
    3. If no callback method and no NextURL were provided, the client will terminate silently.
  16. The user is authenticated after a successful password change.
    1. If a callback method was provided in the initialisation of the BankID client, this method will be called and the client will terminate.
    2. If no callback method was provided, but a NextURL was provided by the client, the document containing the BankID 2.0 client will be redirected to the NextURL and the client will terminate.
    3. If no callback method and no NextURL were provided, the client will terminate silently.
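The following JavaScript is an added example, not code from BankID or from the client this page documents. It models the decision taken in the "Change password" dialog for steps 10 to 16 above: a user-initiated change may be abandoned via "Keep existing password", a forced renewal may not, a mismatch or failed criteria keeps the user in the dialog, and a successful change passes through I03 to the authenticated state. The dialog I03 and the checkbox come from the page; the password criteria, the `origin` values `USER`/`FORCED` and the returned dialog and error names are assumptions made for this example.

```javascript
// Added example, not BankID's own code: models the "Change password" decision
// in steps 10 to 16. Dialog I03 and the "Keep existing password" checkbox come
// from the page; the password criteria, the `origin` values and the returned
// dialog/state names are assumptions made for this example.

// The page does not state the password criteria. This placeholder rule
// (at least 8 characters and different from the current password) is an
// assumption standing in for the issuer's real policy.
function meetsPasswordCriteria(newPassword, currentPassword) {
  return typeof newPassword === "string" &&
    newPassword.length >= 8 &&
    newPassword !== currentPassword;
}

// Step 15: the checkbox is only offered when the change is user-initiated
// (origin "USER", from the client menu), never when the issuing bank has set
// the renewal flag (origin "FORCED").
function keepExistingPasswordAvailable(origin) {
  return origin === "USER";
}

// Decide the next dialog from the "Change password" dialog, given the origin
// of the change, the submitted form and the user's current password.
function handlePasswordChange(origin, form, currentPassword) {
  if (form.keepExisting) {
    // Enforce the rule in the handler as well as in the UI: not rendering the
    // checkbox for a forced renewal is presentation, not enforcement.
    if (!keepExistingPasswordAvailable(origin)) {
      return { dialog: "CHANGE_PASSWORD", error: "KEEP_EXISTING_NOT_ALLOWED" };
    }
    return { dialog: "AUTHENTICATED", passwordChanged: false }; // step 15
  }
  // Step 13: confirmation mismatch or criteria not met -> stay in the dialog.
  if (form.newPassword !== form.confirmPassword) {
    return { dialog: "CHANGE_PASSWORD", error: "CONFIRMATION_MISMATCH" };
  }
  if (!meetsPasswordCriteria(form.newPassword, currentPassword)) {
    return { dialog: "CHANGE_PASSWORD", error: "CRITERIA_NOT_MET" };
  }
  // Step 14: I03 confirms the change; step 16: the user is then authenticated.
  return { dialog: "I03", passwordChanged: true, then: "AUTHENTICATED" };
}

// Constructed usage: a forced renewal where the user tries to keep the old password.
console.log(handlePasswordChange("FORCED", { keepExisting: true }, "old-secret-1"));
```

The point of `keepExistingPasswordAvailable` being consulted inside `handlePasswordChange` is that the issuer's renewal flag is honoured regardless of what the dialog displayed.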


Cancelling authentication

There is no flow chart for cancelling the authentication transaction, but all dialogs have a "Cancel BankID" menu item. If the end user selects this menu item from anywhere inside the authentication flow, a transition is made to a confirmation dialog (C03), asking the user to confirm the cancellation. If the user chooses to confirm, the transaction is aborted.

  1. If a callback method was provided in the initialisation of the BankID client, this method will be called and the client will terminate.
  2. If no callback method was provided, but a NextURL was provided by the client, the document containing the BankID 2.0 client will be redirected to the NextURL and the client will terminate.
  3. If no callback method and no NextURL were provided, the client will terminate silently.
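The following JavaScript is an added example, not code from BankID or from the client this page documents. It implements the three-way termination rule that the page states identically for a successful authentication (step 13 of the standard flow), for steps 15 and 16 of the password-change flow, and for a confirmed cancellation via C03 above. The option names `callback` and `nextUrl` mirror the page's "callback method" and "NextURL"; the injected `navigate` function, the result objects, and the NextURL allow-list check are assumptions made for this example, not documented BankID behaviour.

```javascript
// Added example, not BankID's own code: the termination rule the page repeats
// for successful authentication, for the password-change flow and for a
// confirmed cancellation (C03). `callback` and `nextUrl` mirror the page's
// "callback method" and "NextURL"; the injected `navigate` function, the
// result objects and the NextURL allow-list check are assumptions.

// Start of the cancellation path: "Cancel BankID" from any dialog opens the
// confirmation dialog C03 and remembers where to return if the user declines.
function cancelFromMenu(currentDialog) {
  return { dialog: "C03", returnTo: currentDialog };
}

// The page does not say how NextURL is validated. Restricting the redirect
// target to an allow-list of merchant origins is a guard added here, not a
// documented BankID rule; it is only applied when an allow-list is configured.
function isAllowedNextUrl(nextUrl, allowedOrigins) {
  try {
    return allowedOrigins.includes(new URL(nextUrl).origin);
  } catch (e) {
    return false; // not an absolute URL
  }
}

// 1. callback provided: call it and terminate.
// 2. no callback but a NextURL: redirect the document containing the client.
// 3. neither: terminate silently.
function completeTransaction(outcome, options, navigate) {
  if (typeof options.callback === "function") {
    options.callback(outcome);
    return { action: "CALLBACK" };
  }
  if (options.nextUrl) {
    if (options.allowedOrigins && !isAllowedNextUrl(options.nextUrl, options.allowedOrigins)) {
      // Falling back to silent termination for a rejected URL is this example's choice.
      return { action: "SILENT", rejectedNextUrl: options.nextUrl };
    }
    navigate(options.nextUrl);
    return { action: "REDIRECT", url: options.nextUrl };
  }
  return { action: "SILENT" };
}

// C03: a confirmed cancellation aborts the transaction and terminates by the
// same rule; declining returns the user to the dialog they came from.
function confirmCancellation(pending, confirmed, options, navigate) {
  if (!confirmed) return { dialog: pending.returnTo };
  return completeTransaction({ status: "CANCELLED" }, options, navigate);
}

// Constructed usage: a merchant page that supplies only a NextURL and an allow-list.
const demoOptions = {
  nextUrl: "https://merchant.example/bankid/done",
  allowedOrigins: ["https://merchant.example"],
};
console.log(confirmCancellation(cancelFromMenu("D01"), true, demoOptions,
  (url) => console.log("redirect ->", url)));
```

Because `navigate` is injected rather than calling `window.location` directly, the same function runs both in the browser and in a test that only records the URL it would have redirected to.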