Self-Service Account Recovery for BankID
€11 million projected yearly savings for BankID BankAxept (Bidbax) with self-service account recovery using ReadID's NFC-based identity verification for their 4.7 million users across Norway.


"The chipped document is the most critical part of the process. We will never go back to the old way of account recovery."
Ove Morten Stalheim
Product Manager, BankID Norway
To get a BankID, you need to verify that you are a real person and part of the national population registry with a valid Norwegian or other nation's identity document. BankID had two variants: BankID mobile and BankID net-centric.
BankID mobile, which used a private key stored on the phone's SIM card and bound to a person's identity, has been phased out in favour of BankID net-centric. BankID net-centric, from now on referred to as BankID in this case study, is a centrally stored credential protected by two-factor authentication.
The authenticators are a knowledge element (password) and a possession element in the form of a physical code generator or a bespoke iOS/Android app with a device-bound credential.
The challenge
The closure of BankID mobile in 2023 led to a situation where users who lost their authenticators were left with no alternative means to prove who they are remotely at a sufficient level of digital assurance.
BankID were facing high contact centre costs and a time-intensive process during the account recovery procedure. If the user wanted to reset their password, the process of waiting for a contact centre agent and answering security questions took an average time of 10 minutes, a huge cost to both the users and the banks.
Therefore, BankID BankAxept (Bidbax), the organisation behind BankID, decided to transition to self-service account recovery by creating a seamless and fast way for end users to verify their identity remotely at the highest level of assurance. To do so, they needed a form of identity document verification that fulfilled eIDAS High requirements.
The search for the solution
Optical document verification technologies were dismissed due to cost and security concerns.
"With optical there is no guarantee that the image is real and has not been replaced." - Ove Morten Stalheim, BankID Product Manager
The rise of generative AI, and the knowledge that large ID document databases are sold on the dark web, meant fraudsters could easily bypass optical checks with a manipulated image. These concerns led Bidbax to research alternative methods of identity verification.
NFC document chip authentication aligned perfectly with BankID’s standing as a Public Key Infrastructure solution. The cryptography in NFC chips verifies data integrity and authenticity, and detects any cloning attempt.
The solution Bidbax selected also needed to be compliant with the eIDAS High assurance level. After extensive vulnerability modelling, NFC chip verification and facial biometrics were selected for remote self-service verification owing to their ability to defend against scalable attacks.
"We needed that dialogue between the device and the document chip - NFC is the only physical document verification that works remotely." - Ove Morten Stalheim, BankID Product Manager
Success for Bidbax in implementing self-service account recovery would mean a significant reduction in contact centre call volume and time taken during the password reset process. Higher conversion rates would offer proof of an improved user experience. The selected solution needed to also fit BankID’s core value of centralisation and be easily implementable across all participating banks.

"The total number of calls regarding BankID has dropped by 35% per month from the last quarter of 2024. Self-service account recovery has made a big contribution to this. Both customers and agents are happier while we have made huge savings."
Erlend Sunder, Director Payments and Infrastructure
Eika, Issuer of BankID
The solution
Bidbax already used ReadID in their onboarding process. Once Norwegian financial regulators had approved the use of document chips for account recovery, Bidbax quickly implemented ReadID in their account recovery flow as well.
The results
Following integration of ReadID, BankID issuers saw password reset drop from the number 1 reason for contact centre calls to number 4, and 70% of users have switched to the self-service flow. This creates an annual operational outcome value of around €11 million when fully adopted by all BankID issuers, accounted for almost equally by operational cost savings and customer satisfaction. 3.7 million users now use the BankID net-centric app for authentication.
“The number of false rejections is really low, and we see first-attempt conversion rates of 90%, which is at the top level.” - Ove Morten Stalheim