The BankID-service that we in Norway are dependent on for essentially everything does not work anymore. I have been using the BankID-app for 1,5 years now without issues, but now they are enforcing biometric authentication (previously you got a pop-up where you just clicked on it to confirm it is actually you).

So, to activate the new biometric feature, the app opens an in-app Vanadium window (incognito). You then get a prompt that says: "Do you want to store this passkey outside of incognito?". If you then click on yes, a biometric window labelled Google Play Services pops up. If I use my fingerprint on it, this GPS-window accepts it, but I then get sent back to the app and it tells me that I have to update the phone to use this function.

I presume that the GmsCompatConfig is not handling this correctly, but I would like to know if someone in the team @ GrapheneOS has any idea of what is going on and if it is possible to fix. I tried to enable JavaScript in the Vanadium window, but it had no effect.

versjon 4.2.2
no.vipps.bankid
versionCode 1730904452
targetSdk 35
minSdk 26
Installed: 19. apr. 2023; 17:33
Updated: 8. nov. 2024; 10:52

OS version: 2024110700

    Vanadium opening links in incognito tabs might be a problem. Have you tried a different browser like Brave (set as default)?

    Edit: or better yet, try this:
    Go to chrome://flags in Vanadium
    Search for "Incognito"
    An option called "Allow third party to open Custom Tabs Incognito mode" should pop up.
    Set it to "Disabled"
    Restart Vanadium, then try again.

    Panda-na

    I'm aware that the Norwegian BankID app has a passkey feature, which they call "faster BankID" ("raskere BankID" in Norwegian), and I've admittedly never got it to work on GrapheneOS. But

    Panda-na now they are enforcing biometric authentication

    I'm not seeing this. I updated to version 4.2.2 with a versionCode identical to the one you provided and the app functions just like before, i.e. the "faster BankID" feature is very much optional. I authenticated with a bank just now to test, and I get no message about having to set up biometric authentication.

    Where are you seeing the message about biometrics being enforced? Is it perhaps during registration of the app?

      fid02 I checked again, and it works like normal now. I discovered that there was an issue with BankID centrally, so that was what caused my issue. But I did not see anything in the media at the time, and it seemed to be a problem for me for a longer time than others.

      Still, it's probably not too long before they make the "faster BankID" feature mandatory, idk. I see a lot of this in my bank, they are hiding more and more features behind techniques for identifying me (sending a picture of my face, activating biometrics etc.).

      https://www.digi.no/nyhetsstudio/bankid-appen-fungerer-igjen/61294

        Panda-na Thanks for reporting back.

        Panda-na Still, it's probably not too long before they make the "faster BankID" feature mandatory, idk.

        I'm not very convinced that they will. Their FIDO2 passkey functionality ("faster BankID") does not even comply with their own highest level of assurance of authentication security – and BankID readily states that businesses should direct users towards password-based MFA if more than "substantial" authentication security is required. [source 1] [source 2]. Probably for that reason, hardly any banks use it for anything other than verifying smaller payments.

        For all of BankID's marketing about security against phishing, there's nothing stopping a random person from phoning me up and getting me to approve that "faster BankID" verification prompt on my phone: in my usage on stock PixelOS, there was never any verification of user proximity. Yes, you have to confirm that a verification code matches a code on the device you are signing in with, but that hardly adds any phishing-resistance compared to a password, as that random person can simply manipulate me into confirming that code anyway.

        Of course, they could decide to make registering the "faster BankID" feature mandatory for app users, even if most people never use it. That would be weird, but sure, why not.

          By the way, if anyone wants to have a go at debugging the passkey functionality of the BankID app, you can use BankID's demo site, which doesn't require an account/ID: https://bidaletheiacurrent-tester.azurewebsites.net/ – tap on "Sign up with Aletheia".

          I suspect that BankID is using some form of OS integrity check, but I don't have evidence of this. I'm not entirely convinced. Note that every functionality apart from their passkeys works fine on GrapheneOS. I will direct a question towards BankID about this.

          Note that BankID specifically disallows storing your passkey in password managers and external devices, so there's no use attempting to get it to do that. [source]