"Raskere BankID": BankID (Norway) bans passwordless sign-in on GrapheneOS

fid02

Most GrapheneOS users in Norway will know what app and feature I'm referring to, but for people who don't know: BankID (Norway) is an app used for authentication to all digital public services, and hundreds of businesses also use it to confirm customers' identities before they are allowed to sign in to their service or sign a document/contract. The app moreover has a feature called "faster BankID" ("raskere BankID") which uses FIDO2 to allow people to authenticate with biometrics for some services instead of using a password + push notification*. While the rest of the app works fine on GrapheneOS, "faster BankID" has never worked because the app is using the Play Integrity API when users sign up for the feature:

According to BankID, "faster BankID" relies on Google to approve of the operating system's "security" which means that, in BankID's words, "modified" phones might not be able to use the feature. In effect, GrapheneOS users are banned from using passwordless sign-in with BankID simply because GrapheneOS does not license Google Mobile Services (GMS).

BankID readily admits on their website that they outsource the work of performing operating system "security" checks to Google (my translation):

Some Android phones lack technical support, or so-called 'key attestation', which is required in order to activate biometrics. This is when Google confirms the security of the key management. For instance, if one modifies one's phone, it might occur that Google cannot accept it.

I have confirmed this with my bank's customer support, whom also added (my translation):

If you have GrapheneOS installed on your phone, it has to be removed. Instead, a "standard OS" must be used.

This of course has nothing to do with security, as GrapheneOS is objectively a more secure OS than Google's PixelOS.

While this is only a subfeature of the app, it's nevertheless a convenience feature that GrapheneOS users are blocked from using, and BankID ought to be made aware that this is not a secure way of attesting to an OS' security. There's also always the chance that they might extend the usage of Play Integrity to the rest of the app, which would be bad for GrapheneOS users in Norway, so BankID ought to receive pushback for this.

Here's what you can do if you're affected:

From the following page: https://grapheneos.org/articles/attestation-compatibility-guide#apps-banning-grapheneos:

In addition to leaving feedback for these apps on the Play Store, file support requests and leave feedback on third party review sites. Ask them to stop banning GrapheneOS and explain that it's a much more secure OS than what they permit which does not lose any of the standard security model. Explain that they can use the hardware key attestation API to verify that a device is running GrapheneOS to permit it alongside an OS licensing Google apps as they do with the Play Integrity API already. Make sure to push back against false claims that it has something to do with compatibility or security issues. The only reason they aren't permitting it is because we do not license Google Mobile Services (GMS) and these apps are enforcing Google's business interests rather than security.

Important that you link to the attestation compatibility guide so that you can show them that there's a way to allow GrapheneOS while still upholding the ban on other aftermarket operating systems if BankID wants to do that.

Note that BankID does not have a direct support line for private individuals, so you'll have to send the feedback to your bank and ask them to forward it to BankID.

For users who don't use the app, you can test signing up to "faster BankID" using an official demo for it on this website (select "sign up with Aletheia"): https://bidaletheiacurrent-tester.azurewebsites.net/

More information on the Play Integrity API can be found here: https://grapheneos.social/@GrapheneOS/112878067304840664

*At least for now, there's fortunately still the option of carrying a code chip around with you instead of relying on the app.

fid02

fid02 the app is using the Play Integrity API when users sign up for the feature

I might've been wrong about BankID Norway using the Play Integrity API in strong mode during activation of the passkey feature ("faster BankID"). They are clearly outsourcing an integrity check to Google, according to their own documentation, but they might not be using the Play Integrity API in strong mode for this. I deeply apologise for the mistake.

The app is still not allowing the feature to be used with GrapheneOS, so practically it doesn't matter much how it's doing that; can still rightly complain to them about it.

Here are my findings so far:

– With Sandboxed Google Play's new system for notifying users of Play Integrity API usage, it notifies the user that BankID is using the Play Integrity API when the user starts the app and occasionally during normal usage and when the app is in the background. However, it does not detect Play Integrity API usage when attempting to enroll with faster BankID. It is of course possible that the app does a precheck using the API when the app is launched, and blocks the sign-up based on those results; who knows.

– It was always clear from system logs that the app was using the Play Integrity API for… something, so this is not a surprise. It's also listed in the app's "Licenses for open source code".

– Blocking the app from using the Play Integrity API apparently changes nothing

–

fid02 For users who don't use the app, you can test signing up to "faster BankID" using an official demo for it on this website (select "sign up with Aletheia"): https://bidaletheiacurrent-tester.azurewebsites.net/

If I revoke the Network permission for Play services, I am able to successfully enroll in "faster BankID" using this demo site. That at least indicates that there's no bug or limitation with Sandboxed Google Play that's hindering compatibility. (Revoking the Network permission for Play services does not trick the app, however; it merely shows a message that the service is unavailable).

The app is clearly using the Play Integrity API but perhaps not enforcing strong mode to ban non-GMS licensed operating systems, but doing it some other way which still involves some Google service.

HMC

fid02 Is there an option for a dongle for people who don't have a phone?

cdflasdkesalkjfkdfkjsdajfd

The future of GrapheneOS and the rest of custom ROMs is darker than ever, unfortunately.

fid02

cdflasdkesalkjfkdfkjsdajfd GrapheneOS is an operating system, not a "ROM".

de0u

cdflasdkesalkjfkdfkjsdajfd The future of GrapheneOS and the rest of custom ROMs is darker than ever, unfortunately.

This claim might turn out to be true eventually (many things might!), but at present it does not appear to be substantiated. For example:

I believe that within the past year Apple was forced to add alternate app stores to iOS,
I believe that within the past year a UK bank, Starling, that had rejected GrapeneOS switched to allowing it.

With reference to this particular thread:

The original poster is seeking backers for a campaign to fix something that did not previously work. This thread is about hopefully improving a situation, not about a situation that has recently become worse. Thus this thread is not evidence about the future being "darker".

Panda-na

It's unfortunate. @fid02 Thank you for doing this. I will make sure to do the same with my banks.

p-marg

I have reached out multiple times regarding support for GrapheneOS, as I live in Norway, but I have not received any response.

p-marg

Can you link me directly to where it is stated that alternative operating systems are not supported? My app functions perfectly; the only limitation I face is with the optional fingerprint authentication feature. I can use BankID without any issues, and I just successfully logged into Helsenorge and my bank.

The optional fingerprint authentication feature is designed for easier sign-ins, allowing users to not enter their BankID password each time. However, aside from this optional feature, the app operates with no issues for me.

fid02

p-marg Can you link me directly to where they state alternative operating system are not supported, my app works fine, only thing I can't use is the optional Fingerprint authentication via the app, I can use BankID fine no problems at all, i just signed into Helsenorge, and my Bank without issues.

Could you please read the first post in its entirety, including the thread's title? I have already written about this.

p-marg

fid02 Ah they don’t allow direct links to that specific topic, even though it appears possible when you hover over them. Anyway I found it under 'Jeg har en Android-telefon, men får ikke aktivert biometri. Hva kan være galt?' To me it just sounds like the optional faster login via Fingerprint. I can still enter my social security number on a login page and confirm it through the app.

Yeah i came of to a bad start, i see you also mention it as a sub feature, my bad lol

fid02

p-marg To me it just sounds like the optional faster login via Fingerprint.

Yes, as I have stated in the title and the post, BankID is enforcing Play Integrity for the feature called "raskere BankID". The feature is known to users because there's a permanent ad for it in the app if you haven't enabled it.

Edit: didn't see your edit before now. Glad it's cleared up!

p-marg

I have reminders on my phone to send them a message every month about this wherever i can, so dumb of them not to support GrapheneOS.

Also, I often click the "Give Feedback" button in the app!

p-marg

fid02 Yeah, I often find myself starting off on the wrong foot when I hear about BankID Norway and GrapheneOS. I realize I sometimes jump to conclusions without fully reading the entire posts. Since BankID is essential for me, I tend to feel quite sensitive about this topic, haha.

AlphaElwedritsch

If Google doesn't change its mind or a workaround will be found, things will soon look really bleak...

fid02

The original poster is seeking backers for a campaign to fix something that did not previously work.

Correct. It appears that faster BankID has never actually functioned on GrapheneOS from since the feature was launched, so one might deduce that the Play Integrity API was used for it from the get-go.

fid02

andrej567 Try with latest grapheneos at the end of this week, once you get the stable update 2025012700. there could be some hope in it.

↓

fid02 With Sandboxed Google Play's new system for notifying users of Play Integrity API usage, it notifies the user that BankID is using the Play Integrity API

fid02 Blocking the app from using the Play Integrity API apparently changes nothing

andrej567

Try with latest grapheneos at the end of this week, once you get the stable update 2025012700. there could be some hope in it.

andrej567

fid02 my hope was, that if the app uses the same silly lib as revolut does, that checks for build user name and detects graphnene and rejects it, this should not work anymore. Or it will be clear at least that the norwegian app really uses play integrity and not something else

fid02

HMC Is there an option for a dongle for people who don't have a phone?

Yes, thankfully. I think banks still hand them out free of charge when you sign up for BankID.

lbschenkel

@fid02: So the Norwegian version never allowed fingerprint without Integrity?

The Swedish version of BankID is more lax. It allows the usage of fingerprint without issue (but I only enabled it for identification, not signing). At least in non-activation flows it does not use Integrity API at all, at least I haven't seen any notification so far in latest GOS.

I dread the day they will decide to adopt it. I don't know the situation in Norway, but in Sweden if you can't use BankID you're almost like an undocumented person. And to add insult to injury, there's no dongle alternative...

fid02

lbschenkel So the Norwegian version never allowed fingerprint without Integrity?

Has never allowed activating the fingerprint feature unless the OS passes a check performed by Google. Not clear if it's Play Integrity or not for this specific check, but they state they're using a Google service to perform the check.