"Raskere BankID": BankID (Norway) bans passwordless sign-in on GrapheneOS

DeletedUser370

The original poster is seeking backers for a campaign to fix something that did not previously work.

Correct. It appears that faster BankID has never actually functioned on GrapheneOS from since the feature was launched, so one might deduce that the Play Integrity API was used for it from the get-go.

DeletedUser370

DeletedUser370 the app is using the Play Integrity API when users sign up for the feature

I might've been wrong about BankID Norway using the Play Integrity API in strong mode during activation of the passkey feature ("faster BankID"). They are clearly outsourcing an integrity check to Google, according to their own documentation, but they might not be using the Play Integrity API in strong mode for this. I deeply apologise for the mistake.

The app is still not allowing the feature to be used with GrapheneOS, so practically it doesn't matter much how it's doing that; can still rightly complain to them about it.

Here are my findings so far:

– With Sandboxed Google Play's new system for notifying users of Play Integrity API usage, it notifies the user that BankID is using the Play Integrity API when the user starts the app and occasionally during normal usage and when the app is in the background. However, it does not detect Play Integrity API usage when attempting to enroll with faster BankID. It is of course possible that the app does a precheck using the API when the app is launched, and blocks the sign-up based on those results; who knows.

– It was always clear from system logs that the app was using the Play Integrity API for… something, so this is not a surprise. It's also listed in the app's "Licenses for open source code".

– Blocking the app from using the Play Integrity API apparently changes nothing

–

DeletedUser370 For users who don't use the app, you can test signing up to "faster BankID" using an official demo for it on this website (select "sign up with Aletheia"): https://bidaletheiacurrent-tester.azurewebsites.net/

If I revoke the Network permission for Play services, I am able to successfully enroll in "faster BankID" using this demo site. That at least indicates that there's no bug or limitation with Sandboxed Google Play that's hindering compatibility. (Revoking the Network permission for Play services does not trick the app, however; it merely shows a message that the service is unavailable).

The app is clearly using the Play Integrity API but perhaps not enforcing strong mode to ban non-GMS licensed operating systems, but doing it some other way which still involves some Google service.

DeletedUser370

andrej567 Try with latest grapheneos at the end of this week, once you get the stable update 2025012700. there could be some hope in it.

↓

DeletedUser370 With Sandboxed Google Play's new system for notifying users of Play Integrity API usage, it notifies the user that BankID is using the Play Integrity API

DeletedUser370 Blocking the app from using the Play Integrity API apparently changes nothing

andrej567

Try with latest grapheneos at the end of this week, once you get the stable update 2025012700. there could be some hope in it.

andrej567

DeletedUser370 my hope was, that if the app uses the same silly lib as revolut does, that checks for build user name and detects graphnene and rejects it, this should not work anymore. Or it will be clear at least that the norwegian app really uses play integrity and not something else

HMC

DeletedUser370 Is there an option for a dongle for people who don't have a phone?

DeletedUser370

HMC Is there an option for a dongle for people who don't have a phone?

Yes, thankfully. I think banks still hand them out free of charge when you sign up for BankID.

lbschenkel

@DeletedUser370: So the Norwegian version never allowed fingerprint without Integrity?

The Swedish version of BankID is more lax. It allows the usage of fingerprint without issue (but I only enabled it for identification, not signing). At least in non-activation flows it does not use Integrity API at all, at least I haven't seen any notification so far in latest GOS.

I dread the day they will decide to adopt it. I don't know the situation in Norway, but in Sweden if you can't use BankID you're almost like an undocumented person. And to add insult to injury, there's no dongle alternative...

DeletedUser370

lbschenkel So the Norwegian version never allowed fingerprint without Integrity?

Has never allowed activating the fingerprint feature unless the OS passes a check performed by Google. Not clear if it's Play Integrity or not for this specific check, but they state they're using a Google service to perform the check.

DeletedUser370

To be clear, again: the fingerprint feature is not required to use the app. Some readers of the thread seem to misunderstand this (they haven't used the app?). It's just a convenience feature. It doesn't even meet BankID's own security requirements; only password + MFA does that (according to their website). It's of course concerning that they're doing this, since it indicates a willingness to adopt it, which could be extended to the rest of the app in the future – hence why I made this thread to encourage users to complain to them about it. The latest version of GrapheneOS will notify users that it's using the Play Integrity API so perhaps that will encourage more users to reach out to them. But currently most of the app works fine on GrapheneOS.

lbschenkel

DeletedUser370 In Norway does that dongle work as an alternative to BankID itself (or is it a form of BankID)? In Sweden the banks give this dongle, but it's only useful for logging in into the bank itself or to enrol into BankID. Everything else requires you using the BankID app, and the dongle cannot be used for that.

At least in Denmark they do offer the dongle option. But in Sweden there's no such thing. It's mind-blowing to me, but that's how it is...

DeletedUser370

lbschenkel In Norway does that dongle work as an alternative to BankID itself (or is it a form of BankID)?

The dongle is part of BankID and can be used every time you authenticate with BankID. You don't need the app. Some banks also offer a dongle as an alternative to BankID, in addition to it being able to be used with BankID. So on the whole the situation is currently a good one for GrapheneOS users. Just this passkey/fingerprint feature that doesn't work. Would be nice if it did but it's not awful that it doesn't.

lbschenkel

The dongle is part of BankID and can be used every time you authenticate with BankID.

That is good. Same as Denmark then. Unfortunately that is not the case in Sweden. There is no BankID in dongle form. There is the mobile app, BankID on bank card (card reader in computer), and BankID "on file" (app in computer). These two later forms are mostly historical, many banks no longer or never offered them, I'm not even sure if you can get a new one in these forms nowadays.

That puts us GrapheneOS users in Sweden in a very precarious position. If Swedish BankID ever decides to use Play Integrity, it's game over. There's no practical alternative. You either have to carry multiple phones (because you will need to use it at some point on-the-go) or you have to give up on GOS and use stock again.

DeletedUser370

If Swedish BankID ever decides to use Play Integrity, it's game over. There's no practical alternative. You either have to carry multiple phones (because you will need to use it at some point on-the-go) or you have to give up on GOS and use stock again.

I looked it up, and it turns out that the academic term "complete joke" is a good one here.

andzhi4

DeletedUser370 That on the other hand would be a solid foundation for a campaign against such practices

andrej567

andzhi4 Weird attitude in Sweden. what if you cannot afford a smartphone? or have Arthritis? or are just being old. I am 50 and i do on smartphone only the absolute necessary stuff. my fingers are dry and thick, touching the screen for me is suffering. I prefer my 32" pc screen and mouse...

lbschenkel

andrej567 I agree, it's weird attitude. Sweden can be too progressive and only look at the upside but forget or dismiss the drawbacks.

There are two competing solutions in this space (both private, but state-certified): BankID, owned and controlled by the banks, and Freja e-ID. Both are just smartphone apps. (I have both.) You basically need one or the other to authenticate on any important service (and many only accept BankID, some of them accept both). To authenticate with government services both are accepted, but you still need to use one of the two — and, as I said, both are apps.

So yes, if you actually want to be a citizen in Sweden and be able to deal with your own government, you need to have money to buy a smartphone, a contractual relationship with a foreign company (smartphone provider), an account with them that is in good standing (good luck if you ever get banned for some reason) so you can access their store, and then install the app and enrol yourself with government ID or by scheduling a in-person appointment with your bank.

At least the Danes and the Norwegians had the good sense to provide a token alternative. Sweden washes their hands.

dc32f0cfe84def651e0e

lbschenkel No eID identity card with chip?

lbschenkel

The ID card provided to citizens by the police does not have e-ID. The other ID you can get through the tax office used to (not sure if it still does), but only via a PC with a card reader and only works with government websites. Never saw any private entity accepting that, ever.

In practice the only true universal authenticator is BankID, which is guaranteed to be accepted by anyone.

p-marg

I have no issues with this app now, and I set it up on my new 9a a few weeks ago, and activating BankID worked as expected, and I could even enable the “Faster BankID” feature.

As long as I keep DCL via memory allowed and native code debugging are enabled, I haven’t had any problems, and as I always do, I have been regularly sharing the attestation compatibility article with them every few months!

App installed from Google Play store on separate user profile!

Eudyptula

p-marg What major Android version are you on and which browser are you using for Webview?

I'm on GOS 15 and use Brave as my Webview browser. I checked the options you mentioned and they were both "default (allowed)" for the BankID app. However, I still get the same error as I always got, so there must be somethikg unique to your devicebor setup that allows it to work. 🤔 My device is a Pixel 8 Pro, perhaps that's why?

I installed the app on the default user as I don't use user profiles. I'm not sure why that should make a different (hope it doesn't). It would defeat the purpose of a faster BankID if I had to log into a different user to get the benefits of it and then log back in to the one I'm actually using. I'm not sure, but I think setting up additional users sips more battery too

DeletedUser370

p-marg I have no issues with this app now, and I set it up on my new 9a a few weeks ago, and activating BankID worked as expected, and I could even enable the “Faster BankID” feature.

I can confirm that faster BankID now works fine. I used it now to sign in to a bank. This is fantastic. Thanks for letting us know.

Looks like BankID is fully compatible with GrapheneOS now. I'm curious what changed.

To anyone who don't know what "faster BankID" is, it's now called "BankID with screen lock", and you can find the option to register it in the app's settings.

I’m running the latest GrapheneOS build (205070800) on my Pixel 9a, using Vanadium, and I’ve installed the BankID app via Google Play on a secondary user profile.

I have the same setup, except that I'm using a 6a.

Eudyptula I think it's unlikely that BankID requires that you run it in a secondary profile, considering that I've never heard of an app that requires that.

Please note that you likely need Play services in order to use "BankID with screen lock". It uses Play services for that feature. I'm 99% sure that it requires it. You can see a Play services dialog asking you to confirm with your screen lock when you register and use the feature. So if you don't have Play services, then you'll likely need to install it (if you want to use that feature).

Eudyptula What major Android version are you on and which browser are you using for Webview?

When setting up "BankID with screen lock", BankID uses the web browser that you have set as your default web browser. (It opens a web page in a Custom tab). That might or might not work with Brave, I don't know.

« Previous Page Next Page »