With 4.7 million enrolled users in a country of roughly 5.6 million people, BankID Norway is one of the most widely adopted digital identity schemes in the world. In 2025 alone, the platform processed close to 901 million transactions, covering everything from tax filings and student loan applications to legal name changes and divorce proceedings. But scale exposes identity verification to threats, meaning that authentication alone is not enough.

At a recent webinar, BankID Norway’s Ove Morten joined Joe Palmer, president of iProov, and Megan Shamas, CMO at FIDO Alliance, to discuss how the platform has evolved its approach to authentication and why combining passkeys with biometric liveness verification has become central to that strategy.

Device-bound passkeys, which are phishing-resistant by design, can effectively secure user logins. Passkeys offer a high degree of cryptographic certainty: When a passkey is presented, it can be confirmed as originating from the same Secure Enclave or Trusted Execution Environment (TEE) where it was originally created.

However, problems can arise when a device is lost or when another person has access to it. Processes such as account recovery have a weaker security level, and attackers know that, according to iProov President Joe Palmer.

“You’re only as strong as your weakest link,” says Palmer.

Having a cryptographically verifiable identity, based on biometric and biographic data in an identity document, and combining that with the highest-assurance level of biometric liveness results in high-level security that allows remote account recoveries and device re-binding, he notes.

For BankID Norway, that insight prompted investment in NFC-based biometric identity verification. Since mid-2024, the process has used the chip embedded in a user’s passport or national ID card: it reads the cryptographically signed data the chip contains and combines that with an iProov biometric liveness check to confirm the person presenting the document is its legitimate owner.

To date, BankID Norway has completed one million activations using this method, which now accounts for approximately half of all new activations. The organization reports zero fraud cases attributable to this verification path and a 35 percent reduction in support calls related to BankID, notes Morten.

Attack methods are continually evolving. Three years ago, the dominant threat in biometric verification was the presentation attack – holding a photograph or a mask up to a camera. The landscape, however, has shifted considerably and now includes deepfake and face-swap technology, which are accessible to a much wider range of actors.

A large-scale breach of BankID’s identity infrastructure would require re-keying the digital ID of every person in Norway. The service is used by all banks in the country, the public sector and a growing number of private businesses.

“That’s kind of a doomsday scenario,” says Morten.

Tools capable of generating a convincing synthetic video feed can be downloaded for free, require no specialist hardware, and have been adapted to produce virtual camera inputs on both Android and iOS devices. The result, according to Palmer, is an explosion in injection attacks, in which a fabricated video stream is fed directly into a verification system rather than presented physically to a real camera.

“We see tens of thousands of these attacks a day,” he says, noting that the combinations of available tools and techniques now number in the hundreds of thousands, making static defences increasingly inadequate.

“It becomes very challenging to stay up to date with the evolving attacks, unless you’re able to see the attacks are happening in real time,” Palmer continues.

The response has been to treat biometric liveness detection as a continuously updated service rather than a fixed product. Algorithms are updated, on average, three times a week invisibly to end users, similar to how a virus detector continuously downloads virus signatures.

The Norwegian BankID will continue to evolve in step with new European regulations. From April 1st, the digital ID will be issued solely by Stø AS, formerly known as BankID BankAxept AS. In the near future, the service also plans to enhance its resistance to phishing.

Just adding a phishing-resistant factor to authentication doesn’t make the account phishing-resistant: the only way to truly get to a phishing-resistant account stage is to have more than one phishing-resistant factor, according to Palmer.

“I’m very excited about the future of biometrics and passkeys, because they together provide two phishing-resistant authentication factors and that I see as a very viable path to getting to phishing-resistant accounts and being able to finally switch off the cause of so many data breaches,” says Palmer.
