BankID-based Authentication for Phone Calls

University essay from Lunds universitet/Institutionen för elektro- och informationsteknik

Abstract: Authentication for phone calls is important for companies with hundreds of customers wanting to access sensitive information. However, it is sub-par compared to authentication when using applications or websites. In this thesis, seven models have been developed for how to use BankID as the authentication service during phone calls. The purpose of all models is to use the BankID API to provide the agent with the caller’s personal identity number and name. Two models, “manual recitation” and “the SMS model”, were selected and implemented based on criteria of security, ease of use, and integration with the existing environment. In the manual recitation model, the agent asks the caller to read their personal identity number aloud; the agent then starts the BankID authentication process using the personal identity number. In the SMS model, the agent sends an SMS to the calling number; this SMS contains a link where the caller can start the BankID authentication process. The implementation has been used in production with real customers and evaluated using questionnaires, interviews, and tracings. Our results showed that BankID can be used for authentication during phone calls, improving security while still being easy to use.
