1. Why was this added?
With the introduction of SMS authentication, we have decided to split the authentication levels in 3 tiers, to reflect their varying degrees of security. In addition to that, we have decided to make this choice explicit for the users to make them more aware of the security implications.
These updates are available in the default flow (and other templates that extend it), and they must be set for each recipient.
How choosing the authentication level looks today
2. What do they mean?
2.1 Low authentication level (Email authentication)
2.1.1 How the process looks for the sender
This was the default option in the previous version of the flow.
The sender would previously add a recipient's name and email and leave the "Require authentication" checkbox unticked:
In the new version the sender will have to choose the Low (Email authentication) option
2.1.2 How the process looks for the recipient
The recipient will be notified by email (unless the "Notify by SMS" option is selected) and they will receive an invitation with an access link.
2.1.3 What makes this option the least secure?
The security itself relies on an access token that is part of the invitation link. Thus. for Low (Email authentication) it's crucial for the recipient to not share that link with anyone, as anyone with the link will be able to access the documents.
2.2 Medium authentication level (SMS authentication)
2.2.1 How the process looks for the sender
In addition to selecting Medium (SMS authentication) the sender will need to enter the recipient's phone number
2.2.2 How the process looks for the recipient
The recipient will receive an Email invitation (SMS notifications are mutually exclusive with SMS authentication, for security reasons). Clicking the link in the invitation will take them to the SMS Authorization app.
There, clicking a button will send an authorization code via SMS to the number that was defined by the sender (see the image above). Next up, the recipient will need to enter the code, and if it matches they will get access to the documents.
|Pressing the button will send an SMS with an access code||Next, they will need to enter the access code received via SMS|
2.2.3 What makes this option the medium one in terms of security?
The recipient will be notified by email and then authenticate by SMS, making this method act as 2 factor authentication (2FA). Although this additional security layer makes it more secure than Email authentication, it's not as secure as using an eID method (such as BankID) for the following reasons:
- if a malicious actor were to get a hold of a recipient's phone, they would potentially have access to their email inbox as well
- eID methods have additional security layers (such as requiring a password from the recipient)
2.3 High authentication level (eID authentication)
2.3.1 How the process looks for the sender
The sender would previously select the "Require authentication" option and then enter the recipient's SSN:
In the new version it's pretty much the same thing except they would need to select High (eID authentication) option instead;
2.3.2 How the process looks for the recipient
|Swedish BankID Authentication||Norwegian BankID Authentication|
3. Additional clarifications
3.1 All recipients must have the same authentication level
To prevent one of the recipients being the weakest link in terms of security and jeopardize the overall security of the envelope, it's crucial that all the recipients have the same authentication levels.
This means that you can't have one recipient with Low authentication and another one with Medium (or any other combinations among different levels) in the same envelope.
3.1.1 In the Verified web-app
This functionality is enforced in the Verified web app and this is what the sender will see in this situation:
3.1.2 In the Verified API
It's important for the developers making use of our API to follow the recommended practice that is mentioned in our documentation and prevent recipients from being able to have different authentication levels.
3.2 What about API users?
There are no changes for API users as these updates are mainly related to the user interface / user experience of the Verified web app, just make sure to follow the recommendation mentioned above.