
How do I (not) log in to the services of commercial providers using BankID?

The company Bankovní identita, a.s., which operates the BankID service for domestic banks, announced last week that its product is already used by “the first innovative Czech companies”. And in truth, the list is not that short. The following picture shows these companies in the left column (those in the right column are still working on putting banking identity services into operation).


Author: Jiří Peterka

However, if you, as a regular Internet user, look around the websites of these companies in the places where you would expect an offer to use a bank identity, you probably won’t find it there. That is, with the exception of the first company in the left column, where you really will find the offer to log in using a bank identity.



The reasons deserve a little explanation. They are related to the fact that “electronic identification” is one term used in two different meanings, or rather for two quite different things. This applies both in general and to the electronic identification services offered by BankID. In practice, the two are often confused, and various misunderstandings arise as a result.

Coincidentally, I recently discussed this in my own contribution at the conference Internet a technologie 21: one meaning of “electronic identification” is the one-time creation (and “filling”) of an electronic identity. The easiest way to imagine this is as a kind of “introduction into the system”, which involves obtaining the necessary attributes of the individual concerned, creating his electronic identity and issuing the “means of electronic identification” with which he can prove the newly established electronic identity. In practice, it is most often a one-time registration: creating a user account (and filling it with the required data) and issuing access credentials.



The second meaning of the term “electronic identification” corresponds to the more frequently recurring situation where several electronic identities already exist (have been created) and one specific identity must be chosen among them. This most often occurs during login, when the user logging in declares who he claims to be by selecting one particular identity (an authentication phase must then follow, in which the user proves that he really is who he claims to be).



But back to banking identity services: these are structured into three variants, two of which (IDENTIFY and CONNECT) correspond to the two meanings of the term “electronic identification” described above. IDENTIFY is used for authentication during a one-time “introduction into the system” (registration, account setup, etc.) and has several possible levels (IDENTIFY, IDENTIFY PLUS and IDENTIFY AML), depending on what the service provider wants (or needs) to know about its customer. The CONNECT service is then, as its name suggests, intended for the repeated “connection” (login) of clients.



The individual variants of banking identity services, which are purely commercial services, of course also differ in their pricing (in the respective price list of services). And from the reality of the online world (where I found the possibility of logging in using a bank identity with only one company), I conclude that commercial service providers – at least for now – prefer the IDENTIFY services and use bank identity only for the one-time “introduction” of the client into their system.

After all, even the recent press release of the company Bankovní identita, a.s., which announces the use of banking identity services by the “first innovative companies”, talks about authentication, not login.

Therefore, even with companies that declare their support for banking identity, you will not encounter its practical use “at first glance”. Usually you will come across it “deeper”, as part of specific registration procedures, in one of the later steps, when sufficiently reliable verification of your identity is required. For example, verification for which you would otherwise have to visit a branch in person, or would need an officially verified signature, etc.

Specific example: setting up an account in the client zone

As an example, I can show here the setting up of an account in the client zone of Generali Česká pojišťovna, which I set up for the purposes of this article.

The opening of the account started without any indication that it would be possible to verify myself using a bank identity during the setup process; I had to deduce this from the press releases.



Only in the next step did an offer to use the bank identity for my verification appear.



When I chose this option, I got to the signpost with the option to choose the bank through which I want to authenticate.



BankID is not a bank identity

On the signpost for choosing a bank, I was a little surprised by two things. One of them is the offer of only two banks, namely ČSOB and Česká spořitelna, for the “private” registration (or rather authentication) described here, while in the case of “public” login via the NIA, the list of banks is larger.



The explanation is that these are again two different things. One is the “public” (and free) use of a bank identity to log in through the NIA to the services of “public” service providers (plus some others who are entitled to use NIA services), where banks are in the position of qualified administrators of qualified electronic identification systems. The other is the (paid) provision of electronic identification services to commercial providers through a joint solution of the banks, operated by Bankovní identita, a.s. and offered under the name BankID.

But I dare say that it is only a matter of time before the numbers of banks involved equalize. Or the numbers may even tip in favour of the solution through BankID, because not all banks need to aspire to the status of a qualified administrator and be willing to provide their electronic identification services to the state free of charge.

By the way, this is quite an unpleasant terminological complication: how do we distinguish between the two variants so that the general public understands them and does not confuse them?

Originally, when the term SONIA was still used (as an abbreviation from: Private NIA), it could still be relatively simple and intuitive: logging in (or verifying) “via the NIA” was public and “via SONIA” was private. These were two different scenarios, or rather ways of using the banking identity, understood as the method of identification and authentication of natural persons itself (using what individual banks know about their clients).

But then the term “SONIA” went out of fashion and was replaced by the term BankID, which erased the originally obvious difference between the (banking) identity and its use. The term “BankID” is commonly understood both as the (banking) identity itself and as its use (as a service). Its form, which includes the abbreviation ID, contributes to this as well.

According to the terminology recommendation of the banking association and of the company Bankovní identita, a.s. itself, however, the term “BankID” should be understood in a narrower sense, only as a way of using a bank identity: one of the two, namely “the private one”. Simply put: only in the sense of the original “via SONIA”. Not “via the NIA”.



In other words, “via the NIA” we can log in in various ways, and one of them is “using a bank identity”. Today we have a choice of 5 banks, or rather of the bank identities they maintain (see image above).

In contrast, we can also log in to commercial (private) service providers, such as Generali Česká pojišťovna described here, using our bank identity, but “via BankID”. Today we have a choice of 2 banks, or rather of their identities.

Even simpler: “via NIA” and “via BankID” are two mutually exclusive alternatives. However, both use bank identity (as a method).

Who runs the signpost?

After this small terminological excursion, we can return to a practical demonstration with verification using a bank identity “via BankID”.

Another thing that surprised me a little was the signpost itself: in the case of my verification with Generali Česká pojišťovna, the signpost is operated by this company (see the red box in the picture with the signpost). That is, by the service provider, not by the intermediary (the BankID service). This is shown on the left side of the following image.



It is interesting that when logging in using a bank identity (with the only company where I found it, in the right part of the picture), the signpost for bank selection is not operated by the service provider itself, on its own domain, but by an intermediary: the joint solution of the banks operated by Bankovní identita, a.s. That is, by the BankID service.

So maybe the way the signpost is implemented differs depending on whether it is used in the CONNECT service (for repeated login) or IDENTIFY (for one-time verification).

Consent to the transmitted data

When I continued to open an account in the client zone of Generali Česká pojišťovna and chose Česká spořitelna from the offer of two banks, I got to its usual login page.



Here I would expect a more detailed identification of where the request comes from (in case of concurrent requests), but at least I learned that the request concerns the client zone. The other bank (ČSOB) is a bit more forthcoming in this respect. The comparison is also shown in the following figure, in which you can log in using BankID.



But back to the specific procedure: it is basically the same as when using the bank identity “via the NIA” (or when logging in to the bank’s own services). You must log in (to your bank) in the way you have set up or selected (with your bank). In my case, after entering the client number, I had to confirm the login (to the bank) using its (mobile) key.



When I did so, I still had to agree to the transfer of my data (from the bank, i.e. Česká spořitelna, to the service provider, i.e. Generali Česká pojišťovna).



Here I was a little surprised that after clicking on the detail of the transmitted information, I did not learn (or did not find the opportunity to view) its specific values, and therefore did not even check their accuracy. I was also (a little more) surprised that the list of transmitted data does not correspond to any of the advertised variants of the IDENTIFY service (or CONNECT).



Nevertheless, I agreed to the transfer of data and this should have taken place properly.



If I have correctly understood the construction of BankID services, at least the name (and surname) as well as the telephone number and e-mail are always passed within them. Let’s recall this with the following picture.



Nevertheless, the service provider wanted me to verify the e-mail and telephone number.



The truth is that the e-mail and telephone number were not in the list of transmitted data to which I had to agree (but I had entered them in the very first step). Does this mean that specific variants of BankID services (CONNECT, IDENTIFY) offer a certain list of client data, but the party that uses them does not have to take all of it and can choose only a certain subset? And does the service provider then find out or verify the “omitted” data itself?









Well, it wasn’t much work, but it still seems unnecessary to me. Or is it a not yet fully completed implementation of BankID services on the part of Generali Česká pojišťovna, where the banking identity replaces one of the originally required steps, but other, now redundant steps have not yet been removed?

Well, we’ll see. This is certainly not the last time we write about the use of bank identity “via NIA” and “via BankID” here at Lupa.
