Why BankID will cease to support login via iframes?

BankID is discontinuing support for logins via iframes. Here are the reasons for this decision:

Easier for end-users to detect phishing

Previously, the user experience with BankID varied significantly from website to website, including web client dimensions, the BankID mobile interface, color choices, and more. As a result, BankID users have become accustomed to accepting varying user experiences. This poses a significant problem as it makes users more vulnerable to phishing attacks. In practice, iframes make it impossible for end-users to verify the origin of the BankID web client by simply checking the URL in the browser.

Prevents XSS attacks

The OpenID Connect protocol sends some authentication data in the front channel (authentication via an authorization code). This authorization code is vulnerable to session hijacking when the client is displayed in an iframe (as the iframe URL is always accessible from the parent page). Supporting iframes makes it easy for an attacker to create a fraudulent website that steals sessions from legitimate sites.

Ensures effective fraud detection

To protect user privacy, modern browsers block third-party tracking when third-party content is displayed in an iframe. This reduces the security of the login process as the browser actively restricts BankID's access to parameters used for fraud detection. We also anticipate that browser providers will continue to implement new measures that complicate anti-fraud efforts through iframes. Fraud detection is a central component of what makes BankID secure.

Supports technologies designed to prevent phishing

FIDO2 and WebAuthn are used for BankID Biometrics. A key feature of these protocols is their resistance to phishing, and as a result, iframe usage is disabled by default.