THE KEY TO YOUR DIGITAL SUCCESS
2 WAYS TO INTEGRATE WITH FREJA eID
For you as a company, authority or other organization, it is very easy to connect your users to Freja eID. All that is needed is a simple integration handled by your technical staff and that your users download the app and register themselves. There are 2 ways to become our partner.
Sign an agreement with Verisec AB directly and onboard your users via the Freja eID mobile app. Send our sales team a request of interest with your company details (name, contact person, time frame for insertion) so we can discuss how you can get started with Freja eID.
THROUGH AN INTEGRATOR
If a partner or system integrator manages your ID services you can connect via them. We are integrated with the leading suppliers, read more in the link below. Via some of these partners (CGI, Tieto, HiQ and Chas) you can also purchase via the Kammarkollegiet Ramavtal (Kammarkollegiet Framework Agreement): IT and Telecom, Software, and also Tjänster – Informationsförsörjning (Services – Information supply).
See the list of our partners below.
GOOD COOPERATION GIVES GOOD RESULTS
Click to see more information and contact details for our partners below.
How do we integrate with Freja eID?
Integration can be done directly via our REST API or via a System Integrator. Note that there are two separate APIs for integration with Freja eID. One for personal use by users, and another API for using service identification with ‘Organisation eID’. You can find more technical information about integration at the Developers section.
Which system integrators are you connected to?
Freja eID is currently linked to all major system integrators such as CGI, Tieto and Visma but also to specialists in the field of identity management such as ‘Svensk e-identitet’ and Signicat. If we have no integration with the supplier you use, it is usually a quick process for us to resolve this and integrate with them. See a complete list of the partners we have agreements with today.
Can we join via ‘Valfrihetssystem’?
Yes, Freja eID can be procured via Valfrihetssystem 2017 E-identification, which is handled by DIGG – the Swedish Agency for Digital Government. The agreement gives contracting authorities (according to LOU) access to new quality-tested e-credentials. The freedom of choice system as a form of procurement simplifies both procurement and contract management. The technical method of the freedom of choice system also makes it easier for the contracting authority to introduce foreign e-credentials in accordance with the eIDAS Regulation (No. 910/2014). Please note that the freedom of choice system covers personal use and does not at present cover service credentials. There is no freedom of choice system for this purpose at present.
Read more on DIGG’s homepage.
What is Sweden Connect?
Sweden Connect is DIGG’s feature for electronic identification and the connection point for eIDAS in Sweden. By connecting to Sweden Connect, authorities, municipalities, county councils and suppliers have access to foreign e-credentials in their Swedish public e-services. When connected to Freja eID via Valfrihetssystem 2017 E-identification, this is also done via the IdP in Sweden Connect.
In which countries is Freja eID active?
In Sweden, Norway, Finland, Denmark and the UK. However, it is only in Sweden that we can offer a state quality-assured LOA3. In the rest of the countries, we do the same ID verification as in Sweden, except for the last step which is a physical meeting – something that is required by law in Sweden to achieve LOA3. In addition to the countries listed above, Freja eID can be used at the Basic level – meaning two-factor authentication and Strong Customer Authentication, but not with basic identified users.
How can we trust the identities you issue?
Both the release and the system for Freja eID have been reviewed and approved in accordance with DIGG’s e-identification trust framework. There are also ongoing checks and audits both by DIGG and external auditors.
What is Freja eID’s responsibility?
Freja eID assumes liability for the direct damage suffered by you as a result of errors in our service or processes, where you had no reason to suspect a crime, and where you have relied on an e-identification issued by us. For example, it may be that we have issued an e-ID to the wrong person who subsequently turns out to be a fraudster who seized money by taking out loans in the name of the rightful person.
What is Freja eID’s pricing model?
There are essentially two different price models.
In one model, the customer is charged every time a user identifies with Freja eID, for example logging in or making an electronic signature.
The second model is a subscription model where we agree on a fixed, monthly price for unlimited use. If you use Freja eID for service identification or Organisation eID in some other context, the subscription model applies. For the use of Freja eID as personal e-ID for your users, you can choose between the tick-based model or a subscription model.
Freja eID is free for your users.
Does Freja eID cost anything for end users?
No, Freja eID is always free for the user. We also do not use our user database to advertise to the users or otherwise capitalise on the user base. The only revenue we receive is from customers for the use of the service.
How long does a contract period usually last?
A contract period is usually 24 or 36 months. The contract period when joining via Valfrihetssystem 2017 follows the contract terms regulated by DIGG at any given time.
Do I have to have an agreement with Freja eID even if I go through a partner?
Yes, there must be a Relying Party agreement between Freja eID and the customer, even if it goes through a partner or system integrator.
What LOA levels does Freja eID support?
Freja eID is available in three levels corresponding to LOA1, LOA2 and LOA3. However, it is only the LOA3 level that is quality-marked by DIGG. This is because in Sweden there is no formal opportunity to certify an e-ID on LOA1 or LOA2.
What does the quality mark ‘Svensk e-legitimation’ mean?
‘Svensk e-legitimation’ is the state’s own quality mark for e-ID, and is based on international standards. In order to regulate e-IDs, the Swedish government has created the quality mark ‘Svensk e-legitimation’. DIGG reviews and approves Swedish e-IDs, and issues the quality mark based on national and international security criteria.
Organisations providing e-services that require an e-ID can rely on one that has the ‘Svensk e-legitimation’ quality mark. Also, users can be confident that the e-ID they are using is secure and approved by a trustworthy authority – the Swedish Government in this case.
Freja eID is approved for Swedish e-identification at LOA3 (Freja eID Plus) but also the services available at LOA1 and LOA2 are included in the same system and operating environment as the quality-checked service.
Does Freja eID meet the requirements for SCA in PSD2?
Yes, Freja eID fulfills all the requirements defined in the EU Payment Services Directive 2 (PSD2) to secure online payments with secure customer authentication – Strong Customer Authentication (SCA).
Is Freja eID approved within eIDAS?
The Swedish government has not submitted any e-ID to eIDAS yet, and the process for this is scheduled to begin in 2020. However, Freja eID is designed in accordance with the requirements that exist within eIDAS already. We have approached the government with our intention of becoming an e-ID approved within eIDAS when this process begins.
How is user data handled?
It is important to note that there is a difference in responsibility and management of user data for personal e-IDs and for e-service IDs. Read more about this in the section on Organisation eID.
What can Freja eID be used for?
Freja eID can be used to identify users during login and for other transactions on the web or in a mobile app. Furthermore, Freja eID can be used for legally binding electronic signatures, customer onboarding, GDPR consent, long-term transactions, two-factor authentication, service identification and a number of other functions. Read more about Freja eID features.
Which attributes can Freja eID share?
The basic idea of Freja eID is to give the user control over their digital life. This means that the user must always give their explicit consent every time personal data is shared with a Relying Party. Therefore, with the user’s consent, the following attributes may be shared: social security number, age, date of birth, physical address, e-mail address (1-3 depending on whether the user has added any additional emails) and mobile phone number (0-3 depending on whether the user has added their phone number to Freja eID). This applies to Sweden and Norway. In Finland, Denmark and the UK no physical address can be shared and in the UK no social security number can be shared as citizens of the UK don’t have one.
If you have also signed an agreement for Organisation eID, the attributes you have added for this service can also be shared.
How are the attributes sent?
They are passed along in the identification request you make via our API.
Can we customise which attributes the user chooses to share?
Currently, you define which attributes you want to include in the identification request. The user must therefore either consent to sharing all of this information or refuse the request. If the user declines this request, they will not be able to reach your service.
What is Organisation eID?
It is a role-based identity, for example an employee identification. It is based on the fact that the user has Freja eID with an approved ID document and to this end the organisation issues its own attribute for the user’s identification within the organisation. In this way, the private and the role-based e-identification are separated.
How is personal data handled in Organisation eID?
Freja eID handles the user’s personal information, such as name, address and social security number, based on consent. However, in a service identification personal data that is not attributable to the user may be processed, for example if an official handles a decision containing a citizen’s personal data. This personal data can only be processed in Freja eID if the Relying Party using Organisation eID has a personal data processing agreement with Freja eID.
How is transaction data handled and stored in Organisation eID?
We store evidence of transactions for 10 years. This includes the type of transaction, time and outcome. We also store the content of the transaction. However, it is always the Relying Party who is responsible for the attributes and transaction history that arise from data that they submit via the Organisation eID. The Relying Party owns the attributes it sets, as well as the content and history of transactions, and may request that we delete transaction data or that we transfer stored transaction data.
What is the difference between a personal e-ID and Organisation eID?
In a personal e-ID, the handling of personal data is based on the user’s consent. As consent can never include someone else’s personal data, third-party information cannot be handled in a personal e-ID. However, this can be done in Organisation eID as it is the Relying Party who is responsible for personal data and Freja eID acts as assistant for the handling of personal data.
What is the difference for me as a Relying Party between a personal e-ID and Organisation eID?
A personal e-ID is one where Freja eID has verified the identity of an individual and accepts liability for any damage caused due to faults in Freja’s on-boarding and issuance process as a result of an eID being issued to the wrong person.
An Organisation eID is one or more organisational attributes relating to an individual, which an organisation can add to a user’s profile over and above their personal e-ID. These attributes may be an AD alias or a work e-mail address; typically, data which identifies the user in a corporate scenario. The organisation is the issuer and data controller of this data and it is the organisation who needs to take responsibility for the accuracy of the data.
Who is in control of Organisation eID?
Use of both personal and Organisational eID is completely under the user’s control, as are attributes stored within the framework of personal e-IDs. Attributes and transaction history connected to the user’s personal e-ID are also under their control.
On the other hand, the transaction history and attributes connected to Organisation eID are under the control of the Relying Party. It is the Relying Party that adds the attribute with which Organisation eID is issued, and it is also the Relying Party that controls the removal of Organisation eID from the user. However, the user must consent to the Relying Party adding an Organisation eID to their Freja eID.
Why is a data processing agreement needed for Organisation eID?
This is required for the Relying Party and its users to be able to handle transactions that contain personal data about third parties, that is, information that has no legal basis to be handled solely based on the user’s consent.
Who is responsible for issuing Organisation eID?
The Relying Party is responsible for the issuing and revoking of an Organisation eID for its users. The Relying Party is also responsible for ensuring that the attribute added to the user’s Organisation eID is correct. In the event that an attribute in Organisation eID is incorrectly issued to a user, Freja eID cannot be held responsible. Freja eID’s responsibility is limited to the attributes we have issued, such as name, birth data and address.
How to integrate with Organisation eID
The Relying Party integrates via Freja eID’s REST API for Organisation eID. Note that this is a separate API from that which manages Freja eID for personal e-identification.
How are users onboarded and offboarded?
First of all, the user must download the Freja eID mobile app and register a valid ID document to be approved for a valid personal e-ID. Then, the Relying Party can add an Organisation eID to the user containing the description of the ID, the logo, the description of the attribute and the value of the attribute. The user may then consent to the addition of the Organisation eID, by making a digital signature with their personal Freja eID.
When offboarding a user, the Relying Party erases their Organisation eID attribute. In this way the connection between the Relying Party and the individual is removed.
What attributes can I add to Organisation eID?
Currently, we support the addition of one attribute per user. To this you can add a description of the attribute, your logo and a description of what you want to call your Organisation eID. The format of the attribute is optional and you can also add different attributes for different user groups, with custom descriptions for each attribute.
What rights does the user have in Organisation eID?
When an Organisation eID is being added to their Freja eID, the user must give their consent.
The user will see the transaction history from Organisation eID in My Pages as long as the Relying Party has Organisation eID active for that user. If/when the Relying Party revokes that user’s Organisation eID, that transaction history is deleted from My Pages.
What is the level of trust of Organisation eID?
Currently, Organisation eID can be issued if the user has undergone the process of adding an ID document to Freja eID as well as at trust level 3, if the user has been approved for Freja eID Plus.
Is Organisation eID automatically included when you have a contract with Freja eID?
No, using Organisation eID requires a separate agreement including an agreement for access to personal data.