The story behind the QR code login
What is the most secure and user-friendly way for bank customers to log in? This is a million-dollar question, but we think we have a good answer at Nordnet.
If you are a Nordnet customer in Denmark, Finland, or Norway, you have probably found it very natural to log in with the QR code whenever you open the login page. Bring up the camera on your phone, scan the QR code, confirm your identity with biometrics in the Nordnet App, and you are logged in. Yes, this is the brand new way of logging in for customers in those three Nordic countries. This article tells the story behind it.
1. The Reason
2. The Design
3. The Launch
4. The Future
1. The Reason
Back in the old days, usernames and passwords dictated authentication. Despite the simplicity and convenience they offer, they have a few well-known drawbacks: weak passwords, password reuse, vulnerability to phishing attacks, and unavoidable human errors that can leak passwords. Therefore, more secure authentication methods like MFA (Multi-Factor Authentication) have been introduced and adopted by more and more websites. Since security is one of the most crucial factors in the banking business, it should be no surprise that Nordnet has put its focus on levelling up its authentication mechanism for login.
MFA requires the user to provide at least two factors of authentication including:
- Something the user knows, such as a password, PIN, or security question answer.
- Something the user has, such as a physical token, smart card, or mobile phone.
- Something the user is, such as biometric data, like a fingerprint or facial recognition.
Years ago, Nordnet evaluated various MFA alternatives, such as OTP (One Time Password), USB dongles, and SSO (Single Sign On) provided by third parties. But none of them met our requirements on security and user experience.
OTP login is widely used by many websites nowadays. It is easy to implement as a second factor on top of username/password. However, it relies heavily on the security of the device or channel used to transmit the OTP. In the case of a phishing or social engineering attack, an OTP is as weak as a password, especially when it is delivered via common channels like SMS or email. Also, the time limit on entering a unique code at every login is not a nice user experience.
A USB dongle is more secure than OTP because of its higher encryption level. But the biggest downside is that it requires the user to have physical access to the dongle to authenticate. This might be acceptable for desktop login but is a nightmare for mobile login.
Third-party SSO could also be a nice choice. For example, almost all banks in Sweden adopt Swedish BankID as their main login method. As an E-ID provider, Swedish BankID provides a secure and smooth identification experience, and the adoption rate of BankID in Sweden is quite high. Unfortunately, the other Nordic countries don’t have equivalent E-ID players yet. Nordnet has let customers log in with all the E-ID solutions in Norway, Denmark, and Finland, but both their adoption rate and their user experience are not as good as Swedish BankID. We have also found that third-party SSO solutions vary in quality and cost, so we deemed the space too speculative, and we would rather not take an unnecessary risk with our customers’ security.
Therefore, we decided to build our own solution. With the new login solution, the user signs a one-time nonce with a cryptographic key unlocked by either biometrics (something the user is) or a PIN code (something the user knows) on their mobile device (something the user has). The digital signature is then validated by backend services to determine whether the authentication is successful. The backend services also ensure that one QR code can only be used once. Any suspicious attempt, such as a double scan, a late scan, an invalid signature, or an ID mismatch, is treated as an error and leads to login failure.
In addition, both web and app login require that the user possess the mobile device on which QR code login was activated. This ensures that the login flow, unlike OTP, is more difficult to perform remotely.
With all the security factors above baked into this login solution, the security level is greatly enhanced and the user experience is smooth.
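As an added illustration of the backend checks described above (this is not Nordnet's code; the hypothetical Server type, the device ids, the error strings and the choice of Ed25519 for the device key are all assumptions), a small Go backend that issues a one-time nonce for the QR code, binds the device id into the signed message, and rejects late, repeated and wrongly signed scans:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Server is a hypothetical backend: public keys enrolled when QR code login was
// activated, plus live QR nonces mapped to issue time (zero time once spent).
type Server struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]time.Time
	ttl    time.Duration
}
func NewServer(ttl time.Duration) *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]time.Time{}, ttl}
}
func (s *Server) Enroll(id string, pub ed25519.PublicKey) { s.keys[id] = pub }
// IssueNonce returns the random value the login page embeds in the QR code.
func (s *Server) IssueNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.nonces[n] = time.Now()
	return n
}

// LoginMessage is what the phone signs; binding the device id into the signed
// bytes makes an id mismatch fail as an invalid signature.
func LoginMessage(id, nonce string) []byte { return []byte(id + "|" + nonce) }
// Login checks one scan. Every attempt spends the nonce, so a retry after any
// failure is rejected as a double scan (assumed policy, not from the article).
func (s *Server) Login(id, nonce string, sig []byte) error {
	issued, ok := s.nonces[nonce]
	if !ok || issued.IsZero() {
		return errors.New("unknown or already scanned nonce")
	}
	s.nonces[nonce] = time.Time{} // spend it before any other check
	pub, enrolled := s.keys[id]
	switch {
	case time.Since(issued) > s.ttl:
		return errors.New("late scan")
	case !enrolled || !ed25519.Verify(pub, LoginMessage(id, nonce), sig):
		return errors.New("unknown device or invalid signature")
	}
	return nil
}
```

A production backend would also persist the nonce state outside one process and expire unused entries; here the in-memory maps keep the example short.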
2. The Design
The QR code login solution is used by all platforms including desktop browsers, mobile browsers, and the Nordnet App. All the platforms use a single, common API to perform login, with slightly different logic built in to ensure a clean and secure integration between the client platform and the API.
The benefits of building a common API are great. We don’t have to design functions that are specialized for the Nordnet App or the web. Instead, the focus is on making the API generic so that all platforms can use it in a logical way. The API is also not country-specific, which means all possible conditions are taken care of for all three Nordic countries (Denmark, Finland, and Norway), and it can easily scale to a fourth country if needed. The simplicity of the API decreases the complexity of the software and increases our confidence during the first launch and in continued improvement and maintenance. In fact, after the first successful release to one country on one platform, we were certain that the solution would just work in the other countries and on all platforms.
It’s also worth mentioning that you will not find a QR code anywhere in the Nordnet App. The Nordnet App has a smart design that performs the “scan” stealthily when the user initiates login. This produces an even better user experience than our web login. For users who have activated FaceID, all they need to do is open the Nordnet App, complete FaceID, and then enjoy online banking.
What if the user doesn’t have QR code login activated? Then scanning the QR code triggers the onboarding flow so that the user can activate it and then log in. What if the user doesn’t even have the Nordnet App installed on the phone? Don’t worry, the scan brings up the Nordnet App page on the App Store or Play Store, depending on the phone model. We try our best to smooth the flow to engage new users.
To sum up, the design language that Nordnet wants to deliver to its customers is: “We want you to log in securely in a simple way”.
3. The Launch
We launched the brand new login in the Nordnet App in Norway in late April 2022. The result turned out to be a marvelous success. The share of successful logins made with the QR code ramped up from 0% to 40% during the first week and reached nearly 70% by the end of the first month.
Customers love it.
The same story happened in Finland and Denmark as well. Usage reached 58% and 75% in the first week and the first month after release, respectively. And as we write this article, the number is 91%, which means the majority of Nordnet App users are logging in with a QR code less than one year after the feature was launched.
The new login for the web, on both desktop and mobile browsers, was launched after the summer of 2022. Thanks to the successful launch in the Nordnet App, a large number of customers had already activated QR code login in the app, which means their phones were already capable of logging in on the web as long as the QR code could be scanned. As a result, QR code login on the web soon became popular as well. So far, it has been the main way to log in on both the web and the Nordnet App.
4. The Future
The new QR code login has been a great success for Nordnet, but is it already a perfect solution? Probably not. There are still many things we can improve, such as:
- Find a reliable but more friendly way to identify new customers.
- Make the QR code animated to boost the security level even higher.
- Improve the design to encourage customers who are reluctant or anxious about QR codes to try it out.
- And more.
We would like to continuously improve the login solution to make Nordnet one of the most secure digital banks in the world. We would also like to give the best user experience to our customers so that they feel comfortable instead of stressed whenever they log in.
Do you like the new login on Nordnet? Please let us know what you think!