Norway’s Digital Identity System: Broad Success, Deep Gaps

AI & ML Reporter

While Norway’s BankID, Buypass and Comfides platforms have enabled seamless access to public and private services for most citizens, a recent SODI project report highlights systemic failures that leave vulnerable groups excluded, expose users to fraud, and reveal fragmented governance.

Digital identity in Norway is often presented as a model for the rest of Europe. The three market‑driven solutions—BankID, Buypass, and Comfides—allow most residents to file taxes, book doctor appointments, and sign contracts with a few clicks. The convenience is real, and the uptake is high: over 95 % of the population holds at least one e‑ID, and transaction volumes on the Altinn portal have grown by more than 30 % year‑over‑year since 2022.

However, the final report of the Societal Security and Digital Identities (SODI) project, led by Professor Marte Eidsand Kjørven at the University of Oslo, paints a far more nuanced picture. The authors argue that the system’s technical reliability masks three inter‑related problems:

  1. Digital exclusion of vulnerable groups
  2. Systemic fraud and identity abuse
  3. Fragmented public governance

Below we unpack each claim, examine what the report actually adds to the discussion, and outline the practical limits of the proposed remedies.


1. Who Is Left Out?

The SODI report documents dozens of cases where individuals cannot obtain a BankID because the issuing banks deem them “high risk” or because the applicant cannot meet the required verification standards. One striking example is Bendik, a young man with Down syndrome who was denied a BankID and consequently lost access to the national health portal, tax filing services, and even the ability to receive his unemployment benefits online.

Caption: ‘Bendik’ has Down syndrome and is denied BankID. Photo: Colourbox.

The problem is not limited to people with cognitive disabilities. Elderly citizens who lack a smartphone, refugees whose identity documents are not yet recognized, and residents of remote areas with poor broadband coverage also face barriers. The report estimates that approximately 3 % of the adult population experiences at least one of these obstacles, translating to roughly 150 000 people.

Why the exclusion persists

  • Verification bottlenecks – Banks require an in‑person visit to a branch, a valid passport, and a credit‑check. For someone who cannot travel easily, the process stalls.
  • Private‑sector gatekeeping – The e‑ID providers are commercial entities; their risk‑assessment algorithms are not publicly audited, and they can refuse service without a clear appeals process.
  • Lack of statutory fallback – Norwegian law does not mandate a state‑provided alternative e‑ID, unlike Estonia’s universal ID card.

Practical impact

Without an e‑ID, users must rely on manual paper forms, which are slower, more error‑prone, and often require a proxy. In the case of public benefits, the extra administrative steps can delay payments by weeks, undermining financial stability for already vulnerable households.


2. Fraud and Identity Abuse

The report links the high adoption of e‑IDs to a surge in identity‑theft cases. DNB alone reported 3.3 billion NOK in attempted fraud in 2025, a 30 % rise over the previous year. While the bank blocked most of the attempts, the residual losses illustrate how stolen credentials can be weaponized:

  • Unauthorized loans – Criminals use compromised BankIDs to apply for personal loans, often in the victim’s name.
  • Public‑benefit fraud – Stolen IDs enable false claims for unemployment benefits or child support.
  • Corporate impersonation – Fraudsters can sign contracts on behalf of companies, leading to supply‑chain disruptions.

A particularly troubling case highlighted by the SODI team involves a man who handed his BankID to an ex‑partner for routine tasks. The partner then opened multiple high‑value consumer loans. The Supreme Court is now considering whether the victim can be held liable for the debt despite being a victim of identity theft.

Structural weaknesses

  • Code‑device distribution – Physical BankID tokens are mailed without verifying the recipient’s identity, opening a low‑tech vector for theft.
  • Single‑factor authentication – Most services still rely on a password + token model; biometric or hardware‑based second factors are optional, not mandatory.
  • Opaque revocation processes – Users report long delays when trying to suspend a compromised ID, during which fraud can continue.

Mitigation proposals in the report

  • Introduce mandatory multi‑factor authentication for high‑value transactions.
  • Create a central revocation service that can instantly invalidate compromised credentials across all providers.
  • Require audit‑ready logging for all ID‑issuance decisions, enabling downstream services to assess risk in real time.

These measures are technically feasible, but they would require coordinated action across private providers, banks, and government agencies—something the current governance model does not support.
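As an added illustration (not code from the SODI report or from any e‑ID provider), the Python sketch below shows how a relying party could combine the three proposals: a shared revocation lookup, a mandatory strong second factor above a value threshold, and a hash‑chained decision log. The threshold, the factor labels, the class and function names, and the sample credential are all assumptions, and the log here records authorization decisions rather than issuance decisions.

```python
import hashlib
import json

HIGH_VALUE_NOK = 50_000                         # assumed threshold; the report names none
STRONG_FACTORS = {"biometric", "hardware_key"}  # assumed labels for a strong second factor

class RevocationRegistry:
    """Hypothetical central registry that every provider and relying party queries."""
    def __init__(self):
        self._revoked = set()
    def revoke(self, provider, credential_id):
        self._revoked.add((provider, credential_id))
    def is_revoked(self, provider, credential_id):
        return (provider, credential_id) in self._revoked

class AuditLog:
    """Append-only log; each entry hashes its predecessor so edits are detectable."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []
    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})
    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def authorize(tx, registry, log):
    """Deny revoked credentials, demand step-up for high-value requests, log the outcome."""
    if registry.is_revoked(tx["provider"], tx["credential_id"]):
        decision = "deny:revoked"
    elif tx["amount_nok"] >= HIGH_VALUE_NOK and tx.get("second_factor") not in STRONG_FACTORS:
        decision = "step_up:strong_factor_required"
    else:
        decision = "allow"
    log.append({"provider": tx["provider"], "credential_id": tx["credential_id"],
                "amount_nok": tx["amount_nok"], "decision": decision})
    return decision

if __name__ == "__main__":
    registry, log = RevocationRegistry(), AuditLog()
    loan = {"provider": "BankID", "credential_id": "cred-001",  # constructed sample request
            "amount_nok": 250_000, "second_factor": None}
    print(authorize(loan, registry, log))
    registry.revoke("BankID", "cred-001")
    print(authorize({**loan, "second_factor": "biometric"}, registry, log))
    print(log.verify())
```

The revocation check runs before the factor check, so a suspended credential is refused even when a strong second factor is presented.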


3. Governance Gaps

The SODI authors argue that the digital identity ecosystem suffers from “fragmented responsibility.” The three e‑ID providers operate under separate licences, each governed by a mix of financial‑services regulation, data‑protection law, and sector‑specific rules. No single authority has a holistic view of the system.

Key observations:

  • No statutory oversight body – Unlike Estonia’s Authentication Service Center, Norway lacks a dedicated regulator with a mandate to enforce interoperability and inclusion.
  • Decision‑making opacity – Criteria for granting or revoking an e‑ID are held by private companies; the public sector has limited insight or influence.
  • Limited stakeholder participation – Civil‑society groups, disability advocates, and consumer‑rights organisations were only consulted after the draft report was prepared.

Proposed governance reforms

  1. Establish a National Digital Identity Board – A multi‑ministerial body with representation from the Ministry of Justice, the Financial Supervisory Authority, consumer NGOs, and technical experts.
  2. Mandate a public‑interest impact assessment for any change to e‑ID issuance policies.
  3. Create a statutory “right to an e‑ID” that obliges the state to provide an alternative mechanism for those denied private solutions.

The report notes that implementing these reforms would require new legislation, budget allocations, and a cultural shift toward shared responsibility between public and private actors.


4. What Is New?

The SODI report does not introduce a brand‑new technology; the e‑ID platforms have been stable for years. Its contribution lies in systemic analysis and policy recommendations that synthesize legal scholarship, empirical case studies, and technical risk assessments. The inclusion of cross‑border data from Estonia—where a state‑run ID system co‑exists with private alternatives—provides a concrete comparative baseline.

Moreover, the report is the first to quantify the scale of exclusion (3 % of adults) and to link that figure directly to measurable outcomes such as delayed benefit payments and increased reliance on in‑person services.


5. Limitations and Open Questions

  • Scope of the data – The exclusion estimate relies on self‑reported surveys and may undercount hidden populations (e.g., undocumented migrants).
  • Implementation feasibility – The suggested governance board would need legislative backing; without political will, the recommendation may remain academic.
  • Technology lock‑in – Moving to mandatory multi‑factor authentication could marginalize users who lack compatible devices, potentially worsening exclusion unless accompanied by device‑subsidy programs.
  • International interoperability – The report touches on cross‑border recognition but does not detail how Norway could align with EU eIDAS standards without compromising its existing private‑sector model.

6. Where to Find the Full Report

The complete SODI analysis is available as a PDF from the University of Oslo’s repository: SODI Final Report (PDF). The project’s website also hosts a summary of the policy recommendations and a list of participating institutions.


7. Takeaway

Norway’s digital identity infrastructure delivers undeniable efficiency for the majority of citizens, yet the current market‑driven model leaves a non‑trivial segment of the population without essential access, exposes users to sophisticated fraud, and operates under a patchwork of regulations. Addressing these issues will require legal reforms, technical upgrades, and inclusive governance—a combination that is technically possible but politically demanding.

Caption: Professor Marte E. Kjørven and director Marianne Henriksen at Skatteetaten. Photo: UiO.
