
How does this actually work on something like iOS, which I believe is a lot more restrictive and may not allow access to the SIM except through carrier services (which are in turn susceptible to attacks, including bribes, social engineering, etc.)?


The carrier is involved in transmitting and triggering the challenge as well, and I'm pretty confident that it works on iOS, though I've never tried myself.

The authentication works like this:

1. User fills out a form with enough public and semi-private information to securely identify the user (usually phone number and date of birth or social security number).
2. The user is presented with a random two-word string.
3. The same message appears on the user's phone. If the words are the same, the user proceeds to input a PIN. The PIN is only stored on the SIM, and is chosen by the user.
4. A response is sent from the phone and the user gets logged in.

I assume that the challenge response employs asymmetric authentication, storing a private key for the SIM and public key for BankID on the SIM.

I'm not familiar enough with how the underlying crypto works to guess what kind of attacks they'd be susceptible to, but considering that the authentication is used for most public services in Norway (including taxes, welfare, medical records and document signing) as well as some private services (banking, insurance), I'll believe that the proper due diligence has been done.

There is a big focus on using these platforms securely, and BankID recently ran an ad campaign with some TV spots, telling how people should never share their BankID login, not even with their loved ones - https://youtu.be/OFJmX7A--w4
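The four-step flow the comment above describes, modelled as an added example (this is not part of the original post and not BankID's own code or protocol). It follows the commenter's assumption that the SIM holds a private key and the identity provider holds the matching public key. The word list, the PIN, the user identifier and the key material are all constructed; the signature is toy textbook RSA over two Mersenne primes, used only so the exchange runs offline. Real deployments use a vetted signature scheme and hardware key storage.

```python
# Added illustration of the challenge/response login flow described above.
# Assumptions (not from the post): asymmetric keys, a server-side nonce that
# binds the session, and a PIN that is checked inside the SIM before signing.
# The RSA parameters below are a toy so the example is self-contained.
import hashlib
import hmac
import secrets

# Constructed word list and toy key material (NOT real BankID values).
WORDS = ["apple", "river", "stone", "cloud", "maple", "tiger", "ocean", "ember"]
P = 2**61 - 1                    # Mersenne prime
Q = 2**89 - 1                    # Mersenne prime
N = P * Q
E = 65537                        # public exponent, held by the server
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the SIM


def _digest(data: bytes) -> int:
    """SHA-256 of the payload, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Sim:
    """Models the applet on the SIM: holds the private key and the user's PIN."""

    def __init__(self, pin: str, private_exp: int):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._d = private_exp

    def respond(self, challenge: dict, pin_entered: str):
        # Step 3: the PIN never leaves the SIM; a wrong PIN yields no response.
        entered = hashlib.sha256(pin_entered.encode()).digest()
        if not hmac.compare_digest(self._pin_hash, entered):
            return None
        # The signature covers the nonce AND the words the user confirmed.
        payload = f"{challenge['nonce']}|{challenge['words']}".encode()
        return pow(_digest(payload), self._d, N)


class Server:
    """Models the identity provider: issues single-use challenges, verifies responses."""

    def __init__(self, public_exp: int):
        self._e = public_exp
        self._pending = {}       # nonce -> words; consumed on first use

    def start_login(self, user_id: str) -> dict:
        # Steps 1 and 2: after identifying the user, issue a random nonce and
        # the two-word string shown both in the browser and on the phone.
        words = " ".join(secrets.choice(WORDS) for _ in range(2))
        nonce = secrets.token_hex(16)
        self._pending[nonce] = words
        return {"user": user_id, "nonce": nonce, "words": words}

    def finish_login(self, nonce: str, words_shown: str, signature) -> bool:
        # Step 4: the nonce must still be outstanding (a second use is a
        # replay), the words must match what the browser showed, and the
        # signature must verify under the SIM's public key.
        words = self._pending.pop(nonce, None)
        if words is None or words != words_shown or signature is None:
            return False
        payload = f"{nonce}|{words}".encode()
        return pow(signature, self._e, N) == _digest(payload)


def login(server: Server, sim: Sim, user_id: str, pin_entered: str,
          words_on_phone=None) -> bool:
    """Run the four steps end to end; words_on_phone lets a caller simulate
    the phone showing a different string than the browser (user aborts)."""
    challenge = server.start_login(user_id)                    # steps 1-2
    phone_words = challenge["words"] if words_on_phone is None else words_on_phone
    if phone_words != challenge["words"]:                      # step 3: compare
        return False                                            # user aborts
    sig = sim.respond(challenge, pin_entered)                   # step 3: PIN, sign
    return server.finish_login(challenge["nonce"], challenge["words"], sig)


if __name__ == "__main__":
    sim = Sim("1234", D)                 # constructed PIN
    srv = Server(E)
    print("correct PIN:", login(srv, sim, "01019012345", "1234"))
    print("wrong PIN:  ", login(srv, sim, "01019012345", "9999"))
```

Three checks carry the defensive weight: the PIN comparison happens on the SIM and a wrong PIN produces no signature at all, the signed payload includes the two-word string so a response cannot be bound to a different session than the one the user confirmed, and the server discards the nonce on first use so a captured response cannot be replayed.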


iOS supports STK, which allows the SIM to ask the phone to draw rudimentary UIs and ask for user-input. It would work just as well as on a dumb phone.



