In fact, the architecture seems to involve the "applet" (in fact, an "application" if one uses the dot-com era terminology) calling out to other Internet addresses and performing some kind of authentication dance. Of course, all this is in vain if the system is down, which then means you can just use the old-fashioned login mechanisms instead. Which the banks have kept around because BankID does go down every now and again.
My feeling is that a bunch of people got a budget to develop their own local solution in the hope that they could make it a more broadly adopted standard. However, every nation's banking sector probably has its eyes on the same prize, so those dreams will never play out. They were influenced enough to make it work only with a single vendor's technology - it's what the consultants know, after all - and the consequence of that is that everyone is now exposed to that vendor's fantastic track record in fixing security issues in a timely fashion.
Copyright © 2017, Eklektix, Inc.