> There is also already a clear precedent to allow delegation of access that require strong authentication IRL. For example, PostNord allows you to retrieve someone else's mail as long as you provide ID for both yourself and the recipient.
They have the same service in their app with BankID + QR code (at least for packages).
It wouldn't work, because services using BankID want a (presumably contractually-obligated) assurance that only that particular person is using the service. If someone else can be authorised use your ID, it undermines that.
They could still add such a feature of course, but they would need to inform and have the co-operation of services when someone else is using the ID, so it wouldn't be widely supported.
Person A initiates and signs request to delegate for Person B. Person B receives the delegation request and signs it, which produces a positive response. The response (containing Person B's signature= is then 'wrapped' in Person A's request and is only sent on the to destination.
They have the same service in their app with BankID + QR code (at least for packages).