medium complexity · extracted · Authentication & Access Control · Confidence: 100%
Components: 3 · Shared: 4 · User Stories: 0 · Analyzed: Yes

Description

Biometric login allows users to unlock their Meander session using Face ID or fingerprint recognition after completing an initial full-credential authentication. It is not a standalone identity method but a session continuation mechanism that retrieves a device-bound token from the secure enclave and presents a local biometric prompt on subsequent launches. The feature removes daily sign-in friction for peer mentors who open the app multiple times per day to log activities, without transmitting any biometric data to the server.

Sources & reasoning

Lines 42 and 276 describe biometric login explicitly as a post-initial-login session mechanism co-delivered with BankID/Vipps. BankID/Vipps are Phase 2 (v1.0) per the priority matrix. Biometric depends on a prior full-credential session and is naturally co-delivered in Phase 2. Blueprint confirms v1.0.

  • docs/source/likeperson.md · line 42
    with biometric login (Face ID / fingerprint) afterwards
  • docs/source/likeperson.md · line 276
    Biometric session unlock (Face ID / fingerprint) after first login. Mobile stores tokens in the platform secure store

Analysis

Business Value

Peer mentors and coordinators open the Meander app multiple times per day to register activities, check contacts, and track assignments. Requiring full password entry on every launch would create significant friction, particularly for users with motor or cognitive disabilities - a core demographic for all four partner organisations. Biometric unlock removes this friction while maintaining security: the refresh token is stored in the device secure enclave and biometric verification happens locally. This directly supports WCAG 2.2 AA goals by reducing cognitive and motor load for high-frequency interactions, and is the authentication pattern explicitly described in the source document for post-login use.

Implementation Notes

Implemented in Flutter using the local_auth plugin, which abstracts Face ID on iOS and fingerprint/face recognition on Android. On successful biometric verification, the app retrieves the stored refresh token from flutter_secure_storage and silently exchanges it for a new access token via the Authentication Module. No biometric data ever leaves the device; verification is delegated entirely to the OS. If the user has not enrolled biometrics, or cancels the prompt, the app falls back gracefully to password entry without showing an error. If the refresh token has expired or been revoked, the user is redirected to full sign-in regardless of biometric success.
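The flow above, written out as an added Dart example (not code from the Meander project): a biometric prompt via local_auth, a read of the refresh token from flutter_secure_storage, a silent exchange against the Authentication Module, and the two non-error exits the notes require (fall back to the password form when biometrics are unavailable, not enrolled, or cancelled; route to full sign-in when the token is missing, expired, or revoked). The class and enum names, the storage key `meander.refresh_token`, and the `exchangeRefreshToken` callback standing in for the Authentication Module's refresh endpoint are assumptions; the plugin calls and error codes are the real local_auth and flutter_secure_storage APIs.

```dart
// Added example, not Meander project code. Assumed names: BiometricUnlock,
// UnlockOutcome, UnlockResult, TokenPair, kRefreshTokenKey, exchangeRefreshToken.
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/error_codes.dart' as auth_error;
import 'package:local_auth/local_auth.dart';

/// Storage key for the device-bound refresh token (assumed name).
const String kRefreshTokenKey = 'meander.refresh_token';

/// Where the app goes next after an unlock attempt.
enum UnlockOutcome {
  /// Biometric passed and the refresh token was exchanged; session continues.
  unlocked,
  /// No biometrics enrolled, prompt cancelled, or hardware unavailable:
  /// show the password form with no error banner.
  fallbackToPassword,
  /// No stored token, or the server rejected it (expired/revoked):
  /// route to full-credential sign-in even though the biometric check passed.
  requireFullSignIn,
}

class UnlockResult {
  const UnlockResult(this.outcome, {this.accessToken});
  final UnlockOutcome outcome;
  final String? accessToken;
}

/// Rotated token pair returned by the refresh endpoint (assumed shape).
class TokenPair {
  const TokenPair({required this.accessToken, required this.refreshToken});
  final String accessToken;
  final String refreshToken;
}

/// Calls the Authentication Module's refresh endpoint (assumed). Returns null
/// when the refresh token is expired or revoked. Injected so it can be stubbed.
typedef RefreshExchange = Future<TokenPair?> Function(String refreshToken);

class BiometricUnlock {
  BiometricUnlock({
    required this.exchangeRefreshToken,
    LocalAuthentication? auth,
    FlutterSecureStorage? storage,
  })  : _auth = auth ?? LocalAuthentication(),
        _storage = storage ?? const FlutterSecureStorage();

  final RefreshExchange exchangeRefreshToken;
  final LocalAuthentication _auth;
  final FlutterSecureStorage _storage;

  Future<UnlockResult> attempt() async {
    // 1. Can this device show a local biometric prompt at all?
    final bool supported =
        await _auth.canCheckBiometrics || await _auth.isDeviceSupported();
    if (!supported) {
      return const UnlockResult(UnlockOutcome.fallbackToPassword);
    }

    // 2. Ask the OS to verify the user. Biometric data never reaches the app;
    //    it only learns a boolean.
    bool verified;
    try {
      verified = await _auth.authenticate(
        localizedReason: 'Unlock your Meander session',
        options: const AuthenticationOptions(biometricOnly: true, stickyAuth: true),
      );
    } on PlatformException catch (e) {
      // Not enrolled, locked out, no passcode or no hardware: all of these
      // mean "show the password form", not an error screen.
      if (e.code == auth_error.notEnrolled ||
          e.code == auth_error.notAvailable ||
          e.code == auth_error.lockedOut ||
          e.code == auth_error.permanentlyLockedOut ||
          e.code == auth_error.passcodeNotSet) {
        return const UnlockResult(UnlockOutcome.fallbackToPassword);
      }
      rethrow;
    }
    if (!verified) {
      // The user cancelled the prompt.
      return const UnlockResult(UnlockOutcome.fallbackToPassword);
    }

    // 3. Only after a successful prompt, read the device-bound refresh token.
    final String? refreshToken = await _storage.read(key: kRefreshTokenKey);
    if (refreshToken == null) {
      return const UnlockResult(UnlockOutcome.requireFullSignIn);
    }

    // 4. Exchange it silently. A null reply means expired or revoked on the
    //    server; clear the stale token so the next launch goes straight to sign-in.
    final TokenPair? pair = await exchangeRefreshToken(refreshToken);
    if (pair == null) {
      await _storage.delete(key: kRefreshTokenKey);
      return const UnlockResult(UnlockOutcome.requireFullSignIn);
    }

    // Persist the rotated refresh token; the access token stays in memory only.
    await _storage.write(key: kRefreshTokenKey, value: pair.refreshToken);
    return UnlockResult(UnlockOutcome.unlocked, accessToken: pair.accessToken);
  }
}
```

Two design points worth noting: the biometric check and the storage read are separate steps, so the prompt's result gates the token only in app logic, not at the keystore level, and the server-side token check is authoritative, which is why a revoked token sends the user to full sign-in even when the biometric prompt succeeded.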

User Stories

No user stories have been generated for this feature yet.