Authentication & Access Control
Tags: high complexity, extracted | Confidence: 100%
Components: 3 | Shared: 4 | User Stories: 0 | Analyzed: Yes

Description

Passkeys (WebAuthn) provide phishing-resistant, passwordless authentication using device-bound asymmetric key pairs synced via iCloud Keychain or Google Password Manager. Users register a passkey during onboarding and subsequently authenticate with a biometric or device PIN without entering a password. The feature follows the FIDO2/WebAuthn standard and positions Meander for the industry-wide shift away from shared secrets, with particular accessibility benefits for users with motor or cognitive impairments who struggle with password management.

Sources & reasoning

Passkeys are not mentioned in the source document. The feature appears in the authoritative blueprint with target_release v1.1. No phase evidence exists in source docs, so blueprint assignment is used directly. v1.1 aligns with Phase 3 ordinal position. The feature is a logical evolution of the biometric-login foundation and industry direction for passwordless auth on iOS/Android.

No source references — this artifact was included based on reasoning alone (see above).

Analysis

Business Value

Passkeys eliminate the entire class of phishing and credential-stuffing attacks by replacing shared secrets with cryptography bound to specific relying parties. For a platform handling encrypted sensitive assignments, personal health data, and financial reimbursements, this is a meaningful long-term security improvement. From a usability perspective, passkeys reduce the support burden around forgotten passwords - a real concern for elderly and cognitively impaired peer mentors. Platform adoption among non-technical users is accelerating rapidly on both iOS and Android as the native UX matures, making early adoption a strategic advantage for Meander's target demographic.

Implementation Notes

Implemented in Flutter using the credential_manager or flutter_passkeys plugin, which wraps the platform-native WebAuthn APIs (AuthenticationServices on iOS 16+, Credential Manager on Android 9+). The backend Authentication Module handles WebAuthn registration and authentication ceremonies: registration stores the public key in the passkey_credentials table; authentication verifies the signed challenge. The relying party ID must match the app's associated domain configured in Apple App Site Association and Digital Asset Links. Cross-device passkey sync must be tested across device-restore scenarios. The feature must degrade gracefully to email/password on unsupported OS versions.
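The server side of the authentication ceremony described above (verifying the signed challenge against the public key stored at registration) is the part most often got wrong, so here is an added worked example. It is not Meander's code and not part of any named plugin; the RP ID, origin, and table shape are assumed, and a small stand-in authenticator is constructed inline so the whole ceremony runs offline with the Go standard library. It checks the items the relying party is responsible for: ceremony type, challenge, origin, rpIdHash, the user-presence flag, the signature counter, and the ES256 signature over authenticatorData || SHA-256(clientDataJSON). The demo then shows why this is phishing-resistant: an assertion produced for a look-alike origin is rejected even though the key, challenge and signature are all valid.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party settings; Meander's real RP ID and origin are not given on the page.
const (
	rpID   = "app.example.invalid"
	origin = "https://app.example.invalid"
)

// StoredCredential is the subset of a passkey_credentials row the ceremony needs:
// the public key saved at registration and the last signature counter seen.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// clientData holds the CollectedClientData fields the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion is the server side of the authentication ceremony for an ES256 passkey.
func VerifyAssertion(cred *StoredCredential, challenge, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != origin { // filled in by the browser/OS, so a phishing page cannot forge it
		return errors.New("origin mismatch")
	}
	if len(authData) < 37 { // rpIdHash (32) || flags (1) || signCount (4)
		return errors.New("authenticatorData too short")
	}
	wantHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], wantHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 { // flags bit 0 = UP (user present)
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], sig) {
		return errors.New("signature invalid")
	}
	cred.SignCount = count // persist the new counter only after every check passed
	return nil
}

// fakeAuthenticator stands in for the platform authenticator and builds a constructed
// assertion: authenticatorData (rpIdHash || flags || counter), clientDataJSON and the signature.
func fakeAuthenticator(priv *ecdsa.PrivateKey, challenge []byte, count uint32, rp, org string) (authData, cdJSON, sig []byte) {
	h := sha256.Sum256([]byte(rp))
	authData = append(h[:], 0x01)
	authData = binary.BigEndian.AppendUint32(authData, count)
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: org})
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, cdJSON, sig
}

// Outcome records what the demo ceremony produced for each scenario.
type Outcome struct{ GenuineOK, ReplayRejected, PhishedOriginRejected bool }

// Demo registers a constructed credential, then runs a genuine assertion, a replay of the
// same assertion, and an assertion the authenticator produced for a look-alike origin.
func Demo() Outcome {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &StoredCredential{PublicKey: &priv.PublicKey}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	ad, cd, sig := fakeAuthenticator(priv, challenge, 1, rpID, origin)
	var o Outcome
	o.GenuineOK = VerifyAssertion(cred, challenge, ad, cd, sig) == nil
	o.ReplayRejected = VerifyAssertion(cred, challenge, ad, cd, sig) != nil
	ad, cd, sig = fakeAuthenticator(priv, challenge, 2, rpID, "https://app-example.invalid")
	o.PhishedOriginRejected = VerifyAssertion(cred, challenge, ad, cd, sig) != nil
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Two caveats for the real implementation: the challenge must be generated server-side per login and invalidated after one use (here the replay is caught by the counter only because the same challenge was reused for illustration), and passkeys synced through iCloud Keychain or Google Password Manager commonly report a signature counter of 0, so the counter check above follows the WebAuthn rule of only comparing when either value is non-zero and is a weak clone signal for synced credentials. Registration additionally needs COSE public-key parsing and an attestation policy decision, which this example does not cover.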

User Stories

No user stories have been generated for this feature yet.