Authentication Methods (Passkeys)
Feature Detail
Description
This feature allows users to register and manage passkeys as an additional or primary authentication method for the Meander Mobile App. Passkeys use device-bound cryptographic credentials (FIDO2/WebAuthn standard) stored in the device's secure enclave, providing phishing-resistant authentication without requiring a password. Users can register multiple passkeys (e.g., across devices), view registered passkeys, and revoke individual passkeys from their account settings. This feature complements the existing biometric login by providing a standards-based credential that can work across device replacements and organizational onboarding flows.
User Flow
Analysis
Passkeys represent the modern standard for secure, user-friendly authentication and are increasingly expected by enterprise and public-sector customers. For Meander's target audience - which includes users with varying digital literacy - passkeys eliminate password fatigue and reduce account recovery support requests. For organizations handling sensitive personal data (encrypted assignments, health-related contacts), passkeys provide stronger authentication guarantees than passwords while being easier to use than BankID for day-to-day access. Adoption of passkeys signals platform maturity to prospective organizational buyers and aligns with Norwegian public sector digital security expectations, supporting the sales website's compliance messaging.
Implement using the FIDO2/WebAuthn standard via Flutter's local_auth and a WebAuthn-compatible backend endpoint. The Passkey Service handles credential creation (the platform-API equivalent of navigator.credentials.create), server-side storage of the public key material in a dedicated credentials table linked to the users table, and assertion verification on login. The Passkey Setup Screen should guide users through device capability detection, the registration flow, and confirmation. The backend must implement challenge-response nonce management to prevent replay attacks: each login or registration ceremony gets a fresh random challenge, and the server accepts a given challenge at most once. Fallback to email/password must always be available in case passkey authentication fails or the device changes. Ensure the implementation is tested against iOS (Face ID + passkey) and Android (fingerprint + passkey) device configurations.