Medium complexity · Extracted · Authentication & Access Control · Confidence: 100%
Components: 3 · Shared: 32 · User Stories: 0 · Analyzed: Yes

Description

Biometric Login allows users who have already authenticated via email/password, BankID, or Vipps to use Face ID or fingerprint recognition for subsequent app sessions. The feature does not replace the primary authentication method but acts as a fast, low-friction session unlock after the initial strong authentication. Secure tokens are stored in the device's hardware-backed secure enclave, and biometric authentication is used locally to release the stored credential for a new session without transmitting biometric data to any server.

User Flow

[Figure: Biometric Login (Face ID / Fingerprint) user flow]

Analysis

Business Value

Peer mentors often register activities immediately after completing them, frequently opening the app multiple times per day. Biometric login dramatically reduces the friction of these repeated authentications, directly supporting the core design principle of minimum cognitive load. All three workshops mentioned biometric login as the expected post-onboarding session mechanism. For users with motor impairments or cognitive challenges, Face ID or fingerprint is significantly easier than re-entering credentials, aligning with the platform's strong WCAG 2.2 AA and cognitive accessibility commitments.

Implementation Notes

Flutter's local_auth package provides cross-platform biometric authentication (Face ID on iOS, fingerprint/face on Android). On a successful biometric check, the app retrieves the stored JWT refresh token from flutter_secure_storage and performs a silent token refresh with the backend. Biometric data never leaves the device; only the resulting token exchange touches the network. The feature must gracefully fall back to PIN or password if biometrics fail or are not enrolled. Users should be prompted once after first login to enable biometrics, with the option to defer. BLoC handles the biometric auth state and token refresh flow.
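
One way the unlock-and-refresh flow described above could be wired up, as an added example (not code from the project). It assumes the local_auth 2.x API (`AuthenticationOptions`), the `http` package, and a hypothetical refresh endpoint, storage key and JSON field names (`refresh_token`, `access_token`).

```dart
import 'dart:convert';
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:http/http.dart' as http;
import 'package:local_auth/local_auth.dart';
enum UnlockResult { unlocked, fallbackToPinOrPassword, reauthenticate, retryLater }
class BiometricUnlock {
  BiometricUnlock(this.refreshUrl);
  final Uri refreshUrl; // hypothetical backend refresh endpoint
  static const tokenKey = 'refresh_token'; // hypothetical storage key
  final _auth = LocalAuthentication();
  final _storage = const FlutterSecureStorage();
  String? accessToken; // held in memory only, never persisted
  Future<UnlockResult> unlock() async {
    try {
      // No hardware or nothing enrolled: use the PIN/password fallback.
      if (!await _auth.isDeviceSupported() ||
          (await _auth.getAvailableBiometrics()).isEmpty) {
        return UnlockResult.fallbackToPinOrPassword;
      }
      final ok = await _auth.authenticate(
        localizedReason: 'Unlock your session',
        options: const AuthenticationOptions(biometricOnly: true),
      );
      if (!ok) return UnlockResult.fallbackToPinOrPassword;
    } on PlatformException {
      return UnlockResult.fallbackToPinOrPassword; // lockout, cancelled, etc.
    }
    // App-level gate: this read is not itself bound to the biometric result.
    final refresh = await _storage.read(key: tokenKey);
    if (refresh == null) return UnlockResult.reauthenticate;
    // Assumed JSON fields. Transport errors propagate; the stored token is kept.
    final res = await http.post(refreshUrl,
        headers: {'Content-Type': 'application/json'},
        body: jsonEncode({'refresh_token': refresh}));
    if (res.statusCode == 200) {
      final body = jsonDecode(res.body) as Map<String, dynamic>;
      accessToken = body['access_token'] as String;
      final rotated = body['refresh_token'] as String?;
      if (rotated != null) await _storage.write(key: tokenKey, value: rotated);
      return UnlockResult.unlocked;
    }
    if (res.statusCode == 401) {
      await _storage.delete(key: tokenKey); // revoked/expired: drop it
      return UnlockResult.reauthenticate;
    }
    return UnlockResult.retryLater;
  }
}
```

A BLoC can map the four `UnlockResult` values to its states; `reauthenticate` routes the user back to email/password, BankID, or Vipps.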

Components (35)

User Interface (1)

Service Layer (1)

Data Layer (1)

Shared Components

These components are reused across multiple features

User Stories

No user stories have been generated for this feature yet.