Authentication & Access Control
Extracted feature, medium complexity, confidence: 100%
Components: 4 | Shared components: 198 | User Stories: 18 | Analyzed: Yes

Description

After the initial login via email/password or BankID/Vipps, users can authenticate subsequent sessions using device biometrics — Face ID on iPhone or fingerprint on supported devices. This reduces friction for frequent users such as peer mentors logging multiple activities per week. Biometric auth is a local device-level gate; the underlying Supabase session token is refreshed upon successful biometric verification. If biometrics fail or are unavailable, fallback to credential login is required.

Analysis

Business Value

Significantly reduces login friction for daily or weekly users, supporting the core design principle of minimal cognitive load and fewest possible steps to complete a registration.

Implementation Notes

Use the Flutter local_auth package for the biometric prompt. Store the session token in flutter_secure_storage (backed by the iOS Keychain or Android Keystore). Show the biometric prompt on app resume only if the stored session is still valid. The fallback path to email/password login must always be accessible.
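The resume gate these notes describe, as an added example that is not the project's own code: it persists the Supabase session in secure storage, gates resume behind up to three biometric attempts (the limit the user stories specify), refreshes the token after a successful check, and routes every failure to the credential fallback. It assumes the public APIs of local_auth 2.x, flutter_secure_storage 9.x and supabase_flutter 2.x (recoverSession, refreshSession, Session.persistSessionString, Session.isExpired, AuthRetryableFetchException); the class name, the storage key and the ResumeOutcome enum are hypothetical.

```dart
// Added example, not the project's own code. Assumed package APIs:
// local_auth 2.x, flutter_secure_storage 9.x, supabase_flutter 2.x.
// BiometricSessionGate, ResumeOutcome and the storage key are hypothetical.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:local_auth/local_auth.dart';
import 'package:supabase_flutter/supabase_flutter.dart';

/// What the app should do after a resume attempt; the router picks the screen.
enum ResumeOutcome { resumed, credentialsRequired, biometricsUnavailable }

class BiometricSessionGate {
  BiometricSessionGate({
    FlutterSecureStorage? storage,
    LocalAuthentication? localAuth,
    GoTrueClient? supabaseAuth,
  })  : _storage = storage ?? const FlutterSecureStorage(),
        _localAuth = localAuth ?? LocalAuthentication(),
        _supabaseAuth = supabaseAuth ?? Supabase.instance.client.auth;

  final FlutterSecureStorage _storage;
  final LocalAuthentication _localAuth;
  final GoTrueClient _supabaseAuth;

  // Hypothetical key. flutter_secure_storage keeps the value in the iOS
  // Keychain / Android Keystore, never in SharedPreferences.
  static const _sessionKey = 'supabase_session';
  static const _maxAttempts = 3;

  /// Call once after a successful credential or BankID/Vipps login.
  Future<void> persistCurrentSession() async {
    final session = _supabaseAuth.currentSession;
    if (session == null) return;
    await _storage.write(key: _sessionKey, value: session.persistSessionString);
  }

  /// Call when the user switches biometric login off in settings: the stored
  /// credential is removed at once, so the next launch needs a full login.
  Future<void> disable() => _storage.delete(key: _sessionKey);

  /// Call on app resume. Only a stored session is ever gated by biometrics;
  /// every failure path ends at the credential login screen.
  Future<ResumeOutcome> resume() async {
    final stored = await _storage.read(key: _sessionKey);
    if (stored == null) return ResumeOutcome.credentialsRequired;

    // Biometrics are a local gate: check the device before prompting, so a
    // device without a sensor gets a plain message instead of a failing prompt.
    final supported = await _localAuth.isDeviceSupported() &&
        await _localAuth.canCheckBiometrics;
    if (!supported) return ResumeOutcome.biometricsUnavailable;

    // Up to three attempts, then the fallback path (credential login).
    var verified = false;
    for (var attempt = 0; attempt < _maxAttempts && !verified; attempt++) {
      verified = await _localAuth.authenticate(
        localizedReason: 'Unlock the app to continue',
        options: const AuthenticationOptions(
          biometricOnly: true, // the app, not the OS passcode, owns the fallback
          stickyAuth: true, // keep the prompt alive if the app is backgrounded
        ),
      );
    }
    if (!verified) return ResumeOutcome.credentialsRequired;

    // Restore the cached session locally; an expired or unparsable one is
    // dropped so the biometric prompt is not shown again for a dead session.
    final cached = await _recover(stored);
    if (cached == null) {
      await _storage.delete(key: _sessionKey);
      return ResumeOutcome.credentialsRequired;
    }

    // Only now touch the network: refresh the token. If the device is offline,
    // keep working with the cached session as long as it has not expired.
    var active = cached;
    try {
      final refreshed = await _supabaseAuth.refreshSession();
      active = refreshed.session ?? cached;
    } on AuthRetryableFetchException {
      if (cached.isExpired) {
        await _storage.delete(key: _sessionKey);
        return ResumeOutcome.credentialsRequired;
      }
    }
    await _storage.write(key: _sessionKey, value: active.persistSessionString);
    return ResumeOutcome.resumed;
  }

  Future<Session?> _recover(String stored) async {
    try {
      return (await _supabaseAuth.recoverSession(stored)).session;
    } on AuthException {
      return null;
    }
  }
}
```

The gate never refreshes before the biometric check succeeds, so a stolen device still needs the biometric to obtain a fresh token, and a refresh rejected by the server wipes the local copy rather than re-prompting for a session that can no longer be used.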

Components (202)

Feature-specific components (4): User Interface (2), Service Layer (1), Infrastructure (1)

Shared Components

These components are reused across multiple features

User Interface (59)

  • Role Switch Widget (medium)
  • Role-Aware Bottom Navigation (medium)
  • Activity Type Selection Screen (low)
  • Speech-to-Text Field Overlay (medium)
  • Receipt Capture Widget (medium)
  • Peer Mentor Single Selector (low)
  • Proxy Audit Badge Widget (low)
  • Export Period Picker (low)
  • Contact Card Widget (low)
  • Contact Search Bar (low)
  • Peer Mentor Card Widget (low)
  • Activity History List (low)
  • Multi-Chapter Affiliation Chip Widget (medium)
  • Certification Status Badge (low)
  • Duplicate Activity Warning Dialog (medium)
  • Mentor Multi-Select Widget (medium)
  • Map Filter Panel (medium)
  • Claim Status Badge (low)
  • Export Date Range Picker (low)
  • Custom Date Range Picker (low)
  • Duplicate Activity Warning Dialog (low)
  • Proxy Activity Form (medium)
  • Proxy Peer Mentor Selector (medium)
  • Expected Return Date Picker (low)
  • Pause Activation Screen (low)
  • Pause Status Indicator (low)
  • Admin KPI Stat Widget (low)
  • Organisation Hierarchy Navigator (high)
  • Bufdir Period Selector Widget (low)
  • Export History List (medium)
  • Activity Type Donut Chart (medium)
  • Monthly Activity Bar Chart (medium)
  • Statistics Period Filter Bar (low)
  • Statistics Summary Cards (low)
  • Notification Badge Widget (low)
  • Certificate Expiry Status Indicator (low)
  • Animated Stat Card Widget (medium)
  • In-App Notification Banner (low)
  • Accessible Modal Sheet Widget (high)
  • Live Region Announcer (medium)
  • Semantics Wrapper Widget (medium)
  • Sensitive Field Warning Dialog (high)
  • Confirm Before Submit Screen (medium)
  • Inline Contextual Help Widget (low)
  • Labelled Navigation Bar (low)
  • Plain Language Error Display (low)
  • Single-Action Screen Layout (medium)
  • Wizard Progress Indicator (low)
  • Accessible Text Style System (medium)
  • Accessible Touch Target Wrapper (low)
  • Contrast-Safe Color Palette Widget (medium)
  • Accessible Bottom Navigation Bar (medium)
  • Modal Close Button (low)
  • Persistent Back Button (low)
  • Vertical Scroll Container (low)
  • Organization Card Widget (low)
  • Terminology-Aware Text Widget (low)
  • FeatureGate Widget (low)
  • Chapter Switcher (medium)

Service Layer (52)

  • Authentication Service (medium)
  • Authentication Session Manager (medium)
  • Biometric Authentication Service (medium)
  • Biometric Authentication Service (medium)
  • Biometric Authentication Service (medium)
  • Permission Checker Service (medium)
  • Role State Manager (medium)
  • No-Access Route Guard (low)
  • Activity Type Metadata Resolver (low)
  • Chapter Scope Resolver (medium)
  • Organisation Hierarchy Resolver (medium)
  • Coordinator Notification Service (medium)
  • Duplicate Activity Detection Service (high)
  • Mentor Filter Service (low)
  • Receipt Threshold Validator (low)
  • Approval Status Notification Service (medium)
  • Threshold Evaluation Service (medium)
  • Declaration Encryption Service (high)
  • Organization Feature Flag Service (low)
  • Participant Deduplication Service (high)
  • Reporting Period Service (medium)
  • Activity Attribution Service (low)
  • Proxy Duplicate Detection Service (medium)
  • Pause Management Service (medium)
  • Pause Notification Service (medium)
  • Admin Export Service (medium)
  • Admin Row-Level Security Guard (high)
  • Organisation Hierarchy Service (high)
  • User Management Service (high)
  • Role Access Validator (low)
  • Peer Mentor Stats Aggregator (medium)
  • Push Notification Dispatcher (medium)
  • Notification Preference Service (low)
  • Scenario Deep-Link Router (medium)
  • Scenario Notification Content Builder (medium)
  • Badge Criteria Integration (medium)
  • Activity Summary Aggregator (low)
  • Focus Management Service (medium)
  • Screen Reader Detection Service (medium)
  • Sensitive Field Privacy Guard (high)
  • Plain Language Content Service (medium)
  • Wizard State Manager (medium)
  • Tab State Manager (medium)
  • Organization Route Guard (medium)
  • Tenant Context Service (high)
  • Label Key Resolver Service (low)
  • Organization Labels Notifier (medium)
  • FeatureFlagProvider (Riverpod) (medium)
  • Access Scope Service (high)
  • Hierarchy Aggregation Service (high)
  • Hierarchy Service (high)
  • Unit Assignment Service (medium)

Data Layer (33)

Infrastructure (54)

  • Keyboard-Aware Layout Utility (low)
  • Supabase Auth Client (low)
  • Deep Link / OAuth Redirect Handler (medium)
  • Secure Storage Adapter (low)
  • Supabase Session Manager (medium)
  • URL Launcher Utility (low)
  • Local Storage Adapter (low)
  • Supabase Activity Client (low)
  • Organization Labels Provider (low)
  • Supabase Client (low)
  • Organisation Field Config Loader (medium)
  • Speech-to-Text Adapter (medium)
  • File Download Handler (low)
  • Duplicate Reviewed Flag Middleware (low)
  • Contact RLS Query Builder (low)
  • Contact Form Validator (low)
  • Design Token Theme (low)
  • Organization Labels Provider (low)
  • Supabase Client Provider (low)
  • Search Debounce Utility (low)
  • Expense Type Analytics Tracker (low)
  • Receipt Image Picker Integration (low)
  • CSV / JSON File Generator (medium)
  • Coordinator Role Guard (low)
  • Nightly Job Scheduler (medium)
  • Supabase RLS Policy Configuration (high)
  • Export File Storage Adapter (low)
  • Supabase Storage Adapter (low)
  • Peer Mentor Pause Management Service (medium)
  • Push Notification Service (medium)
  • fl_chart Adapter (medium)
  • Push Notification Service (low)
  • FCM Push Notification Sender (medium)
  • FCM Notification Dispatcher (medium)
  • Push Notification Dispatcher (medium)
  • Supabase Realtime Subscription Service (medium)
  • Organisation Data Isolation Guard (low)
  • Push Notification Dispatcher (medium)
  • Deep Link Handler (medium)
  • QR Code Generator (low)
  • Share Sheet Bridge (low)
  • Semantics Service Facade (medium)
  • Accessibility Design Token Enforcer (medium)
  • Accessible Theme Builder (medium)
  • Navigation Route Configuration (medium)
  • Accessibility Live Region Announcer (low)
  • Feature Flag Provider (low)
  • Secure Storage Adapter (low)
  • Supabase RLS Tenant Scope Configurator (medium)
  • Label Key Registry (low)
  • Terminology Riverpod Providers (low)
  • WCAG Semantics Label Resolver (low)
  • Feature Flag Key Constants (low)
  • RLS Policy Manager (high)

User Stories (18)

Be Prompted to Re-Authenticate When My Session Becomes Sensitive
Priority: medium, 5 story points

As a Peer Mentor (Likeperson)

I want to be asked to re-authenticate with biometrics when I access sensitive operations like viewing encrypted contact details or submitting expense claims

So that the app protects sensitive data while still allowing low-friction access to routine registration tasks, without requiring me to log in and out repeatedly

Acceptance Criteria
  • Given I am in an active session and navigate to a screen that displays encrypted personal data, When the screen loads, Then a biometric prompt overlay is displayed before the sensitive content is revealed
  • Given the biometric step-up prompt is shown, When I authenticate successfully, Then the sensitive content is decrypted and displayed immediately
  • Given the biometric step-up prompt is shown, When I cancel or fail biometric authentication, Then the sensitive content remains hidden and I am offered a password fallback or navigation back
  • +3 more

Continue Using the App Offline After Biometric Authentication
Priority: medium, 8 story points

As a Peer Mentor (Likeperson)

I want to be able to authenticate with biometrics and use the app even when I have no internet connection

So that I can register activities immediately after a visit even in areas with poor connectivity, and trust that my data will sync when I am back online

Acceptance Criteria
  • Given I am authenticated and then lose network connectivity, When I try to register an activity, Then the registration flow works normally and data is queued for sync
  • Given I am offline and the app is relaunched, When I authenticate with biometrics, Then the local biometric check succeeds and I can access the app using cached data
  • Given I am offline after biometric authentication, When I navigate to a screen requiring live data, Then I see a clear non-alarming offline indicator and can view cached data where available
  • +3 more

Be Prompted to Re-Authenticate When My Session Becomes Sensitive
Priority: medium, 5 story points

As a Coordinator

I want to be asked to re-authenticate with biometrics when I access sensitive operations like viewing encrypted contact details or submitting expense claims

So that the app protects sensitive data while still allowing low-friction access to routine registration tasks, without requiring me to log in and out repeatedly

Acceptance Criteria
  • Given I am in an active session and navigate to a screen that displays encrypted personal data, When the screen loads, Then a biometric prompt overlay is displayed before the sensitive content is revealed
  • Given the biometric step-up prompt is shown, When I authenticate successfully, Then the sensitive content is decrypted and displayed immediately
  • Given the biometric step-up prompt is shown, When I cancel or fail biometric authentication, Then the sensitive content remains hidden and I am offered a password fallback or navigation back
  • +3 more

Continue Using the App Offline After Biometric Authentication
Priority: medium, 8 story points

As a Coordinator

I want to be able to authenticate with biometrics and use the app even when I have no internet connection

So that I can register activities immediately after a visit even in areas with poor connectivity, and trust that my data will sync when I am back online

Acceptance Criteria
  • Given I am authenticated and then lose network connectivity, When I try to register an activity, Then the registration flow works normally and data is queued for sync
  • Given I am offline and the app is relaunched, When I authenticate with biometrics, Then the local biometric check succeeds and I can access the app using cached data
  • Given I am offline after biometric authentication, When I navigate to a screen requiring live data, Then I see a clear non-alarming offline indicator and can view cached data where available
  • +3 more

Be Prompted to Re-Authenticate When My Session Becomes Sensitive
Priority: medium, 5 story points

As an Organization Administrator

I want to be asked to re-authenticate with biometrics when I access sensitive operations like viewing encrypted contact details or submitting expense claims

So that the app protects sensitive data while still allowing low-friction access to routine registration tasks, without requiring me to log in and out repeatedly

Acceptance Criteria
  • Given I am in an active session and navigate to a screen that displays encrypted personal data, When the screen loads, Then a biometric prompt overlay is displayed before the sensitive content is revealed
  • Given the biometric step-up prompt is shown, When I authenticate successfully, Then the sensitive content is decrypted and displayed immediately
  • Given the biometric step-up prompt is shown, When I cancel or fail biometric authentication, Then the sensitive content remains hidden and I am offered a password fallback or navigation back
  • +3 more

Continue Using the App Offline After Biometric Authentication
Priority: medium, 8 story points

As an Organization Administrator

I want to be able to authenticate with biometrics and use the app even when I have no internet connection

So that I can register activities immediately after a visit even in areas with poor connectivity, and trust that my data will sync when I am back online

Acceptance Criteria
  • Given I am authenticated and then lose network connectivity, When I try to register an activity, Then the registration flow works normally and data is queued for sync
  • Given I am offline and the app is relaunched, When I authenticate with biometrics, Then the local biometric check succeeds and I can access the app using cached data
  • Given I am offline after biometric authentication, When I navigate to a screen requiring live data, Then I see a clear non-alarming offline indicator and can view cached data where available
  • +3 more

See a Clear Message When Biometrics Are Unavailable on My Device
Priority: high, 3 story points

As a Peer Mentor (Likeperson)

I want to receive a clear and non-alarming message when my device does not support biometric authentication or when it is temporarily unavailable

So that I understand why biometric login is not offered and know what alternative I should use, without feeling that something is broken or that my account is compromised

Acceptance Criteria
  • Given my device has no biometric hardware, When biometric setup is attempted, Then a banner explains that biometric login is not available on this device and I am directed to use password login
  • Given my device has biometrics disabled at the OS level, When I attempt biometric login, Then a clear message tells me to enable biometrics in device settings or use password login instead
  • Given biometric authentication fails due to too many failed attempts and the sensor locks, When I open the app, Then I am immediately shown the fallback login screen with a plain-language explanation
  • +3 more

Enable or Disable Biometric Authentication from Settings
Priority: high, 5 story points

As a Peer Mentor (Likeperson)

I want to choose whether to enable biometric authentication and be able to turn it off if I change my mind

So that I have control over my security preferences and can accommodate personal or organizational security policies without being locked into a configuration I did not choose

Acceptance Criteria
  • Given I complete first-time login successfully, When I reach the biometric setup prompt, Then I am shown a clear explanation of what biometric login does, with options to enable or skip
  • Given I chose to skip biometric setup during onboarding, When I open the app settings later, Then I can find a 'Biometric Login' toggle and enable it at any time
  • Given I have biometric authentication enabled, When I toggle it off in settings, Then my biometric session credential is removed from secure storage immediately
  • +3 more

See a Clear Message When Biometrics Are Unavailable on My Device
Priority: high, 3 story points

As a Coordinator

I want to receive a clear and non-alarming message when my device does not support biometric authentication or when it is temporarily unavailable

So that I understand why biometric login is not offered and know what alternative I should use, without feeling that something is broken or that my account is compromised

Acceptance Criteria
  • Given my device has no biometric hardware, When biometric setup is attempted, Then a banner explains that biometric login is not available on this device and I am directed to use password login
  • Given my device has biometrics disabled at the OS level, When I attempt biometric login, Then a clear message tells me to enable biometrics in device settings or use password login instead
  • Given biometric authentication fails due to too many failed attempts and the sensor locks, When I open the app, Then I am immediately shown the fallback login screen with a plain-language explanation
  • +3 more

Enable or Disable Biometric Authentication from Settings
Priority: high, 5 story points

As a Coordinator

I want to choose whether to enable biometric authentication and be able to turn it off if I change my mind

So that I have control over my security preferences and can accommodate personal or organizational security policies without being locked into a configuration I did not choose

Acceptance Criteria
  • Given I complete first-time login successfully, When I reach the biometric setup prompt, Then I am shown a clear explanation of what biometric login does, with options to enable or skip
  • Given I chose to skip biometric setup during onboarding, When I open the app settings later, Then I can find a 'Biometric Login' toggle and enable it at any time
  • Given I have biometric authentication enabled, When I toggle it off in settings, Then my biometric session credential is removed from secure storage immediately
  • +3 more

See a Clear Message When Biometrics Are Unavailable on My Device
Priority: high, 3 story points

As an Organization Administrator

I want to receive a clear and non-alarming message when my device does not support biometric authentication or when it is temporarily unavailable

So that I understand why biometric login is not offered and know what alternative I should use, without feeling that something is broken or that my account is compromised

Acceptance Criteria
  • Given my device has no biometric hardware, When biometric setup is attempted, Then a banner explains that biometric login is not available on this device and I am directed to use password login
  • Given my device has biometrics disabled at the OS level, When I attempt biometric login, Then a clear message tells me to enable biometrics in device settings or use password login instead
  • Given biometric authentication fails due to too many failed attempts and the sensor locks, When I open the app, Then I am immediately shown the fallback login screen with a plain-language explanation
  • +3 more

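The three "biometrics unavailable" stories above (Peer Mentor, Coordinator, Organization Administrator) all turn on the same decision: probe the device first, and translate every platform failure into one of a few plain-language outcomes that each point at the password fallback. The following is an added example, not the project's own code. It assumes local_auth 2.x (isDeviceSupported, canCheckBiometrics, getAvailableBiometrics, and the error codes exported by package:local_auth/error_codes.dart); the BiometricStatus enum, the BiometricOutcome class, the message texts and the function names are hypothetical.

```dart
// Added example, not the project's own code. Assumed: local_auth 2.x API and
// error codes. BiometricStatus, BiometricOutcome and the messages are hypothetical.
import 'package:flutter/services.dart' show PlatformException;
import 'package:local_auth/error_codes.dart' as auth_error;
import 'package:local_auth/local_auth.dart';

enum BiometricStatus {
  ready, // a prompt can be shown
  noHardware, // hide the toggle, direct to password login
  notEnrolled, // point to device settings, offer password login
  lockedOut, // too many failures: go straight to the fallback login screen
  notVerified, // cancelled or failed: keep content hidden, offer fallback
}

class BiometricOutcome {
  const BiometricOutcome(this.status, this.message);
  final BiometricStatus status;
  final String message;

  /// Every non-ready outcome surfaces the credential fallback.
  bool get offerPasswordFallback => status != BiometricStatus.ready;

  static const ready = BiometricOutcome(BiometricStatus.ready, '');
  static const noHardware = BiometricOutcome(BiometricStatus.noHardware,
      'Biometric login is not available on this device. Use your password to log in.');
  static const notEnrolled = BiometricOutcome(BiometricStatus.notEnrolled,
      'Biometrics are turned off on this device. Enable them in device settings, or use your password.');
  static const lockedOut = BiometricOutcome(BiometricStatus.lockedOut,
      'Biometric login is paused after too many attempts. Please log in with your password.');
  static const notVerified = BiometricOutcome(BiometricStatus.notVerified,
      'Biometric check not completed. You can try again or use your password.');
}

/// Probe the device before a prompt is ever shown (setup screen and resume).
Future<BiometricOutcome> checkAvailability(LocalAuthentication auth) async {
  if (!await auth.isDeviceSupported()) return BiometricOutcome.noHardware;
  final enrolled = await auth.getAvailableBiometrics();
  if (!await auth.canCheckBiometrics || enrolled.isEmpty) {
    return BiometricOutcome.notEnrolled;
  }
  return BiometricOutcome.ready;
}

/// Run the prompt and turn every failure into a non-alarming outcome, so no
/// raw platform error text ever reaches the user.
Future<BiometricOutcome> promptBiometric(
    LocalAuthentication auth, String reason) async {
  try {
    final ok = await auth.authenticate(
      localizedReason: reason,
      options: const AuthenticationOptions(biometricOnly: true, stickyAuth: true),
    );
    return ok ? BiometricOutcome.ready : BiometricOutcome.notVerified;
  } on PlatformException catch (e) {
    return mapPlatformError(e.code);
  }
}

/// Pure mapping from local_auth error codes; unit-testable without a device.
BiometricOutcome mapPlatformError(String code) {
  switch (code) {
    case auth_error.notAvailable:
    case auth_error.otherOperatingSystem:
      return BiometricOutcome.noHardware;
    case auth_error.notEnrolled:
    case auth_error.passcodeNotSet:
      return BiometricOutcome.notEnrolled;
    case auth_error.lockedOut:
    case auth_error.permanentlyLockedOut:
      return BiometricOutcome.lockedOut;
    default:
      return BiometricOutcome.notVerified;
  }
}
```

Keeping the code-to-outcome mapping as a pure function means the settings toggle, the setup prompt and the resume gate can all share it, and the lock-out case lands on the fallback login screen without the app ever having to count failures itself.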
Enable or Disable Biometric Authentication from Settings
Priority: high, 5 story points

As an Organization Administrator

I want to choose whether to enable biometric authentication and be able to turn it off if I change my mind

So that I have control over my security preferences and can accommodate personal or organizational security policies without being locked into a configuration I did not choose

Acceptance Criteria
  • Given I complete first-time login successfully, When I reach the biometric setup prompt, Then I am shown a clear explanation of what biometric login does, with options to enable or skip
  • Given I chose to skip biometric setup during onboarding, When I open the app settings later, Then I can find a 'Biometric Login' toggle and enable it at any time
  • Given I have biometric authentication enabled, When I toggle it off in settings, Then my biometric session credential is removed from secure storage immediately
  • +3 more

Authenticate with Face ID or Fingerprint After Initial Login
Priority: critical, 8 story points

As a Peer Mentor (Likeperson)

I want to use Face ID or fingerprint to unlock the app after my first BankID/Vipps login

So that I can access the app quickly without re-entering credentials every session, making it practical to log multiple short activities throughout a busy day

Acceptance Criteria
  • Given I have completed initial BankID or Vipps authentication, When I open the app in a new session, Then I am presented with a biometric prompt (Face ID or fingerprint) instead of a login form
  • Given biometric authentication is enabled, When I successfully authenticate with Face ID or fingerprint, Then I am taken directly to the role-based home screen within 2 seconds
  • Given biometric authentication is enabled, When I fail biometric authentication 3 times, Then I am offered a fallback option to use my password or re-authenticate via BankID/Vipps
  • +3 more

Have My Session Securely Persisted So I Do Not Need to Log In Every Time I Open the App
Priority: critical, 8 story points

As a Peer Mentor (Likeperson)

I want my authenticated session to be securely stored on my device so the app resumes where I left off

So that I can close and reopen the app between activities throughout the day without re-authenticating every time, supporting the low-friction registration workflow the app is designed around

Acceptance Criteria
  • Given I successfully authenticate, When the session token is stored, Then it is written to encrypted secure storage (iOS Keychain or Android Keystore), never to plain SharedPreferences or localStorage
  • Given a valid session is persisted, When I open the app after closing it, Then the session resume manager detects the token and either resumes silently or triggers biometric confirmation
  • Given a persisted session has expired, When I open the app, Then I am redirected to the login screen with a clear message that my session has ended
  • +3 more

Authenticate with Face ID or Fingerprint After Initial Login
Priority: critical, 8 story points

As a Coordinator

I want to use Face ID or fingerprint to unlock the app after my first BankID/Vipps login

So that I can access the app quickly without re-entering credentials every session, making it practical to log multiple short activities throughout a busy day

Acceptance Criteria
  • Given I have completed initial BankID or Vipps authentication, When I open the app in a new session, Then I am presented with a biometric prompt (Face ID or fingerprint) instead of a login form
  • Given biometric authentication is enabled, When I successfully authenticate with Face ID or fingerprint, Then I am taken directly to the role-based home screen within 2 seconds
  • Given biometric authentication is enabled, When I fail biometric authentication 3 times, Then I am offered a fallback option to use my password or re-authenticate via BankID/Vipps
  • +3 more

Have My Session Securely Persisted So I Do Not Need to Log In Every Time I Open the App
Priority: critical, 8 story points

As a Coordinator

I want my authenticated session to be securely stored on my device so the app resumes where I left off

So that I can close and reopen the app between activities throughout the day without re-authenticating every time, supporting the low-friction registration workflow the app is designed around

Acceptance Criteria
  • Given I successfully authenticate, When the session token is stored, Then it is written to encrypted secure storage (iOS Keychain or Android Keystore), never to plain SharedPreferences or localStorage
  • Given a valid session is persisted, When I open the app after closing it, Then the session resume manager detects the token and either resumes silently or triggers biometric confirmation
  • Given a persisted session has expired, When I open the app, Then I am redirected to the login screen with a clear message that my session has ended
  • +3 more

Authenticate with Face ID or Fingerprint After Initial Login
Priority: critical, 8 story points

As an Organization Administrator

I want to use Face ID or fingerprint to unlock the app after my first BankID/Vipps login

So that I can access the app quickly without re-entering credentials every session, making it practical to log multiple short activities throughout a busy day

Acceptance Criteria
  • Given I have completed initial BankID or Vipps authentication, When I open the app in a new session, Then I am presented with a biometric prompt (Face ID or fingerprint) instead of a login form
  • Given biometric authentication is enabled, When I successfully authenticate with Face ID or fingerprint, Then I am taken directly to the role-based home screen within 2 seconds
  • Given biometric authentication is enabled, When I fail biometric authentication 3 times, Then I am offered a fallback option to use my password or re-authenticate via BankID/Vipps
  • +3 more

Have My Session Securely Persisted So I Do Not Need to Log In Every Time I Open the App
Priority: critical, 8 story points

As an Organization Administrator

I want my authenticated session to be securely stored on my device so the app resumes where I left off

So that I can close and reopen the app between activities throughout the day without re-authenticating every time, supporting the low-friction registration workflow the app is designed around

Acceptance Criteria
  • Given I successfully authenticate, When the session token is stored, Then it is written to encrypted secure storage (iOS Keychain or Android Keystore), never to plain SharedPreferences or localStorage
  • Given a valid session is persisted, When I open the app after closing it, Then the session resume manager detects the token and either resumes silently or triggers biometric confirmation
  • Given a persisted session has expired, When I open the app, Then I am redirected to the login screen with a clear message that my session has ended
  • +3 more