flutter_local_auth (iOS LocalAuthentication / Android BiometricPrompt)
Third Party Library Integration by Flutter Community / Google
Description
The flutter_local_auth package wraps iOS LocalAuthentication and Android BiometricPrompt APIs to provide Face ID, Touch ID, and fingerprint re-authentication after initial BankID or Vipps Login. This eliminates the need for full OAuth re-authentication on every app launch, satisfying the requirement for frictionless re-entry while maintaining strong identity assurance.
Detailed Analysis
The flutter_local_auth integration eliminates the single biggest friction point in repeated app usage: requiring users to complete a full BankID or Vipps Login flow every time they open the application. By enabling Face ID, Touch ID, and fingerprint re-authentication for returning sessions, the platform delivers the secure-yet-effortless experience that users expect from modern mobile applications — comparable to banking apps and other high-assurance Norwegian digital services. This directly supports user retention and daily engagement metrics, particularly for peer mentors who open the app multiple times daily to log activities. Critically, biometric data never leaves the device — the OS Secure Enclave or Trusted Execution Environment handles all biometric matching and returns only a boolean result — meaning there is zero biometric data liability for the organisations.
This is a free open-source package with no licensing cost, making it the highest-value authentication enhancement available. The only cost is development and physical device testing time across the iOS and Android device matrix.
flutter_local_auth is a Flutter Community package wrapping iOS LocalAuthentication and Android BiometricPrompt, requiring no external API contracts or merchant agreements — making it one of the simpler integrations to initiate. However, testing is device-intensive: Face ID requires physical iPhone hardware, Touch ID requires specific iPhone/iPad models, and fingerprint testing requires physical Android devices with enrolled biometrics.
Six components depend on this integration: biometric auth screen (019), biometric auth service (023), local auth integration (036), biometric prompt overlay (032), biometric unavailable banner (033), and session resume manager (034). Platform-specific configuration is required: NSFaceIDUsageDescription must be added to iOS Info.plist, and USE_BIOMETRIC / USE_FINGERPRINT permissions must be declared in the Android Manifest before App Store / Play Store submission. The biometric unavailable banner (033) must be tested against users without enrolled biometrics, and the three-failure fallback to BankID/Vipps must be validated end-to-end. No external monitoring alerts are required — this integration is entirely device-local and offline-capable.
flutter_local_auth ^2.1.0 wraps iOS LocalAuthentication (iOS 8+ for Touch ID, iOS 11+ for Face ID) and Android BiometricPrompt (Android 6.0+ with enrolled biometric) via SDK integration — no network calls, no external API endpoints. The integration is inbound-only: the app receives a boolean pass/fail result from the OS; biometric templates never leave the device Secure Enclave or TEE. Configuration requires NSFaceIDUsageDescription in Info.plist and biometric permissions in AndroidManifest.xml; no environment variables are needed. Component flow: session resume manager (034) → biometric auth service (023) → local auth integration (036) → biometric auth screen (019) / biometric prompt overlay (032).
Error handling covers three scenarios: biometric unavailable (show BiometricUnavailableBanner component 033), three consecutive failures (fall back to full BankID or Vipps re-authentication), and biometric hardware failure (device PIN fallback — biometricOnly mode is disabled for accessibility). OS-enforced lockout activates after 5 failed attempts. Latency target is under 1 second for biometric verification. Availability is device-local and fully offline — no health checks required.
This integration must never be used as sole authentication for first login; it always operates paired with prior BankID or Vipps network identity verification.
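The error-handling and first-login rules above, written as session-resume policy logic in Dart. This is an added example, not code from the project or the package: all type and function names are hypothetical, and it assumes the plugin call is wrapped in an injected function that reports passed, failed or unavailable.

```dart
// Added example; every name here is hypothetical. The OS prompt is injected
// as a function so the policy runs as plain Dart, without Flutter or a device.
enum PromptResult { passed, failed, unavailable }
enum ResumeOutcome { resumeSession, showUnavailableBanner, requireFullLogin }

typedef Prompt = Future<PromptResult> Function();

class SessionResumePolicy {
  SessionResumePolicy({required this.prompt, this.maxFailures = 3});
  // Wraps the plugin call. With biometricOnly disabled, a device PIN entered
  // after a hardware failure is assumed to surface here as `passed`.
  final Prompt prompt;
  final int maxFailures;

  Future<ResumeOutcome> resume({required bool hasVerifiedIdentity}) async {
    // No prior BankID/Vipps verification: biometrics must not be offered.
    if (!hasVerifiedIdentity) return ResumeOutcome.requireFullLogin;
    var failures = 0;
    while (failures < maxFailures) {
      switch (await prompt()) {
        case PromptResult.passed:
          return ResumeOutcome.resumeSession;
        case PromptResult.unavailable:
          return ResumeOutcome.showUnavailableBanner; // component 033
        case PromptResult.failed:
          failures++;
          break;
      }
    }
    return ResumeOutcome.requireFullLogin; // three consecutive failures
  }
}

Future<void> main() async {
  // Constructed inputs: a scripted prompt stands in for the device.
  Prompt scripted(List<PromptResult> r) {
    var i = 0;
    return () async => r[i++];
  }
  final cases = <String, List<PromptResult>>{
    'pass on second try': [PromptResult.failed, PromptResult.passed],
    'three failures': List.filled(3, PromptResult.failed),
    'not enrolled': [PromptResult.unavailable],
  };
  for (final c in cases.entries) {
    final policy = SessionResumePolicy(prompt: scripted(c.value));
    print('${c.key}: ${await policy.resume(hasVerifiedIdentity: true)}');
  }
  final first = SessionResumePolicy(prompt: scripted([PromptResult.passed]));
  print('first login: ${await first.resume(hasVerifiedIdentity: false)}');
}
```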
Authentication
| Type | Certificate |
| Requirements | Device biometric enrollment (Face ID or fingerprint), NSFaceIDUsageDescription in iOS Info.plist, USE_BIOMETRIC and USE_FINGERPRINT permissions in Android Manifest |
| Scopes | local device authentication only — no network credentials transmitted |
Performance
| Latency | < 1s for biometric verification |
| Availability | Device-local — available offline |
Cost Implications
| Pricing Model | Free open-source package |