Enable Biometric Login After Initial BankID/Vipps Authentication
After successfully authenticating via BankID or Vipps for the first time, the app presents an option to enable biometric authentication (Face ID or fingerprint/Touch ID) for future logins. The biometric auth service uses the device's local authentication framework to verify the user, with the auth session token stored securely. On subsequent app launches, the user is authenticated via biometrics rather than going through the full BankID or Vipps flow again. If biometrics fail or are unavailable, the user can fall back to the full BankID/Vipps flow.
User Story
Acceptance Criteria
- Given I have just completed BankID or Vipps login for the first time, When authentication succeeds, Then I am offered the option to enable biometric login with a clear explanation
- Given I opt in to biometric login, When I confirm, Then the biometric auth service registers my biometric preference and stores my session token securely
- Given biometric login is enabled, When I open the app on subsequent sessions, Then the biometric prompt overlay is shown immediately instead of the auth method selector
- Given I authenticate with Face ID or fingerprint, When biometric verification succeeds, Then my session is restored and I am taken to the role-based home screen
- Given biometric authentication fails three consecutive times, When the threshold is exceeded, Then I am shown a fallback option to re-authenticate via BankID or Vipps
- Given my device does not support biometrics, When the setup step is reached, Then the biometric unavailable banner is shown and the option is gracefully skipped
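The acceptance criteria above can be read as a small state machine. The following is an added example, not the project's own code: a language-neutral model in Python in which `BiometricGate`, `Screen` and all method names are hypothetical, `stored_token` stands in for secure session storage, and keeping the failure counter and the fallback state across launches until a full BankID/Vipps login is an assumption the page does not state.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

MAX_CONSECUTIVE_FAILURES = 3  # threshold from the acceptance criteria


class Screen(Enum):
    AUTH_METHOD_SELECTOR = "auth method selector (full BankID/Vipps flow)"
    BIOMETRIC_PROMPT = "biometric prompt overlay"
    FALLBACK_OPTION = "fallback: re-authenticate via BankID or Vipps"
    HOME = "role-based home screen"


@dataclass
class BiometricGate:
    """Hypothetical model; stored_token stands in for secure session storage."""
    device_supports_biometrics: bool
    biometric_enabled: bool = False
    stored_token: Optional[str] = None
    failures: int = 0

    def complete_full_login(self, token: str, opt_in: bool) -> bool:
        """Call after a successful BankID/Vipps login; True if biometrics are enabled."""
        self.failures = 0
        if not (self.device_supports_biometrics and opt_in):
            # Unsupported device (unavailable banner) or user declined: keep no token.
            self.biometric_enabled, self.stored_token = False, None
            return False
        self.biometric_enabled, self.stored_token = True, token
        return True

    def on_launch(self) -> Screen:
        usable = (self.biometric_enabled and self.device_supports_biometrics
                  and self.stored_token is not None)
        if not usable:
            return Screen.AUTH_METHOD_SELECTOR
        # Assumption: once the threshold is hit, only a full login unlocks the gate.
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            return Screen.FALLBACK_OPTION
        return Screen.BIOMETRIC_PROMPT

    def on_biometric_result(self, verified: bool) -> Tuple[Screen, Optional[str]]:
        """Return the next screen and the token, released only on verified success."""
        screen = self.on_launch()
        if screen is not Screen.BIOMETRIC_PROMPT:
            return screen, None
        if verified:
            self.failures = 0  # "consecutive": any success resets the counter
            return Screen.HOME, self.stored_token
        self.failures += 1
        return self.on_launch(), None
```

The token is returned from exactly one branch, so any path that skips biometric verification (unsupported device, not opted in, threshold reached) can only lead back to BankID or Vipps.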
Business Value
All three partner organizations explicitly requested biometric login as the expected post-initial-login experience. For a volunteer app used primarily on mobile, requiring full BankID or Vipps authentication on every session would cause severe friction and abandonment. Biometric login after verified initial authentication strikes the right balance: strong identity assurance at first login, then rapid frictionless access on returning sessions — matching the UX pattern of Norwegian banking apps users already know.
Components
- Biometric Authentication Screen (ui)
- Biometric Authentication Service (service)
- Biometric Prompt Overlay (ui)
- Biometric Unavailable Banner (ui)
- Session Resume Manager (service)
- Secure Session Storage (data)
- Local Auth Integration (infrastructure)
- Supabase Session Manager (infrastructure)
- Auth Token Store (data)
- Secure Storage Adapter (infrastructure)
Dependencies
- Authenticate Using BankID (critical)
- Authenticate Using Vipps (critical)