story-biometric-session-authentication-coordinator-002

Priority: High
Story Points: 5
Feature: Biometric Session Authentication

User Story

As a Coordinator
I want to choose whether to enable biometric authentication and be able to turn it off if I change my mind
So that I have control over my security preferences and can accommodate personal or organizational security policies without being locked into a configuration I did not choose

Acceptance Criteria

  • Given I complete first-time login successfully, When I reach the biometric setup prompt, Then I am shown a clear explanation of what biometric login does, with options to enable or skip
  • Given I chose to skip biometric setup during onboarding, When I open the app settings later, Then I can find a 'Biometric Login' toggle and enable it at any time
  • Given I have biometric authentication enabled, When I toggle it off in settings, Then my biometric session credential is removed from secure storage immediately
  • Given I have disabled biometric auth, When I next open the app, Then I am required to authenticate via password or BankID/Vipps
  • Given I toggle biometric auth on in settings, When the system biometric prompt appears to confirm setup, Then successfully enrolling stores my session credential in secure storage
  • Given biometric auth setup, When I view the settings screen, Then the toggle clearly reflects the current enabled/disabled state

Business Value

User control over security settings is an accessibility and trust requirement. Peer mentors working with vulnerable populations may share devices in family settings or have organizational security requirements. Providing a clear opt-in/opt-out mechanism builds trust, satisfies WCAG 2.2 AA user control principles, and prevents support escalations caused by biometric configurations users do not understand or want.