Be Prompted to Re-Authenticate When My Session Becomes Sensitive
Not all app actions carry the same sensitivity. Registering a 30-minute activity is low-risk; accessing an encrypted contact assignment with personal health details is high-risk. The biometric prompt overlay should be triggerable on a per-action basis for elevated-sensitivity operations, rather than only at app launch. This step-up authentication pattern is especially important for Blindeforbundet's encrypted contact assignment workflows and NHF's sensitive field display requirements. The biometric prompt must be dismissible with a fallback to password for accessibility.
User Story
Acceptance Criteria
- Given I am in an active session and navigate to a screen that displays encrypted personal data, When the screen loads, Then a biometric prompt overlay is displayed before the sensitive content is revealed
- Given the biometric step-up prompt is shown, When I authenticate successfully, Then the sensitive content is decrypted and displayed immediately
- Given the biometric step-up prompt is shown, When I cancel or fail biometric authentication, Then the sensitive content remains hidden and I am offered a password fallback or navigation back
- Given I am using a screen reader, When the biometric step-up prompt appears, Then the prompt is announced with appropriate semantics and focus is managed correctly
- Given biometric step-up is triggered, When I complete authentication, Then the step-up result is cached for the current screen session so I am not re-prompted within the same navigation context
- Given biometric hardware is unavailable, When a sensitive screen is accessed, Then I am prompted to enter my password as the step-up authentication method instead
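One way to model the acceptance criteria above as a small state machine, shown as an added example that is not the project's own code. `StepUpGate`, the event names and the context id are hypothetical, and the platform biometric and password prompts are represented as events fed in by the UI layer.

```typescript
// Added example. All names are hypothetical; platform prompts are modelled as events.
type Method = "biometric" | "password";
type GateEvent =
  | { type: "open"; biometricAvailable: boolean }   // sensitive screen loads
  | { type: "result"; method: Method; ok: boolean } // prompt ended (ok=false: cancel or failure)
  | { type: "usePassword" }                         // user picks the password fallback
  | { type: "leave" };                              // screen leaves the navigation context
type View =
  | { content: "revealed" }
  | { content: "hidden"; prompt: Method }
  | { content: "hidden"; offer: readonly ["password", "back"] };

const OFFER = ["password", "back"] as const;

class StepUpGate {
  // Navigation-context ids that already passed step-up; memory only, never persisted.
  private verified = new Set<string>();
  // The prompt currently raised for each context, so stray results are rejected.
  private pending = new Map<string, Method>();

  handle(contextId: string, ev: GateEvent): View {
    switch (ev.type) {
      case "open":
        if (this.verified.has(contextId)) return { content: "revealed" };
        // No biometric hardware: password becomes the step-up method.
        return this.ask(contextId, ev.biometricAvailable ? "biometric" : "password");
      case "usePassword":
        return this.ask(contextId, "password");
      case "result": {
        const expected = this.pending.get(contextId);
        this.pending.delete(contextId);
        if (ev.ok && expected === ev.method) {
          this.verified.add(contextId); // cached for this context only
          return { content: "revealed" };
        }
        return { content: "hidden", offer: OFFER }; // fail closed
      }
      case "leave":
        this.verified.delete(contextId);
        this.pending.delete(contextId);
        return { content: "hidden", offer: OFFER };
    }
  }

  private ask(contextId: string, method: Method): View {
    this.pending.set(contextId, method);
    return { content: "hidden", prompt: method };
  }
}
```

The cache is keyed by navigation context and cleared on `leave`, so returning to the screen later triggers a fresh prompt.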
Business Value
Blindeforbundet's encrypted contact assignment feature requires sending sensitive personal information (names, addresses, health summaries) to peer mentors. NHF requires a warning when sensitive fields are read aloud by screen readers. Step-up biometric authentication satisfies these data protection requirements without forcing full logout and re-login, preserving the low-friction user experience. This also supports future GDPR compliance for sensitive data access logging.
Components
- Biometric Prompt Overlay (ui)
- Biometric Authentication Service (service)
- Local Auth Integration (infrastructure)
- Encrypted Field Display Widget (ui)
- Field Encryption Utilities (infrastructure)
- Sensitive Field Warning Dialog (ui)
- Sensitive Field Privacy Guard (service)
- Live Region Announcer (ui)