story-bankid-vipps-authentication-organization-administrator-004
Story Points: 5
Priority: High
Feature: BankID & Vipps Authentication

User Story

As a user
I want to unlock the app using my Face ID or fingerprint on subsequent sessions
So that I can access the app instantly without repeating the full BankID or Vipps authentication flow each time

Acceptance Criteria

  • Given a returning user with biometrics enrolled, when the app launches or returns from background after a timeout, then the biometric prompt is shown immediately without requiring the user to navigate to a login screen
  • Given a user who passes the biometric challenge, when the stored session token is retrieved from Secure Storage, then the app navigates to the appropriate home screen within 2 seconds of biometric confirmation
  • Given a user with an expired session token but valid refresh token, when biometrics succeed and session restoration is attempted, then the session is silently refreshed and the user is logged in without any visible interruption
  • Given a user who has a fully expired or invalid session (e.g., after password change), when biometric authentication succeeds but session restoration fails, then the app redirects to the BankID/Vipps selection screen with an explanation that re-authentication is required
  • Given three consecutive failed biometric attempts, when the system reports biometric lockout, then the app falls back to the BankID/Vipps selection screen automatically
  • Given a user who cancels the biometric prompt, when they dismiss the dialog, then a 'Use BankID or Vipps instead' option is presented below the biometric prompt
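
The decision logic these criteria imply, as an added example that is not part of the original story or the project's code. It is a language-neutral model in Python; the enum names, the record fields (access_exp, refresh_exp, refresh_token) and the fake_backend helper are assumptions made for illustration.

```python
from enum import Enum

class Biometric(Enum):
    SUCCESS = 1
    CANCELLED = 2
    LOCKED_OUT = 3      # OS reports lockout after repeated failed attempts

class Screen(Enum):
    HOME = 1
    OFFER_PROVIDER_OPTION = 2   # 'Use BankID or Vipps instead'
    PROVIDER_SELECTION = 3      # BankID/Vipps selection screen
    REAUTH_REQUIRED = 4         # selection screen plus explanation

class RefreshRejected(Exception):
    """Backend refused the refresh token (for example, revoked)."""

def restore_session(biometric, stored, now, refresh):
    """Return (screen, session). `stored` is the Secure Storage record or None;
    `refresh` exchanges a refresh token for a new record or raises RefreshRejected."""
    if biometric is Biometric.LOCKED_OUT:
        return Screen.PROVIDER_SELECTION, None
    if biometric is Biometric.CANCELLED:
        return Screen.OFFER_PROVIDER_OPTION, None
    # Biometric success only releases the stored tokens; token validity,
    # not the biometric result, decides whether a session exists.
    if stored is None:
        return Screen.REAUTH_REQUIRED, None
    if stored["access_exp"] > now:
        return Screen.HOME, stored
    if stored["refresh_exp"] > now:
        try:
            return Screen.HOME, refresh(stored["refresh_token"])  # silent refresh
        except RefreshRejected:
            pass  # fail closed: fall through to re-authentication
    return Screen.REAUTH_REQUIRED, None

def fake_backend(revoked):
    """Constructed stand-in for the token endpoint (assumption, not a real API)."""
    def refresh(token):
        if token in revoked:
            raise RefreshRejected(token)
        return {"access_exp": 4600, "refresh_exp": 90000, "refresh_token": token + "-next"}
    return refresh

if __name__ == "__main__":
    expired = {"access_exp": 900, "refresh_exp": 5000, "refresh_token": "rt-1"}  # constructed
    print(restore_session(Biometric.SUCCESS, expired, 1000, fake_backend(set())))
    print(restore_session(Biometric.SUCCESS, expired, 1000, fake_backend({"rt-1"})))
```

A locally unexpired access token can still be revoked server-side, so a rejected first API call should route to the same re-authentication branch.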

Business Value

Daily re-authentication is the most frequent interaction users have with the authentication system. Reducing the friction from a 15-30 second external provider flow to a sub-second biometric scan is the primary driver of daily engagement for peer mentors who open the app several times per day. This feature directly addresses the underreporting problem identified in all three workshops by making the app feel as fast and native as a banking app.