Authentication Methods (Passkeys)
Feature Detail
Description
Authentication Methods (Passkeys) gives users the ability to register, manage, and remove WebAuthn passkeys as an alternative or supplementary authentication credential. The Passkey Settings Screen, accessible from Profile Management, lists all registered passkeys with their creation date, device name, and last-used timestamp. Users can register new passkeys using the device's biometric sensor or hardware security key, and remove existing passkeys that belong to lost or replaced devices. The Passkey Service communicates with the Authentication Module's WebAuthn endpoints to perform registration and assertion ceremonies per the FIDO2 specification. Passkeys complement - but do not replace - the existing biometric session unlock (Face ID / fingerprint), which is a local re-authentication shortcut. Passkeys enable full cross-device sign-in without a password, which is especially valuable for users who struggle with password management due to cognitive or motor impairments.
Analysis
Password fatigue and password reset flows are disproportionately burdensome for the user base this platform serves - particularly older users, users with cognitive impairments, and users with motor difficulties who find typing long passwords on a small screen challenging. Passkeys eliminate the password entirely for sign-in after initial registration, reducing support load on coordinators who currently assist peers with forgotten credentials. From a security standpoint, passkeys are phishing-resistant by design: the credential is cryptographically bound to the relying party origin and never transmitted over the network. This directly supports the platform's encryption and data sensitivity requirements flagged by Blindeforbundet. For NHF users with stroke-related cognitive challenges, removing the password step and replacing it with a single biometric gesture measurably lowers the cognitive load of daily app access, aligning with the platform's core design principle of minimum cognitive burden.
The Passkey Service uses Flutter's local_auth and a custom WebAuthn bridge (platform channel) to invoke the iOS ASAuthorizationController and Android CredentialManager APIs for registration and assertion. The Authentication Module exposes two pairs of WebAuthn endpoints: POST /api/v1/auth/passkeys/register/begin and POST /api/v1/auth/passkeys/register/complete (registration ceremony), and POST /api/v1/auth/passkeys/authenticate/begin and POST /api/v1/auth/passkeys/authenticate/complete (assertion ceremony), following the WebAuthn Level 2 specification. Passkey metadata (credential ID, public key, AAGUID, device name derived from user-agent, last-used timestamp) is stored server-side in a passkey_credentials table owned by the Authentication Module, not the product tables. The Passkey Settings Screen fetches this list via GET /api/v1/auth/passkeys and renders each entry with a remove button that calls DELETE /api/v1/auth/passkeys/{credentialId} with re-authentication confirmation. At least one active credential (password or passkey) must remain; the service blocks removal of the last credential. Synced passkeys (iCloud Keychain, Google Password Manager) are supported via the platform authenticator; roaming authenticators (hardware keys) are optional scope for v1.1.
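The origin binding described above is enforced server-side when the assertion ceremony completes. The following is an added example, not the platform's own code, of the checks that precede signature verification on authenticate/complete. The names RP_ID, ALLOWED_ORIGINS, check_assertion and constructed_sample, the example.org values, and the policy of requiring user verification are assumptions.

```python
import base64, hashlib, hmac, json

RP_ID = "app.example.org"                      # assumed relying party ID
ALLOWED_ORIGINS = {"https://app.example.org"}  # assumed allow-list of origins

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> int:
    """Validate clientDataJSON and authenticator data; return the new counter.
    The signature over authData || SHA-256(clientDataJSON) must still be verified."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # The challenge must be the single-use value issued by authenticate/begin
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError("origin not allowed")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = int.from_bytes(auth_data[33:37], "big")
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if not flags & 0x04:  # assumed policy: a biometric or PIN gesture is required
        raise ValueError("user verification flag not set")
    # Synced passkeys commonly report 0, so enforce only if either side is non-zero
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return sign_count

def constructed_sample(origin: str, challenge: bytes, count: int = 0):
    """Build constructed (not captured) clientDataJSON and authenticator data."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + count.to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server issues a random value
    cd, ad = constructed_sample("https://app.example.org", challenge)
    print("accepted, counter =", check_assertion(cd, ad, challenge, 0))
```

An assertion produced on a look-alike origin fails the origin check even when the challenge and authenticator data are otherwise valid.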
Components (43)
Shared Components
These components are reused across multiple features
User Interface (9)
Service Layer (15)
Data Layer (8)
Infrastructure (7)
User Stories
No user stories have been generated for this feature yet.