Secure Token Store
Component Detail
Data Layer
medium complexity
mobile
Dependencies: 0
Dependents: 0
Entities: 0
Integrations: 0
Description
Encrypted on-device storage that holds the refresh token behind the device's biometric-protected keystore. Uses iOS Keychain and Android Keystore with biometric access control flags so the token can only be read after a successful biometric match.
secure-token-store
Sources & reasoning
Biometric session unlock is listed under Mobile App Architecture as a core auth capability, not deferred. It is implicit in the MVP scope alongside email/password (which is named MVP), and §1.1's lowest-cognitive-load principle treats it as table stakes. Target_release 'MVP' matches §5 Fase 1 phase name.
- docs/source/likeperson.md · line 26: BankID or Vipps as the preferred authentication at first-time login, with biometric login (Face ID / fingerprint) afterwards
- docs/source/likeperson.md · line 211: Biometric session authentication (Face ID / fingerprint)
- docs/source/likeperson.md · line 205: Biometric session unlock (Face ID / fingerprint) after first login.
Responsibilities
- Persist refresh tokens in iOS Keychain or Android Keystore
- Bind token access to biometric authentication via OS-level access control
- Wipe stored tokens when biometrics are disabled or the user signs out
- Detect and invalidate tokens when device biometric enrollment changes
- Expose a minimal read/write API to the Biometric Service only
Interfaces
storeRefreshToken(userId, token): void
retrieveRefreshToken(userId): string
clearTokens(userId): void
invalidateOnBiometryChange(): void
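
An added sketch of the iOS side of these interfaces, not code from this project: it stores the token as a Keychain item whose access control requires the currently enrolled biometrics. The type name `SecureTokenStore`, the error enum and the service string are assumptions. With `.biometryCurrentSet` the OS itself stops releasing the item once enrollment changes, which is the behaviour `invalidateOnBiometryChange()` is responsible for.

```swift
import Foundation
import Security

// Hypothetical names throughout; only the Security framework calls are real APIs.
enum TokenStoreError: Error { case accessControl, noReadableToken, keychain(OSStatus) }

struct SecureTokenStore {
    private let service = "example.secure-token-store" // assumed service identifier

    private func baseQuery(_ userId: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: userId]
    }

    func storeRefreshToken(userId: String, token: String) throws {
        // .biometryCurrentSet ties the item to the biometrics enrolled right now.
        // ...WhenPasscodeSetThisDeviceOnly keeps it off backups and other devices.
        guard let acl = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet, nil) else { throw TokenStoreError.accessControl }
        SecItemDelete(baseQuery(userId) as CFDictionary) // drop any previous token
        var attrs = baseQuery(userId)
        attrs[kSecAttrAccessControl as String] = acl
        attrs[kSecValueData as String] = Data(token.utf8)
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw TokenStoreError.keychain(status) }
    }

    func retrieveRefreshToken(userId: String) throws -> String {
        var query = baseQuery(userId)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        // Reading the item makes the OS show the biometric prompt.
        let status = SecItemCopyMatching(query as CFDictionary, &out)
        // Nothing readable (never stored, cleared, or no longer released by the OS):
        // the caller falls back to a full login.
        if status == errSecItemNotFound { throw TokenStoreError.noReadableToken }
        guard status == errSecSuccess, let data = out as? Data,
              let token = String(data: data, encoding: .utf8)
        else { throw TokenStoreError.keychain(status) }
        return token
    }

    func clearTokens(userId: String) throws {
        // Deleting needs no biometric match, so sign-out always succeeds.
        let status = SecItemDelete(baseQuery(userId) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound
        else { throw TokenStoreError.keychain(status) }
    }
}
```

Any error from `retrieveRefreshToken` should be handled by discarding the session and requiring the first-login flow again, never by retrying with a weaker access policy.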