High complexity · MVP · extracted · Authentication & Access Control · Confidence: 100%
Components: 6 · Shared: 43 · User Stories: 0 · Analyzed: Yes

Description

Passkeys implement the W3C WebAuthn standard, providing phishing-resistant passwordless authentication using device-bound cryptographic key pairs. A passkey is created on the user's device at enrollment and used for subsequent logins without transmitting a shared secret to the server. The feature supports both platform authenticators (device biometrics linked to iCloud Keychain or Google Password Manager for cross-device sync) and roaming hardware security keys. For Meander it represents a future-facing upgrade to the auth stack beyond the confirmed phase roadmap, eliminating password management entirely.

Sources & reasoning

No explicit phase assignment for WebAuthn/passkeys exists in the source doc. The blueprint marks it v2.0, consistent with the Phase 4 speculative tier (fourth-or-later maps to v2.0 by schema convention). The Authentication Module's portability requirement and clean extension-point design make passkeys a natural future addition, but there is no organizational demand signal in any workshop section, justifying deferral to v2.0.

No source references — this artifact was included based on reasoning alone (see above).

Analysis

Business Value

Passkeys eliminate phishing and credential stuffing risks inherent in password-based authentication, which is significant for an app handling sensitive personal data about vulnerable individuals. As Norwegian banking and government services accelerate passkey adoption, users will increasingly expect this option, and offering it positions Meander as a security-forward platform in procurement conversations with larger organizations. Long-term, passkeys reduce support costs by eliminating password reset workflows. The Authentication Module's clean extension-point design makes passkeys a natural future addition without forcing changes on existing consumers.

Implementation Notes

Server-side implementation uses a WebAuthn library (SimpleWebAuthn or WebAuthn4J) on the Node.js backend, storing credential public keys and credential IDs per user account. Flutter integration uses platform channels to the native FIDO2 APIs (iOS AuthenticationServices, Android FIDO2 Client API). The Authentication Module adds a credential registration endpoint and an assertion verification endpoint alongside the existing password flow. The relying party ID must match the app's registered domain and Apple App Site Association / Android Asset Links for cross-device sync via iCloud Keychain and Google Password Manager. Existing accounts can enroll passkeys as an additional authenticator without disrupting current sessions.

Components (49)

- User Interface (2)
- Service Layer (1)
- Data Layer (1)
- Infrastructure (2)
- Shared Components: reused across multiple features

User Stories

No user stories have been generated for this feature yet.