Biometric Authentication and Passkeys in React Native: UX and Threat Models

John Hambardzumian · Full Stack & Mobile Developer | Node.js, React Native, PHP, Laravel | 7+ Years Building Scalable Web & Mobile Apps · Apr 11, 2026 · 5 min read

Password-only authentication is insufficient for high-value accounts. Mobile platforms expose biometric APIs backed by secure enclaves and hardware keystore modules. Passkeys—FIDO2 WebAuthn credentials—are increasingly first-class on iOS and Android, enabling phishing-resistant sign-in when paired with correct relying party configuration.



Platform integration patterns


Use maintained libraries wrapping LocalAuthentication and BiometricPrompt. Never store raw secrets in JavaScript; persist wrapped keys in Keychain or Android Keystore with biometric-bound access controls where supported.



User experience and fallbacks


Offer device PIN or password fallbacks when biometrics are unavailable or enrollment changes. Communicate clearly when step-up authentication is required for sensitive transactions—regulators often expect strong customer authentication (SCA) for payments.



Threat modeling


A biometric check authenticates device possession and user presence; by itself it does not authorize calls to remote APIs. Combine it with server-side risk engines, device binding, and rate limits. Understand the jailbreak and root caveats, and treat client signals as advisory.
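
A sketch of the device-binding point above, as an added example that is not code from the original article: the server ignores any client-reported "biometric passed" flag and accepts only a signature over a single-use, action-bound challenge, checked against the public key registered for that device. This is a simplified challenge-response, not the WebAuthn protocol; every function and variable name is hypothetical, and `deviceSign` is a constructed stand-in for a key that would live in Keychain or Android Keystore.

```javascript
// Added example (not from the original article); all names are hypothetical.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60_000;
const deviceKeys = new Map(); // userId -> public key registered at enrollment
const pending = new Map();    // challengeId -> { userId, action, nonce, expires }

function registerDevice(userId, publicKeyPem) {
  deviceKeys.set(userId, crypto.createPublicKey(publicKeyPem));
}

// Server issues a random, short-lived challenge tied to one user and one action.
function issueChallenge(userId, action, now = Date.now()) {
  const id = crypto.randomUUID();
  const nonce = crypto.randomBytes(32);
  pending.set(id, { userId, action, nonce, expires: now + CHALLENGE_TTL_MS });
  return { id, nonce: nonce.toString('base64') };
}

// Signed bytes: nonce plus action, so a signature is useless for another request.
function payload(nonce, action) {
  return Buffer.concat([nonce, Buffer.from(action, 'utf8')]);
}

// The server accepts only a valid signature, never a client-side boolean.
function verifyStepUp(userId, id, action, signatureB64, now = Date.now()) {
  const entry = pending.get(id);
  pending.delete(id); // single use: consumed on first attempt, pass or fail
  if (!entry || entry.userId !== userId || entry.action !== action) return false;
  if (now > entry.expires) return false;
  const key = deviceKeys.get(userId);
  if (!key) return false;
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify('sha256', payload(entry.nonce, action), key, sig);
}

// Constructed stand-in for the device: in a real app the private key stays in
// Keychain / Android Keystore and signing is released by the biometric prompt.
function deviceSign(privateKey, nonceB64, action) {
  const data = payload(Buffer.from(nonceB64, 'base64'), action);
  return crypto.sign('sha256', data, privateKey).toString('base64');
}

// Constructed demo data: one enrolled device (P-256 key) and one transfer request.
const device = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
registerDevice('alice', device.publicKey.export({ type: 'spki', format: 'pem' }));
const challenge = issueChallenge('alice', 'transfer:100');
const signature = deviceSign(device.privateKey, challenge.nonce, 'transfer:100');
console.log(verifyStepUp('alice', challenge.id, 'transfer:100', signature)); // true
console.log(verifyStepUp('alice', challenge.id, 'transfer:100', signature)); // false (replay)
```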



Accessibility


Provide alternatives for users who cannot use biometrics. Ensure VoiceOver and TalkBack paths remain coherent through fallback screens.



Takeaways


Authentication UX is a product surface with compliance implications. Coordinate with identity providers early when adopting passkeys across web and native clients.
