> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Mobile App Security — Biometric, PIN, Session Lock — Integration


**Feature ID:** PF-79\
**Status:** ✅ Phase 1 & 2 Complete\
**Spec:** [PF-79-mobile-app-security-biometric-pin-session-lock.md](../../../specs/pf/specs/PF-79-mobile-app-security-biometric-pin-session-lock.md)\
**Last Updated:** 2026-03-13

***

## Overview

PF-79 adds an optional app lock (session lock on background or inactivity), an app PIN, and device biometric unlock (Face ID / Touch ID) for the PWA and mobile clients. It integrates with the existing platform auth and session management and introduces no new event or API contracts: the lock is a local UI gate placed in front of an already-authenticated session, not a second authentication to the server. Phase 3 adds WebAuthn enrollment and verification as an MFA method alongside TOTP.

***

## Phase Summary

| Phase   | Scope                                              | Status         |
| ------- | -------------------------------------------------- | -------------- |
| Phase 1 | Client-side PIN + session lock                     | ✅ Complete     |
| Phase 2 | Device biometric (WebAuthn platform authenticator) | ✅ Complete     |
| Phase 3 | WebAuthn MFA enrollment alongside TOTP             | 🔲 Not started |

***

## Integration Points (from Spec)

| Dependency                                   | Pattern            | Purpose                                                                                                                                             |
| -------------------------------------------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| PF-49 (Session Management & Device Tracking) | Platform / Context | Session list and device context unchanged; lock is a local UI gate; "Lock and Sign Out" clears tokens when user chooses.                            |
| Auth.tsx / MfaChallenge / MfaEnrollment      | Platform (auth UI) | Lock screen sits in front of authenticated app; after unlock, existing session is used. Phase 3 adds WebAuthn to MFA enrollment and challenge flow. |
| Supabase Auth                                | Config / API       | WebAuthn must be enabled in Supabase (Dashboard) for Phase 3; no change to existing TOTP flow.                                                      |

***

## Platform Layer Usage

* **Auth:** The lock screen component is rendered by the app shell when a lock policy is active; it uses the existing `useCurrentUser` hook and the Supabase session. No new auth APIs.
* **Biometric (Phase 2):** Uses the WebAuthn platform authenticator as a local unlock gate. Client-only, with no server round-trip, so the server never sees or verifies the assertion; the gate guards the UI in front of the existing session and does not replace it. The credential reference kept in sessionStorage is the credential ID, a public identifier rather than a secret.
* **Settings (Phase 1.5/2.5):** Optional org-level policy (`require_app_lock_mobile`, `app_lock_timeout_minutes`) stored in `pf_module_settings`; the mobile client fetches and applies it. RLS and migration follow the constitution when implemented.
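The Phase 2 biometric gate, as an added example that is not PF-79 project code: the WebAuthn options a client-only gate should use (platform attachment, user verification required, no attestation), enrollment that keeps only the credential ID in sessionStorage, and the local checks a gate can make on the returned assertion without any server. `RP_ID`, `ORIGIN`, the relying-party name, the storage key and the flag-check policy are assumptions; only the use of a platform authenticator and of sessionStorage comes from the page.

```javascript
// Added example (not PF-79 project code). RP_ID, ORIGIN, the RP name and STORAGE_KEY are assumptions.
const RP_ID = "app.example.test";
const ORIGIN = "https://app.example.test";
const STORAGE_KEY = "pf79.biometric.credentialId";
const FLAG_UP = 0x01; // authenticator data flags byte: user present
const FLAG_UV = 0x04; // user verified: biometric or device PIN was actually performed

function toBase64Url(bytes) {
  let bin = "";
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

/** Fresh 32-byte challenge per ceremony, even with no server: a replayed assertion then fails the local check. */
function randomChallenge() {
  return globalThis.crypto.getRandomValues(new Uint8Array(32));
}

/** Enrollment: platform authenticator only, UV mandatory, attestation "none" because nothing would verify it. */
function buildEnrollmentOptions(challenge, userId, userName) {
  return {
    publicKey: {
      challenge,
      rp: { id: RP_ID, name: "Encore Mobile" },
      user: { id: new TextEncoder().encode(userId), name: userName, displayName: userName },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
      authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "required", residentKey: "discouraged" },
      timeout: 60000,
      attestation: "none",
    },
  };
}

/** Unlock: only the enrolled credential is acceptable, and user verification is required again. */
function buildUnlockOptions(challenge, credentialId) {
  return {
    publicKey: {
      challenge,
      rpId: RP_ID,
      allowCredentials: [{ type: "public-key", id: fromBase64Url(credentialId), transports: ["internal"] }],
      userVerification: "required",
      timeout: 60000,
    },
  };
}

/** Local checks on an assertion. No signature verification: this gate stores no public key. */
function checkLocalAssertion(assertion, expected) {
  if (assertion.id !== expected.credentialId) return { ok: false, reason: "unknown-credential" };
  const clientData = JSON.parse(new TextDecoder().decode(assertion.response.clientDataJSON));
  if (clientData.type !== "webauthn.get") return { ok: false, reason: "wrong-ceremony" };
  if (clientData.challenge !== toBase64Url(expected.challenge)) return { ok: false, reason: "challenge-mismatch" };
  if (clientData.origin !== expected.origin) return { ok: false, reason: "origin-mismatch" };
  const authData = new Uint8Array(assertion.response.authenticatorData);
  if (authData.length < 37) return { ok: false, reason: "short-authenticator-data" };
  const flags = authData[32]; // bytes 0..31 are the rpIdHash, byte 32 the flags
  if (!(flags & FLAG_UP)) return { ok: false, reason: "no-user-presence" };
  if (!(flags & FLAG_UV)) return { ok: false, reason: "no-user-verification" };
  return { ok: true, reason: "ok" };
}

/** Browser side: enroll and keep only the credential ID (a public reference) in sessionStorage. */
async function enrollBiometric(userId, userName) {
  const cred = await navigator.credentials.create(buildEnrollmentOptions(randomChallenge(), userId, userName));
  sessionStorage.setItem(STORAGE_KEY, cred.id);
  return cred.id;
}

/** Browser side: run the unlock ceremony and apply the local checks before lifting the UI gate. */
async function unlockWithBiometric() {
  const credentialId = sessionStorage.getItem(STORAGE_KEY);
  if (!credentialId) return { ok: false, reason: "not-enrolled" };
  const challenge = randomChallenge();
  const assertion = await navigator.credentials.get(buildUnlockOptions(challenge, credentialId));
  return checkLocalAssertion(assertion, { challenge, origin: ORIGIN, credentialId });
}
```

`checkLocalAssertion` insists on the UV flag because `userVerification: "required"` is a request to the browser, not a guarantee; reading the flag back is what proves the biometric prompt happened. A stronger client-only variant keeps `cred.response.getPublicKey()` from enrollment and verifies the assertion signature with `crypto.subtle.verify`; even then the gate remains a UI gate, because the Supabase tokens it stands in front of are untouched until "Lock and Sign Out".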

***

## Event / API Contracts

No new event or public API contracts. App lock is client-side only; the optional server-driven policy is read from `pf_module_settings` once Phase 1.5/2.5 is implemented.
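The client-side PIN and session lock described above, together with the optional `pf_module_settings` policy, as an added example that is not PF-79 project code: a lock state machine that locks on background and on inactivity, throttles failed PIN attempts with exponential backoff, compares PIN hashes in constant time, and derives the lock policy from a settings row with safe defaults. The row shape, the default timeout, the attempt limit and backoff, and `derivePinHash` (PBKDF2 through WebCrypto) are assumptions; only the column names `require_app_lock_mobile` and `app_lock_timeout_minutes` come from the page.

```javascript
// Added example (not PF-79 project code). Row shape, defaults, attempt limits and the
// PBKDF2 parameters are assumptions; the two column names come from the spec page.

/** Derive a lock policy from a pf_module_settings row (assumed shape), with safe defaults. */
function policyFromSettings(row) {
  const requireAppLock = row?.require_app_lock_mobile === true;
  const raw = Number(row?.app_lock_timeout_minutes);
  // Reject zero, negative, NaN and oversized timeouts: each would effectively disable the lock.
  const timeoutMinutes = Number.isFinite(raw) && raw > 0 ? Math.min(raw, 60) : 5;
  return { requireAppLock, timeoutMinutes };
}

/** Compare two fixed-length hex digests without stopping at the first differing character. */
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false; // digests are fixed length, so this leaks nothing useful
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

/** PBKDF2-SHA-256 of the PIN with a per-device random salt (browser WebCrypto; assumed parameters). */
async function derivePinHash(pin, salt, iterations = 210000) {
  const subtle = globalThis.crypto.subtle;
  const key = await subtle.importKey("raw", new TextEncoder().encode(pin), "PBKDF2", false, ["deriveBits"]);
  const bits = await subtle.deriveBits({ name: "PBKDF2", hash: "SHA-256", salt, iterations }, key, 256);
  return Array.from(new Uint8Array(bits), (b) => b.toString(16).padStart(2, "0")).join("");
}

/**
 * Local UI gate in front of an already-authenticated session. It never touches the
 * Supabase tokens; "Lock and Sign Out" is the only path here that clears them.
 */
class AppLockGate {
  constructor(policy, storedPinHash, { maxAttempts = 5, baseBackoffMs = 30000, now = Date.now() } = {}) {
    this.policy = policy;
    this.storedPinHash = storedPinHash;
    this.maxAttempts = maxAttempts;
    this.baseBackoffMs = baseBackoffMs;
    this.failedAttempts = 0;
    this.throttledUntil = 0;
    this.lastActivity = now;
    this.locked = true; // the app always resumes behind the gate
  }

  /** "unlocked", "locked", or "throttled" (locked and refusing attempts until the backoff expires). */
  state(now) {
    if (!this.locked) return "unlocked";
    return now < this.throttledUntil ? "throttled" : "locked";
  }

  /** Record user activity (pointer, key, scroll) so the inactivity timer restarts. */
  touch(now) {
    if (!this.locked) this.lastActivity = now;
  }

  /** Lock immediately when the PWA goes to the background; becoming visible again never unlocks. */
  onVisibilityChange(hidden) {
    if (hidden) this.locked = true;
  }

  /** Periodic check: lock once the policy's inactivity timeout has elapsed. */
  tick(now) {
    if (!this.locked && now - this.lastActivity >= this.policy.timeoutMinutes * 60000) this.locked = true;
    return this.state(now);
  }

  /** Attempt to unlock with the hash of the PIN the user entered. */
  tryUnlock(candidateHash, now) {
    if (now < this.throttledUntil) {
      return { ok: false, state: "throttled", retryAfterMs: this.throttledUntil - now };
    }
    if (constantTimeEqual(candidateHash, this.storedPinHash)) {
      this.failedAttempts = 0;
      this.locked = false;
      this.lastActivity = now;
      return { ok: true, state: "unlocked" };
    }
    this.failedAttempts += 1;
    if (this.failedAttempts >= this.maxAttempts) {
      // Exponential backoff: with the defaults, 30 s after the 5th failure, 60 s after the 6th, and so on.
      this.throttledUntil = now + this.baseBackoffMs * 2 ** (this.failedAttempts - this.maxAttempts);
      return { ok: false, state: "throttled", retryAfterMs: this.throttledUntil - now };
    }
    return { ok: false, state: "locked", attemptsLeft: this.maxAttempts - this.failedAttempts };
  }

  /** "Lock and Sign Out": the caller supplies the real sign-out (e.g. supabase.auth.signOut), which clears the tokens. */
  async lockAndSignOut(signOut) {
    this.locked = true;
    this.failedAttempts = 0;
    this.throttledUntil = 0;
    await signOut();
  }
}
```

Wiring in the app shell: call `onVisibilityChange(document.hidden)` from a `visibilitychange` listener, `touch(Date.now())` from pointer and key events, and `tick(Date.now())` from a short interval; on the lock screen, compute `derivePinHash(entered, salt)` and pass the result to `tryUnlock`. The salt and the stored hash live on the device, so a wrong PIN is only ever checked locally; the throttling is what keeps an on-device guess loop slow, and a reset of the app clears the lock but not the session, which is exactly why "Lock and Sign Out" exists as a separate action.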

***

## Related Docs

* [CROSS\_CORE\_INTEGRATIONS.md](./CROSS_CORE_INTEGRATIONS.md)
* [PLATFORM\_INTEGRATION\_LAYERS.md](./PLATFORM_INTEGRATION_LAYERS.md)
