[ECUK In-App 3DS] Add Passkeys/WebAuthn support for multifactor biometric authentication

[dariusz-biela]

Explanation of Change

This PR adds Passkeys/WebAuthn as a new authentication method for in-app 3DS card transaction authorization on Web/mWeb, alongside the existing NativeBiometrics (iOS/Android). A platform-specific useBiometrics() hook abstracts both methods behind a shared UseBiometricsReturn interface so the MFA context is unaware of the underlying technology. The Biometrics/ module is refactored into NativeBiometrics/, Passkeys/, and shared/ directories. Passkeys are currently enabled only in the BiometricsTest scenario. Localization and tests are updated accordingly.

Detailed breakdown

• usePasskeys hook — Manages the full Passkeys lifecycle (registration and authorization) by bridging low-level WebAuthn browser APIs with the MultifactorAuthenticationContext. Handles frontend ↔ backend credential exchange including challenge request/response flows.
• WebAuthn helpers — Passkeys/WebAuthn.ts provides ArrayBuffer ↔ base64url conversions, builds PublicKeyCredentialCreationOptions/RequestOptions, and wraps navigator.credentials.create/get. A separate Passkeys/helpers.ts module maps common WebAuthn DOMException errors to internal error codes.
• Shared biometrics abstraction — Extracts common types (UseBiometricsReturn, RegisterResult, AuthorizeResult, AuthorizeParams) and a useServerCredentials hook into biometrics/shared/ so that both useNativeBiometrics and usePasskeys share the same contract with the MFA context.
• Platform-specific useBiometrics split — biometrics/useBiometrics/index.ts (web) re-exports usePasskeys, while index.native.ts re-exports useNativeBiometrics, so the MultifactorAuthenticationContext calls a single useBiometrics() hook and the platform decides which implementation runs.
• MultifactorAuthenticationContext extension — Wires in the new useBiometrics() abstraction. Device eligibility is now checked in two steps: (2a) doesDeviceSupportAuthenticationMethod() verifies platform support, and (2b) the scenario's allowedAuthenticationMethods array is checked against deviceVerificationType. Prompt navigation now uses a PROMPT_TYPE_MAP to pick the correct prompt type (biometrics vs passkeys).
• Scenario configuration — Extends the BiometricsTest scenario's allowedAuthenticationMethods from [BIOMETRICS] to [BIOMETRICS, PASSKEYS]. Other scenarios remain unchanged, so Passkeys are currently only available in the test flow.
• NativeBiometrics refactor — Renames the Biometrics/ directory to NativeBiometrics/ and extracts native-specific types, helpers (Expo error decoding), and VALUES into dedicated files. Shared types and challenge types are moved to shared/. A new barrel file (MultifactorAuthentication/VALUES.ts) merges shared + NativeBiometrics + Passkeys values. The unused Observer.ts and MultifactorAuthenticationCallbacks are removed.
• Registration flow change — keyInfo construction (previously in processing.ts via createKeyInfoObject) is now performed inside each hook (useNativeBiometrics / usePasskeys), and processRegistration receives the ready-made keyInfo object directly.
• Prompt content updates — PromptContent.tsx now supports both Lottie animations and SVG illustrations (animation prop renamed to illustration). Passkeys use a new SVG asset (simple-illustration__encryption-passkeys.svg); native biometrics continue using the existing Lottie fingerprint animation.
• Field renames — localPublicKey → localCredentialID, getLocalPublicKey → getLocalCredentialID, doesDeviceSupportBiometrics → doesDeviceSupportAuthenticationMethod, resetKeysForAccount → deleteLocalKeysForAccount across hooks, pages, selectors, and tests.
• 3DS navigation simplification — useNavigateTo3DSAuthorizationChallenge replaces the per-method switch-case with a single doesDeviceSupportAuthenticationMethod() && allowedAuthenticationMethods.includes(deviceVerificationType) check, removing the previous TODO comment about passkey support.
• Type safety improvements — userVerification narrowed from string to UserVerificationRequirement, pubKeyCredParams.type narrowed from string to PublicKeyCredentialType, AuthTypeInfo.code made optional (passkeys don't use SecureStore codes). Added COSE_ALGORITHM constants (EDDSA, ES256, RS256) to CONST.
• Selector changes — Removed hasBiometricsRegisteredSelector and isAccountLoadingSelector from selectors/Account.ts; added mfaCredentialIDsSelector used by the new useServerCredentials hook.
• Localization — Adds Passkey-related user-facing strings (verifyYourself.passkeys, enableQuickVerification.passkeys, authType.passkey) across all supported languages.
• Tests — Adds unit tests for processRegistration/processScenarioAction (processing.test.ts), NativeBiometrics Expo error decoding (NativeBiometrics/helpers.test.ts), and shared parseHttpRequest (shared/helpers.test.ts). Updates existing test suites for renamed fields and import paths. Removes obsolete Observer.test.ts and old Biometrics/helpers.test.ts.

Fixed Issues

$ #79464
$ #79467
$ #79469
PROPOSAL:

Tests

All of these PRs have already been deployed to production:

Prerequisites: The backend is not yet ready — testing requires the Auth and Web-Expensify PRs:
https://github.com/Expensify/Auth/pull/19657
https://github.com/Expensify/Web-Expensify/pull/51463
https://github.com/Expensify/Auth/pull/20520

Passkeys registration (Web / mWeb):

1. Open Expensify App on Web (Chrome/Safari)
2. Navigate to Settings → Troubleshoot
3. Click on the "Test" button next to the "Passkeys (Not registered)" text
4. Click on the "Test" button in the RHP view
5. Fill the magic code input
6. Click on the "Got it" button
7. Authenticate using your browser's passkey/WebAuthn prompt (e.g. Touch ID, Windows Hello, security key)
8. Verify that the Authentication was successful
9. Verify that the registered label is now displayed

Passkeys authorization (Web / mWeb): 10. Repeat steps 3 and 4 11. Verify that the validate code step is no longer required 12. Authenticate using the passkey prompt 13. Verify that the Authentication was successful

Failure scenarios (Web / mWeb): 14. Cancel the passkey prompt during registration (step 7) — verify the Authentication failed 15. Cancel the passkey prompt during authorization (step 12) — verify the Authentication failed 16. Exit the flow using the back button or by clicking the overlay — verify a confirmation modal is displayed 17. Enter a wrong validate code during registration — verify an error text is displayed and the magic code input is shown again to allow re-entry

NativeBiometrics regression (iOS / Android native): 18. Open Expensify App on a native mobile device 19. Navigate to Settings → Troubleshoot 20. Click on the "Test" button next to the "Biometrics (Not registered)" text 21. Click on the "Test" button in the RHP view 22. Fill the magic code input 23. Click on the "Got it" button 24. Authenticate using device credentials or biometry (Face ID / Touch ID / fingerprint) 25. Verify that the Authentication was successful 26. Verify that the registered label is now displayed 27. Repeat steps 20 and 21 28. Verify that validate code is no longer required 29. Authenticate using device biometrics 30. Verify that the Authentication was successful

• Verify that no errors appear in the JS console

Offline tests

N/A, D - Full Page Blocking UI Pattern for this project.

QA Steps

Same as tests

PR Author Checklist

• I linked the correct issue in the ### Fixed Issues section above
• I wrote clear testing steps that cover the changes made in this PR
  • I added steps for local testing in the Tests section
  • I added steps for the expected offline behavior in the Offline steps section
  • I added steps for Staging and/or Production testing in the QA steps section
  • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
  • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
  • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).
• I included screenshots or videos for tests on all platforms
• I ran the tests on all platforms & verified they passed on:
  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
• I verified there are no console errors (if there's a console error not related to the PR, report it or open an issue for it to be fixed)
• I followed proper code patterns (see Reviewing the code)
  • I verified that any callback methods that were added or modified are named for what the method does and never what callback they handle (i.e. toggleReport and not onIconClick)
  • I verified that comments were added to code that is not self explanatory
  • I verified that any new or modified comments were clear, correct English, and explained "why" the code was doing something instead of only explaining "what" the code was doing.
  • I verified any copy / text shown in the product is localized by adding it to src/languages/* files and using the translation method
    • If any non-english text was added/modified, I used JaimeGPT to get English > Spanish translation. I then posted it in #expensify-open-source and it was approved by an internal Expensify engineer. Link to Slack message:
  • I verified all numbers, amounts, dates and phone numbers shown in the product are using the localization methods
  • I verified any copy / text that was added to the app is grammatically correct in English. It adheres to proper capitalization guidelines (note: only the first word of header/labels should be capitalized), and is either coming verbatim from figma or has been approved by marketing (in order to get marketing approval, ask the Bug Zero team member to add the Waiting for copy label to the issue)
  • I verified proper file naming conventions were followed for any new files or renamed files. All non-platform specific files are named after what they export and are not named "index.js". All platform-specific files are named for the platform the code supports as outlined in the README.
  • I verified the JSDocs style guidelines (in STYLE.md) were followed
• If a new code pattern is added I verified it was agreed to be used by multiple Expensify engineers
• I followed the guidelines as stated in the Review Guidelines
• I tested other components that can be impacted by my changes (i.e. if the PR modifies a shared library or component like Avatar, I verified the components using Avatar are working as expected)
• I verified all code is DRY (the PR doesn't include any logic written more than once, with the exception of tests)
• I verified any variables that can be defined as constants (ie. in CONST.ts or at the top of the file that uses the constant) are defined as such
• I verified that if a function's arguments changed that all usages have also been updated correctly
• If any new file was added I verified that:
  • The file has a description of what it does and/or why is needed at the top of the file if the code is not self explanatory
• If a new CSS style is added I verified that:
  • A similar style doesn't already exist
  • The style can't be created with an existing StyleUtils function (i.e. StyleUtils.getBackgroundAndBorderStyle(theme.componentBG))
• If new assets were added or existing ones were modified, I verified that:
  • The assets are optimized and compressed (for SVG files, run npm run compress-svg)
  • The assets load correctly across all supported platforms.
• If the PR modifies code that runs when editing or sending messages, I tested and verified there is no unexpected behavior for all supported markdown - URLs, single line code, code blocks, quotes, headings, bold, strikethrough, and italic.
• If the PR modifies a generic component, I tested and verified that those changes do not break usages of that component in the rest of the App (i.e. if a shared library or component like Avatar is modified, I verified that Avatar is working as expected in all cases)
• If the PR modifies a component related to any of the existing Storybook stories, I tested and verified all stories for that component are still working as expected.
• If the PR modifies a component or page that can be accessed by a direct deeplink, I verified that the code functions as expected when the deeplink is used - from a logged in and logged out account.
• If the PR modifies the UI (e.g. new buttons, new UI components, changing the padding/spacing/sizing, moving components, etc) or modifies the form input styles:
  • I verified that all the inputs inside a form are aligned with each other.
  • I added Design label and/or tagged @Expensify/design so the design team can review the changes.
• If a new page is added, I verified it's using the ScrollView component to make it scrollable when more elements are added to the page.
• I added unit tests for any new feature or bug fix in this PR to help automatically prevent regressions in this user flow.
• If the main branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to the Test steps.

Screenshots/Videos

Android: Native

Android: mWeb Chrome

iOS: Native

iOS: mWeb Safari

MacOS: Chrome / Safari

[melvin-bot]

Hey, I noticed you changed src/languages/en.ts in a PR from a fork. For security reasons, translations are not generated automatically for PRs from forks.

If you want to automatically generate translations for other locales, an Expensify employee will have to:

1. Look at the code and make sure there are no malicious changes.
2. Run the Generate static translations GitHub workflow. If you have write access and the K2 extension, you can simply click: [this button]

Alternatively, if you are an external contributor, you can run the translation script locally with your own OpenAI API key. To learn more, try running:

npx ts-node ./scripts/generateTranslations.ts --help

Typically, you'd want to translate only what you changed by running npx ts-node ./scripts/generateTranslations.ts --compare-ref main

[codecov]

Codecov Report

✅ Changes either increased or maintained existing code coverage, great job!

Files with missing lines	Coverage Δ
src/CONST/index.ts	95.20% <ø> (+1.60%)	⬆️
src/components/Icon/chunks/illustrations.chunk.ts	0.00% <ø> (ø)
...tication/biometrics/shared/useServerCredentials.ts	100.00% <100.00%> (ø)
...orAuthentication/biometrics/useNativeBiometrics.ts	100.00% <100.00%> (ø)
...ion/components/AuthenticationMethodDescription.tsx	50.00% <ø> (ø)
...nts/OutcomeScreen/SuccessScreen/defaultScreens.tsx	100.00% <ø> (ø)
...tication/config/scenarios/DefaultUserInterface.tsx	100.00% <ø> (ø)
...ultifactorAuthentication/config/scenarios/names.ts	100.00% <ø> (ø)
...uthentication/observability/trackMFAFlowOutcome.ts	0.00% <ø> (ø)
src/components/TestToolMenu.tsx	90.32% <100.00%> (ø)
... and 26 more
... and 92 files with indirect coverage changes

[JakubKorytko]

some NITs, overall LGTM

[chuckdries]

That worked!!

iOS Safari: success ✅

ios.safari.passkey.success.mp4

[DylanDylann]

Screenshots/Videos

Android: mWeb Chrome

Still got failed

iOS: mWeb Safari

Still got failed

MacOS: Chrome / Safari

Screen.Recording.2026-03-20.at.01.08.42.mov

[github-actions]

🚧 @rafecolton has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #84610.

Android 🤖	iOS 🍎
⏩ SKIPPED ⏩	⏩ SKIPPED ⏩
The build for Android was skipped	The build for iOS was skipped

Web 🕸️
https://84610.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[rafecolton]

@Expensify/design please review 🙏

[dubielzyk-expensify]

This feels real lovely! Two things:

1. There's a jump when clicking the button. Let's ensure that the button is accounted for even when it goes away so the shift in layout don't happen.

CleanShot.2026-03-20.at.08.07.13.mp4

2. The spinner thing is a bit too big. Instead of 40x40, can we do 28x28? Curious if @Expensify/design agrees.

cc @Expensify/design

[dubielzyk-expensify]

Also @Expensify/design I know this is our unlock illustration cause in some causes unlock means bad, but I think in this instance having the red is real confusing:

I'd actually suggest we quickly replace this specific one with something like this:

Not override, but add an alternative for when unlock means good.

[rafecolton]

This has conflicts now, probably from #84120 being merged. Once those are resolved and Jon's design comments are addressed, this can be merged 👍

[dariusz-biela]

@dubielzyk-expensify

I have made these changes to this PR:

1. There's a jump when clicking the button. Let's ensure that the button is accounted for even when it goes away so the shift in layout don't happen.
2. The spinner thing is a bit too big. Instead of 40x40, can we do 28x28?

If you decide to do this, I will be very grateful if you send me the appropriate SVG, because I currently cannot find this icon variant in Figma:

Also @Expensify/design I know this is our unlock illustration cause in some causes unlock means bad, but I think in this instance having the red is real confusing:

passkeys.mov

[dannymcclain]

Agree with all your feedback Jon!

[dariusz-biela]

@dannymcclain
Could you send me this illustration as SVG?
Then I would be able to make changes immediately

[dannymcclain]

@dariusz-biela

Try this one!
simple-illustration__unlocked-green-large.svg.zip

@dubielzyk-expensify I made some tweaks to harmonize the colors a bit more 🙃 🤷‍♂️ (also published this version in our Simple Illustrations file)

[github-actions]

🚧 @rafecolton has triggered a test Expensify/App build. You can view the workflow run here.

[github-actions]

🧪🧪 Use the links below to test this adhoc build on Android, iOS, and Web. Happy testing! 🧪🧪
Built from App PR #84610.

Android 🤖	iOS 🍎
https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-android-Adhoc-6e4dc2e-9be7b50-aa48244787d8863913559889813414fafa8ea867/index.html	https://ad-hoc-expensify-cash.s3.us-east-1.amazonaws.com/rock-artifacts/ad-hoc/rock-ios-device-AdHoc-6e4dc2e-9be7b50-c2e4e52dd4c3b18d9aa456573fc568050ff894b6/index.html

Web 🕸️
https://84610.pr-testing.expensify.com

---

👀 View the workflow run that generated this build 👀

[OSBotify]

✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release.

[OSBotify]

🚀 Deployed to staging by https://github.com/rafecolton in version: 9.3.42-0 🚀

platform	result
🕸 web 🕸	success ✅
🤖 android 🤖	success ✅
🍎 iOS 🍎	success ✅

Bundle Size Analysis (Sentry):

• Android
• iOS