Authentication & session management
| ID | MOD-068 |
| System | SD08 |
| Repo | bank-app |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | bc8ae27c9ecc660c7eb59e321a9936d2a0c54463 |
Authentication and session management is the security boundary between the internet and all customer-facing and operator-facing surfaces of the platform. It handles the full ceremony of proving identity — biometric gesture, passkey assertion, MFA challenge — and converts a successful proof into a scoped, time-limited session token that all downstream modules rely on.
The module maintains a device registry: each device used to access the platform is fingerprinted and assigned a trust level on first use after a full authentication ceremony. Recognised trusted devices can use biometric-only login; new or suspicious devices are challenged with additional factors. Step-up authentication is triggered automatically by the payment initiation and operations modules when a high-risk action is requested — the user is re-challenged in-flow before the action proceeds.
Session tokens are short-lived and silently refreshed in the background; the module revokes all active sessions for a customer on logout, password change, or when the fraud scorer raises a suspicious-activity flag. The module is designed against FIDO2 / WebAuthn standards, with phishing-resistant credentials as the primary factor.
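The sketch below is an added example, not code from the bank-app repo. It models the three behaviours described above: revoke-all via a per-customer session epoch, read-only scope for untrusted devices, and step-up before a high-risk action. An HMAC-signed JSON blob stands in for the JWT, and the key, TTLs, and function names are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: real keys come from the key-management module
ACCESS_TTL = 300               # assumption: 5-minute access tokens
STEP_UP_WINDOW = 120           # assumption: a step-up proof stays fresh for 2 minutes
REVOKE_EVENTS = {"logout", "password_change", "fraud_flag"}  # triggers named in the text
epochs = {}                    # customer id -> current session epoch (server-side state)

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def issue(customer, device_trusted, now, stepped_up_at=None):
    """Mint a token bound to the customer's current epoch and the device trust level."""
    claims = {"sub": customer, "epoch": epochs.setdefault(customer, 0),
              "exp": now + ACCESS_TTL,
              "scope": "full" if device_trusted else "read-only",
              "step_up": stepped_up_at}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()

def validate(token, now):
    """Return the claims, or None if the token is forged, expired, or revoked."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or claims["epoch"] != epochs.get(claims["sub"]):
        return None  # an epoch mismatch means a revoke-all happened after issuance
    return claims

def on_event(customer, event):
    """Bump the epoch so every outstanding token for the customer stops validating."""
    if event in REVOKE_EVENTS:
        epochs[customer] = epochs.get(customer, 0) + 1

def authorize(token, now, high_risk=False):
    """Decide allow / deny / step_up_required / reauthenticate for one request."""
    claims = validate(token, now)
    if claims is None:
        return "reauthenticate"
    if high_risk:
        if claims["scope"] != "full":
            return "deny"  # untrusted device: read-only until a full ceremony
        su = claims["step_up"]
        if su is None or now - su > STEP_UP_WINDOW:
            return "step_up_required"
    return "allow"
```

The epoch check is what makes revocation take effect immediately: without server-side state, a signed token would otherwise remain valid until its expiry.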
Module dependencies
Depends on
| Module | Title | Required? | Contract | Reason |
| MOD-044 | JWT role-based access control | Required | — | Session tokens are issued as JWTs validated by the RBAC module — token issuance is coordinated with the JWT signing infrastructure. |
| MOD-045 | Secrets & key management | Required | — | Session signing keys and FIDO2 credential keys are managed by the secrets and key management module. |
| MOD-104 | AWS shared infrastructure bootstrap | Required | — | AWS shared infrastructure provisioned by MOD-104 (EventBridge buses, S3, KMS, Kinesis, Cognito) is required before this module can be deployed. |
| MOD-103 | Neon database platform bootstrap | Required | — | Neon database and schema provisioned by MOD-103 must exist before this module can read or write Postgres. |
| MOD-075 | Internal API gateway | Required | — | Internal HTTP API gateway (MOD-075) must be deployed before MOD-068 can register its /auth/* routes and receive inbound requests from the mobile app. |
| MOD-043 | EventBridge domain event governance | Required | — | EventBridge Schema Registry (MOD-043) must be deployed before MOD-068 can register the bank.app.session_created and bank.app.session_revoked event schemas at deploy time. |
Required by
| Module | Title | As | Contract |
| MOD-024 | Device & session intelligence | Hard dependency | — |
| MOD-049 | Open banking consent management | Hard dependency | — |
| MOD-050 | Disclosure enforcement module | Hard dependency | — |
| MOD-052 | Role-scoped data access | Hard dependency | — |
| MOD-053 | Case & complaint management module | Hard dependency | — |
| MOD-069 | Customer app shell | Hard dependency | — |
| MOD-070 | Transaction history & search | Hard dependency | — |
| MOD-071 | Payment initiation | Hard dependency | — |
| MOD-072 | Customer profile & settings | Hard dependency | — |
| MOD-077 | Account dashboard & insight feed | Hard dependency | — |
| MOD-078 | Card & account controls | Hard dependency | — |
| MOD-148 | Privacy access request (DSAR) workflow | Hard dependency | — |
| MOD-151 | Risk case console | Hard dependency | — |
| MOD-155 | Target Market Determination (AU DDO) | Hard dependency | — |
| MOD-164 | Facility component self-service | Hard dependency | — |
| MOD-177 | SD06 risk dashboard renderer | Hard dependency | — |
Policies satisfied
| Policy | Title | Mode | How |
| DT-002 | Cybersecurity Policy | GATE | Enforces multi-factor authentication and device trust checks as a prerequisite for session establishment — no session is issued without passing cybersecurity controls. |
| PRI-001 | Privacy Policy | GATE | Access to customer data requires a valid, unrevoked session tied to a verified identity — no anonymous data access is permitted. |
Capabilities satisfied
| Capability | Title | Mode | How |
| CAP-024 | Biometric login (Face ID / fingerprint) | GATE | Biometric gesture (Face ID / fingerprint) is evaluated by the device OS and the result is attested to the session engine before a token is issued. |
| CAP-036 | Passkey / FIDO2 authentication | GATE | Registers and authenticates FIDO2/passkey credentials against stored device-bound keys — password-less login with phishing resistance. |
| CAP-037 | Step-up authentication for high-value transactions | GATE | Re-challenges with biometric or passkey when a high-value transaction triggers a step-up requirement before execution is permitted. |
| CAP-108 | Device registration & trust | GATE | Registers the device fingerprint and assigns a trust level — untrusted devices are limited to read-only until a full MFA ceremony is completed. |
| CAP-109 | Session lifecycle management | AUTO | Issues short-lived access tokens and silent refresh tokens, revoking all sessions on logout or suspicious activity detection. |
Part of SD08 — Customer App & Back Office Platform
Compiled 2026-05-22 from source/entities/modules/MOD-068.yaml