Biometric Authentication in Kotlin Multiplatform and Koncierge: A 2026 Deep Dive
In the rapidly evolving landscape of mobile and cross-platform development, secure and seamless user authentication remains a top priority. As of mid-2026, biometric authentication—using fingerprints, facial recognition, or iris scans—has become a standard expectation for modern applications. A recent in-depth technical article on Habr (published July 2026) sheds light on how developers can implement biometric authentication using Kotlin Multiplatform (KMP) and the Koncierge library, offering a practical case study for teams aiming to unify authentication across Android, iOS, and beyond. This article summarizes the key findings, challenges, and solutions presented in that source material, providing an expert overview for cross-platform engineers.
Context and Problem Statement
The article begins by outlining a common challenge: building a cross-platform mobile application that supports biometric authentication on both Android (BiometricPrompt API) and iOS (LocalAuthentication framework) while maintaining a single shared codebase. The developers behind the project initially faced fragmented implementation—each platform required separate native code, leading to increased maintenance costs and inconsistent user experience. The goal was to create a unified, secure authentication flow using Kotlin Multiplatform, a technology that allows sharing business logic across platforms, while leveraging platform-specific biometric APIs.
The core problem was twofold:
1. API divergence: Android's BiometricPrompt (introduced in Android 10, with significant updates in later versions) and iOS's LocalAuthentication (Touch ID / Face ID) have different error handling, permission models, and callback patterns.
2. State management: Biometric authentication is inherently asynchronous and often requires user interaction (e.g., scanning a fingerprint). The team needed a way to handle these async flows in a clean, testable manner within KMP's expect/actual mechanism.
Solution Architecture: Koncierge to the Rescue
The article introduces Koncierge—a Kotlin Multiplatform library specifically designed to abstract biometric authentication across platforms. Koncierge provides a unified API that wraps Android's BiometricPrompt and iOS's LAContext, exposing a simple interface for developers. The key components described in the source include:
BiometricAuthenticator: A common interface that defines methods likeauthenticate(),canAuthenticate(), andcancel(). This allows shared code to call biometric checks without platform-specific branches.BiometricResult: A sealed class representing success, failure, or user cancellation. This eliminates the need to handle platform-specific error codes (e.g.,BIOMETRIC_ERROR_NO_HARDWAREvs.LAError.biometryNotAvailable).- Configuration options: Developers can specify whether to allow device credentials (PIN/pattern) as fallback, set title/subtitle for the system dialog, and handle biometric strength levels (e.g., strong vs. weak on Android).
The article emphasizes that Koncierge is not a black box—it is open-source and relies on Kotlin Multiplatform's expect/actual pattern. The actual implementations for Android use androidx.biometric.BiometricPrompt (version 1.2.0+), while iOS uses LAContext with evaluatePolicy(_:localizedReason:). The library handles lifecycle management (e.g., automatically cancelling authentication when an activity/fragment is destroyed on Android).
Practical Implementation Steps
The source material walks through a concrete example: a banking app that requires biometric authentication before accessing sensitive transaction data. The steps described include:
- Adding dependencies: In
build.gradle.kts, the team addedcom.koncierge:biometric:1.0.0(version current as of mid-2026) and configured the KMP module to targetandroidTargetandiosX64/iosArm64. - Creating a shared repository: A
BiometricRepositoryclass incommonMainthat uses theBiometricAuthenticatorinterface. This repository handles the authentication logic and exposes aFlow<BiometricResult>to the UI layer. - Platform-specific wiring: On Android, an
ActivityorFragmentpasses its lifecycle owner to the actual implementation. On iOS, aUIViewControllerreference is required for the system dialog. - Error handling: The article provides a sample code snippet where the repository catches
BiometricException(a wrapper for platform-specific errors) and maps them to user-friendly messages. For instance, if the device has no biometric hardware, the app falls back to a PIN-based authentication.
One notable challenge highlighted in the article is permission management on iOS. Unlike Android, where biometric permissions are usually implicit, iOS apps must include the NSFaceIDUsageDescription key in Info.plist. The authors note that Koncierge provides a compile-time check for this key, emitting a warning if it's missing.
Results and Performance
The article reports that after migrating to Koncierge, the team reduced the biometric-related code by approximately 60% compared to the previous dual-native approach. The shared code now handles authentication flow, while each platform's actual implementation is only about 30 lines of code. The team also observed faster iteration cycles—changes to the authentication logic in commonMain automatically apply to both platforms without manual synchronization.
Performance-wise, Koncierge adds minimal overhead. The library is written entirely in Kotlin and leverages Kotlin/Native for iOS, ensuring that the authentication calls are nearly as fast as native implementations. The article mentions that the library's size is under 200 KB, making it suitable for production use in resource-constrained apps.
Critical Evaluation and Limitations
While the article praises Koncierge for its simplicity and maintainability, it also discusses several limitations:
- Platform-specific features: Some advanced biometric options (e.g., Android's
BIOMETRIC_STRONGvs.BIOMETRIC_WEAKclassification, or iOS'sLAContextinteraction with Secure Enclave) are not fully exposed by the library. Developers needing fine-grained control may still need to write platform-specific code. - Lifecycle complexity: On Android, the library relies on the host activity's lifecycle. If the app uses Jetpack Compose with no explicit
Activity(e.g., a pure Compose app), the setup becomes more involved. The article suggests usingrememberLauncherForActivityResultas a workaround, but this adds boilerplate. - Testing: The authors note that testing biometric authentication in unit tests is challenging because the actual biometric hardware is not available. They recommend using dependency injection to mock the
BiometricAuthenticatorinterface in tests, but this requires additional setup.
Despite these limitations, the article concludes that Koncierge is a solid choice for most cross-platform projects, especially those already using Kotlin Multiplatform.
Comparison with Alternatives
For context, the article briefly compares Koncierge with other approaches:
| Approach | Pros | Cons |
|---|---|---|
| Koncierge | Unified API, open-source, small footprint | Limited advanced features, lifecycle coupling |
| Native only (Swift + Kotlin) | Full control, access to all platform features | High maintenance, code duplication |
| Flutter with local_auth | Mature plugin, large community | Requires Flutter runtime, not KMP-native |
| Custom expect/actual | Tailored to exact needs | Steep learning curve, time-consuming |
The table illustrates that Koncierge occupies a middle ground—it sacrifices some flexibility for developer productivity.
Security Considerations
Security is a central theme of the article. The authors emphasize that biometric authentication is not a silver bullet—it should be used as a convenience factor, not a sole authentication mechanism. They recommend:
- Fallback to device credentials: Always allow users to authenticate with a PIN or password if biometrics fail or are unavailable.
- Encryption: Biometric secrets (e.g., cryptographic keys) should be stored in the device's hardware-backed keystore (Android's
KeyStoreor iOS'sSecure Enclave). Koncierge supports this via itsgenerateKey()method, which creates a key that can only be unlocked after successful biometric verification. - Anti-spoofing: On iOS, Face ID uses advanced depth mapping; on Android, the library respects the
BIOMETRIC_STRONGflag to ensure only Class 3 (strong) biometrics are used. Developers are advised to avoid using weak biometrics (e.g., some camera-based facial recognition on older Android devices).
The article also references official Android and Apple documentation to back up these recommendations, reinforcing trustworthiness.
Future Directions
The Habr article speculates on future enhancements for Koncierge, including:
- Passkey integration: With the rise of passkeys (FIDO2/WebAuthn), future versions might support biometric-backed passkey authentication across platforms.
- Wearable support: Extending biometric authentication to companion devices like smartwatches.
- Compose Multiplatform: Better integration with Jetpack Compose and Compose Multiplatform for declarative UI apps.
While these are speculative, they align with current industry trends in 2026, where passwordless authentication is becoming mainstream.
Conclusion
The Habr article provides a timely and practical case study for developers looking to implement biometric authentication in Kotlin Multiplatform projects. By leveraging the Koncierge library, the project team successfully unified Android and iOS biometric flows, reducing code duplication and improving maintainability. The article highlights both the strengths (simplified API, small footprint, open-source) and limitations (advanced feature gaps, lifecycle management) of the approach, offering a balanced perspective.
For any cross-platform team evaluating biometric solutions, this source material serves as a valuable reference. The key takeaway is that with proper abstraction and careful handling of platform differences, biometric authentication can be both secure and developer-friendly in a KMP environment. As the ecosystem matures, libraries like Koncierge will likely become standard tools in the cross-platform developer's arsenal.
Comments