Client-Side SpecKit

eToro Plus (React Native) — 2FA feature specification for the mobile app

🧩 React Native Components

src/features/2fa/
├── screens/
│   ├── TwoFASettingsScreen.tsx      # Main 2FA settings hub
│   ├── TOTPSetupScreen.tsx          # TOTP setup wizard (3 steps)
│   ├── TOTPCodeInputScreen.tsx      # 6-digit code entry (login)
│   ├── WebAuthnSetupScreen.tsx      # Passkey registration
│   ├── WebAuthnPromptScreen.tsx     # Passkey auth during login
│   ├── BackupCodesScreen.tsx        # Display & copy backup codes
│   ├── BackupCodeInputScreen.tsx    # Enter backup code (login)
│   └── RecoveryScreen.tsx           # Account recovery form
├── components/
│   ├── QRCodeDisplay.tsx            # Show QR code for authenticator
│   ├── QRScanner.tsx                # Camera-based QR scanner
│   ├── CodeInput.tsx                # 6-digit OTP input with auto-focus
│   ├── BackupCodeCard.tsx           # Single backup code display
│   ├── PasskeyCard.tsx              # Registered passkey item
│   ├── TwoFAMethodPicker.tsx        # Choose TOTP vs Passkey
│   ├── SecurityBanner.tsx           # "2FA not enabled" warning
│   └── CountdownTimer.tsx           # Rate limit countdown
├── hooks/
│   ├── useTwoFA.ts                  # Main 2FA state hook
│   ├── useTOTPSetup.ts              # TOTP setup flow state
│   ├── useWebAuthn.ts               # WebAuthn registration/auth
│   └── useBackupCodes.ts            # Backup code management
├── services/
│   ├── twoFAApi.ts                  # API client for all 2FA endpoints
│   └── webauthnBridge.ts            # @simplewebauthn/browser wrapper
├── context/
│   └── TwoFAContext.tsx             # Global 2FA status provider
├── types/
│   └── twoFA.types.ts               # TypeScript interfaces
└── utils/
    ├── otpauthUri.ts                # Parse otpauth:// URIs
    └── codeFormatter.ts             # Format "123456" → "123 456"

📱 TwoFASettingsScreen

Main hub showing current 2FA status, enabled methods, registered passkeys, and backup code count. Entry point from Account → Security.

// Key sections:
- 2FA Status badge (enabled/disabled)
- TOTP section (enable/disable toggle)
- Passkeys section (list + add new)
- Backup Codes (remaining count + regenerate)
- Recovery options

🔢 CodeInput

Reusable 6-digit OTP input with individual boxes, auto-advance, paste support, and haptic feedback on completion.

interface CodeInputProps {
  length?: 6 | 8;
  onComplete: (code: string) => void;
  error?: string;
  loading?: boolean;
  autoFocus?: boolean;
}

📷 QRScanner

Camera view for scanning authenticator QR codes. Uses react-native-camera. Fallback: manual secret entry.

// Parses otpauth:// URI from QR
// Auto-dismisses on successful scan
// Shows "Enter manually" link below

🔑 PasskeyCard

Shows registered passkey with device name, last used date, and delete option.

interface PasskeyCardProps {
  credential: WebAuthnCredential;
  onDelete: (id: string) => void;
  onRename: (id: string, name: string) => void;
}

🔄 User Flows

Setup TOTP

User navigates to Settings → Security → Two-Factor Authentication

Taps "Enable Authenticator App" — app calls POST /2fa/totp/setup

QR code displayed with otpauth:// URI. "Copy secret" button below for manual entry.

User scans QR with Google Authenticator / Authy / 1Password

User enters 6-digit code from authenticator → POST /2fa/totp/verify

Backup codes displayed — user prompted to save/screenshot. Checkbox: "I've saved these codes"

2FA enabled. Success animation + return to settings.

STEP 3 OF 7

Scan QR Code

QR Code

Scan with your authenticator app

Copy Secret Key

User enters email + password → API returns { requires2FA: true, tempToken }

App navigates to TOTPCodeInputScreen with 6-digit input

User enters code → POST /2fa/totp/validate with temp token

Success: receive tokens, navigate to home. Failure: shake animation + retry.

After 5 failures: countdown timer shown, inputs disabled for 5 min.

Links available: "Use Passkey" and "Use Backup Code"

Setup Passkey (WebAuthn)

User taps "Add Passkey" in 2FA settings

App calls POST /2fa/webauthn/register/options

@simplewebauthn/browser startRegistration() triggers OS biometric prompt

User authenticates with Face ID / Touch ID / PIN

App sends attestation → POST /2fa/webauthn/register/verify

User enters device name (e.g., "My iPhone"). Passkey registered.

After password, "Sign in with Passkey" shown as preferred (green button, above TOTP input)

App calls POST /2fa/passkey/authenticate/options

startAuthentication() triggers biometric prompt (Face ID / fingerprint)

User verifies → assertion sent to POST /2fa/passkey/authenticate/verify

Tokens received. Navigate to home. Show "Signed in with iPhone 15 Pro" toast.

On web: the login page uses mediation: "conditional" to show passkey suggestions in the browser's autofill dropdown — no button click needed.

User navigates to etoro.com/login. Page calls POST /passkey/authenticate/options with empty body.

startAuthentication({mediation: "conditional"}) — browser shows passkey in username autofill: "Sign in as yoni@etoro.com 🔑"

User taps the autofill suggestion → biometric verification

Assertion (with userHandle) sent to verify endpoint → logged in instantly

No username. No password. No OTP. Zero friction.

PASSWORDLESS LOGIN

Welcome to eToro

|🔑 yoni@etoro.com

↑ Browser autofill shows passkey suggestion

When the user is on a device without a registered passkey (e.g., a shared computer), they can use their phone as an authenticator via QR + Bluetooth.

On desktop 2FA screen, user taps "Use a passkey from another device"

Browser displays QR code (contains BLE advertisement + encrypted tunnel info)

User opens phone camera → scans QR → system detects WebAuthn request

Phone checks Bluetooth proximity (prevents remote relay attacks)

Biometric prompt on phone → Face ID / fingerprint

Signed assertion tunneled to desktop browser → logged in on desktop

Manage Passkeys

Settings → Security → Passkeys. Shows all registered passkeys with device info, sync status, and management options.

Screen loads registered passkeys via GET /2fa/passkey/credentials

Each passkey shown as a PasskeyCard: device name, "Synced ☁️" or "This device only", last used date

Swipe left to reveal Rename and Delete actions

Delete requires 2FA verification (enter TOTP code or use another passkey)

"+ Add Passkey" button at bottom → triggers registration flow

MANAGE PASSKEYS

Your Passkeys

🔑 iPhone 15 Pro

Synced ☁️ · Last used 2h ago

⋯

🔑 MacBook Pro

Synced ☁️ · Last used 1d ago

⋯

🔐 YubiKey 5

Device only · Last used 5d ago

⋯

+ Add Passkey

Passkey Nudge — Upgrade Prompt

After successful SMS or TOTP login, show a bottom sheet prompting upgrade to Passkey.

User logs in with SMS or TOTP → success

After 1s delay, bottom sheet slides up with passkey promotion

Shows: "⚡ Sign in 5x faster — Use Face ID instead of codes"

Green button: "Set up Passkey" → navigates to passkey registration

Dim link: "Maybe later" → dismiss. Reappears after 7 days (max 3 times).

POST-LOGIN NUDGE

🔑

Sign in faster with Passkey

Use Face ID or fingerprint instead of typing codes. It's also more secure — immune to phishing attacks.

TOTP

~15s

Passkey

~3s

Set up Passkey

Maybe later

Fallback Flow — Passkey Failure Recovery

When passkey authentication fails (device issue, cancelled, etc.), graceful fallback to alternative methods.

Passkey auth fails or user cancels biometric → "Passkey not available?" message

Show fallback options: ① Enter TOTP code · ② Use backup code · ③ Try another passkey

If TOTP also unavailable: "Use backup code" input shown

If all methods exhausted: "I can't access any method" → links to account recovery

Recovery flow: email verification + ID document → manual security review (24-48h)

Use Backup Code

On 2FA login screen, user taps "Can't access authenticator?"

Navigates to BackupCodeInputScreen — format: XXXX-XXXX

User enters backup code → POST /2fa/backup-codes/verify

If ≤3 codes remaining: warning banner prompting regeneration

Disable 2FA

In 2FA settings, user taps "Disable Two-Factor Authentication"

Confirmation dialog: "This will reduce your account security. Are you sure?"

User must enter current TOTP code or use passkey to confirm

DELETE /2fa/totp called → 2FA disabled, secrets purged

🗃️ State Management

TwoFAContext

interface TwoFAState {
  isEnabled: boolean;
  primaryMethod: 'totp' | 'webauthn' | null;
  totp: {
    enabled: boolean;
    configuredAt: string | null;
  };
  webauthn: {
    enabled: boolean;
    credentials: WebAuthnCredential[];
  };
  backupCodes: {
    remaining: number;
    generatedAt: string | null;
  };
  loading: boolean;
  error: string | null;
}

// Actions
type TwoFAAction =
  | { type: 'SET_STATUS'; payload: TwoFAStatus }
  | { type: 'TOTP_ENABLED' }
  | { type: 'TOTP_DISABLED' }
  | { type: 'PASSKEY_ADDED'; payload: WebAuthnCredential }
  | { type: 'PASSKEY_REMOVED'; payload: string }
  | { type: 'BACKUP_CODES_REGENERATED'; payload: number }
  | { type: 'SET_LOADING'; payload: boolean }
  | { type: 'SET_ERROR'; payload: string | null };

// Provider wraps entire app — populated on login
// Refreshed via GET /2fa/status on each settings screen visit

Login Flow State (in AuthContext)

interface LoginState {
  step: 'credentials' | '2fa_required' | '2fa_input' | 'authenticated';
  tempToken: string | null;
  requires2FA: boolean;
  availableMethods: ('totp' | 'webauthn' | 'backup')[];
  selectedMethod: string | null;
  attemptsRemaining: number;
  lockoutUntil: number | null;  // Unix timestamp
}

🔗 Deep Links & URI Handling

otpauth:// URI Format

otpauth://totp/eToro:user@email.com?secret=JBSWY3DPEHPK3PXP&issuer=eToro&algorithm=SHA1&digits=6&period=30

The app registers as a handler for otpauth:// URIs. When a user taps the URI (e.g., from an email), the app opens directly to the TOTP verification step.

App Deep Links

URI	Screen
`etoroplus://settings/2fa`	TwoFASettingsScreen
`etoroplus://settings/2fa/setup-totp`	TOTPSetupScreen
`etoroplus://settings/2fa/add-passkey`	WebAuthnSetupScreen
`etoroplus://settings/2fa/backup-codes`	BackupCodesScreen
`etoroplus://2fa/recovery?token=xxx`	RecoveryScreen

🫰 Biometric Integration

iOS (Face ID / Touch ID)

WebAuthn uses ASAuthorizationPlatformPublicKeyCredentialProvider
Passkeys synced via iCloud Keychain (cross-device)
Falls back to device PIN if biometric unavailable
Requires NSFaceIDUsageDescription in Info.plist

Android (Fingerprint / Face Unlock)

Uses FIDO2 API via Google Play Services
Passkeys synced via Google Password Manager
Requires android.permission.USE_BIOMETRIC
Minimum: Android 9+ (API 28) for FIDO2

react-native-keychain Usage

import * as Keychain from 'react-native-keychain';

// Store 2FA preference securely
await Keychain.setGenericPassword(
  'twofa_preference',
  JSON.stringify({ method: 'webauthn', skipUntil: Date.now() + 30 * 86400000 }),
  { service: 'com.etoro.plus.2fa', accessControl: Keychain.ACCESS_CONTROL.BIOMETRY_ANY }
);

// Check if biometric is available
const biometryType = await Keychain.getSupportedBiometryType();
// Returns: 'TouchID' | 'FaceID' | 'Fingerprint' | 'Face' | null

📦 Client Dependencies

Package	Version	Purpose	Platform
`@simplewebauthn/browser`	^10.0	WebAuthn client operations	Both
`react-native-camera`	^4.2	QR code scanning	Both
`react-native-keychain`	^8.2	Secure storage + biometric access	Both
`react-native-qrcode-svg`	^6.3	Render QR code for TOTP URI	Both
`react-native-clipboard`	^1.14	Copy secret / backup codes	Both
`react-native-haptic-feedback`	^2.2	Haptics on code entry / success	Both

⚠️ Error States & Edge Cases

Error UI Patterns

Error	UI Response
Invalid code	Shake animation + red border + haptic
Rate limited	Countdown timer, inputs disabled
Account locked	Full-screen lockout message + support link
Network error	Retry button + offline indicator
Biometric failed	"Try again" + fallback to TOTP
No backup codes left	Red warning + "Contact Support"

Edge Cases

App killed during TOTP setup → pending secret cleaned up after 10 min
Time drift on device → show warning if device clock >30s off
Multiple passkeys → show picker if >1 credential matches
Backup code with spaces/dashes → normalize before sending
Jailbroken/rooted device → show security warning, allow proceed
App backgrounded during WebAuthn → challenge valid for 120s

← Research · Architecture · Server SpecKit · Swagger →

Client SpecKit