Severity
Sev1 — High
Description
The MetaMask mobile app previously prompted the user to enable biometric authentication (Face ID / Touch ID / fingerprint) immediately after creating their wallet password during onboarding. In the latest build, this biometric opt-in prompt no longer appears.
This is a critical regression because:
- Users are not given the opportunity to enable biometrics during the most natural point in the flow (account creation).
Steps to Reproduce
- Install the latest MetaMask mobile app build.
- Open the app and begin the Create a new wallet flow.
- Set a wallet password and confirm it.
- Proceed through the Secret Recovery Phrase backup steps.
- Complete onboarding.
Expected Behavior
After the user creates and confirms their password, the app should display a prompt asking whether they want to enable biometric authentication (e.g., "Enable Face ID?" / "Enable biometric login?"). This prompt was consistently present in prior releases.
Actual Behavior
The biometric authentication prompt is not shown at any point during or after password creation. The user completes onboarding without ever being asked to enable biometrics.
Environment
- App: MetaMask Mobile (latest build)
- OS: iOS and Android (both affected)
Impact
- All new users who go through the wallet creation flow are affected.
- Users are left without biometric unlock unless they manually navigate to Settings > Security & Privacy and enable it themselves.
- Reduces security posture and convenience for the majority of mobile users.
Probable Root Cause
This regression was likely introduced in PR #24496 (commit 18232e8), which refactored the Login screen to replace userEntryAuth and appTriggeredAuth with the consolidated unlockWallet method.
While the PR was scoped to the Login screen, it also made changes to shared core modules that affect the onboarding flow:
- SecureKeychain.ts (-64 lines): Removed "iOS immediate prompt logic" and "storage side-effects." Since SecureKeychain is shared infrastructure used by both Login and onboarding, removing the immediate biometric prompt logic likely broke the onboarding flow's ability to trigger the biometric opt-in.
- SecureKeychain.test.ts (-90 lines): Removed test coverage for the biometric prompt behavior, eliminating the safety net that would have caught this regression.
- The PR description explicitly states: "we removed a redundant biometrics prompt when FIRST enabling biometrics toggle upon logging in" — this was intentional for Login, but the side effect on onboarding appears unintentional.
- The manual testing steps in the PR only validated the Login flow; the onboarding/password-creation flow was never tested for biometric prompt behavior.
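As an added illustration (not MetaMask code; every name, type and function below is hypothetical), the following TypeScript model shows the shared-helper dependency the root-cause analysis describes: one keychain helper used by both the Login screen and the onboarding password-creation flow, where only onboarding is supposed to show the biometric opt-in prompt. The prompt is an explicit per-caller option instead of implicit shared behaviour, and two small checks cover both call sites, which is the kind of safety net the removed tests provided.

```typescript
// Added illustration, not MetaMask code. All names are hypothetical.
// Models the dependency the issue describes: one shared keychain helper
// used by both the Login screen and the onboarding (password creation) flow,
// where only onboarding is supposed to show the biometric opt-in prompt.

export type BiometryType = 'FaceID' | 'TouchID' | 'Fingerprint' | null;

export interface KeychainBackend {
  getSupportedBiometryType(): BiometryType;
  storePassword(password: string, withBiometrics: boolean): void;
}

export interface OptInPrompt {
  askEnableBiometrics(kind: Exclude<BiometryType, null>): boolean;
}

export interface StoreResult {
  prompted: boolean;
  biometricsEnabled: boolean;
}

// Shared helper. Offering the opt-in prompt is an explicit per-caller option,
// so removing it for one caller cannot silently remove it for another.
export function storeWalletPassword(
  backend: KeychainBackend,
  prompt: OptInPrompt,
  password: string,
  options: { offerBiometricsOptIn: boolean },
): StoreResult {
  const kind = backend.getSupportedBiometryType();
  if (!options.offerBiometricsOptIn || kind === null) {
    // No prompt: either this caller opted out or the device has no biometry.
    backend.storePassword(password, false);
    return { prompted: false, biometricsEnabled: false };
  }
  const accepted = prompt.askEnableBiometrics(kind);
  backend.storePassword(password, accepted);
  return { prompted: true, biometricsEnabled: accepted };
}

// Onboarding: a brand-new wallet, so the user must be offered biometrics here.
export function onboardingCreatePassword(
  backend: KeychainBackend, prompt: OptInPrompt, password: string,
): StoreResult {
  return storeWalletPassword(backend, prompt, password, { offerBiometricsOptIn: true });
}

// Login: the wallet already exists; re-prompting here would be the redundant
// prompt the PR removed, and the toggle stays available under Settings.
export function loginUnlock(
  backend: KeychainBackend, prompt: OptInPrompt, password: string,
): StoreResult {
  return storeWalletPassword(backend, prompt, password, { offerBiometricsOptIn: false });
}

// Constructed in-memory fakes so the example runs offline.
export class FakeBackend implements KeychainBackend {
  public storedWithBiometrics: boolean | null = null;
  private readonly biometry: BiometryType;
  constructor(biometry: BiometryType) { this.biometry = biometry; }
  getSupportedBiometryType(): BiometryType { return this.biometry; }
  storePassword(_password: string, withBiometrics: boolean): void {
    this.storedWithBiometrics = withBiometrics;
  }
}

export class RecordingPrompt implements OptInPrompt {
  public shown: string[] = [];
  private readonly answer: boolean;
  constructor(answer: boolean) { this.answer = answer; }
  askEnableBiometrics(kind: Exclude<BiometryType, null>): boolean {
    this.shown.push(kind);
    return this.answer;
  }
}

// The regression check the issue says was lost: onboarding on a Face ID device
// must show the prompt exactly once, and accepting it must store the password
// with biometrics enabled.
export function onboardingStillPrompts(): boolean {
  const backend = new FakeBackend('FaceID');
  const prompt = new RecordingPrompt(true);
  const result = onboardingCreatePassword(backend, prompt, 'constructed-sample-password');
  return result.prompted && result.biometricsEnabled
    && backend.storedWithBiometrics === true && prompt.shown.length === 1;
}

// Companion check: the Login path must not regain the redundant prompt.
export function loginDoesNotPrompt(): boolean {
  const backend = new FakeBackend('FaceID');
  const prompt = new RecordingPrompt(true);
  const result = loginUnlock(backend, prompt, 'constructed-sample-password');
  return !result.prompted && prompt.shown.length === 0
    && backend.storedWithBiometrics === false;
}
```

Keeping one check per call site means a change scoped to Login (such as dropping its prompt) fails the onboarding check immediately if it reaches into the shared helper, which is the gap the removed SecureKeychain.test.ts coverage left open.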
Additional Context
- The biometric prompt during onboarding was consistently present in releases prior to this change.
- No user-facing changelog entry mentions the removal of this prompt, further suggesting it was unintentional.
- The PR's empty CHANGELOG entry: field indicates no user-facing behavioral changes were planned.