--- taskmaster_id: "4.5" status: "done" priority: "high" depends_on: ["2"] parent_id: "4" source: "taskmaster" generated_at: "2026-05-24T07:26:29.052Z" --- # 4.5 - Decide session, passkey, and admin step-up architecture - [x] 4.5 - Decide session, passkey, and admin step-up architecture #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-5 ⛔ tm-2 ## Metadata | Field | Value | | --- | --- | | Taskmaster ID | 4.5 | | Status | done | | Priority | high | | Dependencies | 2 | | Parent | 4 - Define backend security and refactor strategy from latest audit | ## Description Choose browser session model and high-risk admin authentication requirements. ## Details Completed. Produced `09 - Audits/Session and Authentication Architecture Decision.md`. Decide localStorage versus httpOnly cookies, access/refresh token lifetimes, CSRF strategy, refresh rotation, WebAuthn requirements, OAuth requirements, device/session revocation, and whether payouts/role changes require step-up authentication or two-person approval. ## Verification Decision record lists chosen model, rejected alternatives, migration cost, and required implementation tasks.