Hacker News

To be honest I feel like biometric app unlock has largely made the need for the short-token banking experience obsolete. I don’t want to change my credential every 15 minutes, I just want my bank app to verify my biometrics on sensitive operations. The only real reason for short-lived bearer “tokens” these days is so you can deploy them in scenarios without revocation lists.


This is how the banking app my team built works -- on Android/iOS devices a hardware-backed keypair is generated and when a login is needed, the keychain is unlocked using local biometrics to perform a signing operation which authenticates the user.

There's a bit more to it than that because we support remote attestation, and you only get a read-only token until you've performed remote attestation (which generally happens quickly).

edit: The authentication results in a short-lived token (5m), a refresh token (20m), but can be re-authenticated with the keypair challenge at any time.
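The flow the comment above describes, written out as an added example (this is not the commenter's code or their bank's implementation): the server hands the app a one-time nonce, the app signs it with a device-bound key that is only usable after the biometric prompt, and the server verifies the signature against the public key enrolled for that device before issuing a 5-minute access token and a 20-minute refresh token. Assumptions made here: a P-256 key generated in software stands in for the Android Keystore / Secure Enclave key, the biometric prompt is a boolean callback, the remote-attestation verdict is stubbed by `MarkAttested` (the attestation protocol itself is not shown), and the 60-second challenge lifetime is an arbitrary choice. Token lifetimes and the read-only-until-attested scope come from the comment.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Device is the server's record of an enrolled app install: the public half of the
// hardware-backed keypair, plus whether remote attestation has succeeded yet.
type Device struct{ PubKey *ecdsa.PublicKey; Attested bool }

// Challenge is a one-time nonce with a short expiry; Token is what a login yields.
type Challenge struct{ Nonce []byte; Expires time.Time; Used bool }
type Token struct {
	Value, Scope string // Scope is "read-only" until attested, then "full"
	Expires      time.Time
}

type Server struct {
	devices    map[string]*Device
	challenges map[string]*Challenge
	now        func() time.Time // injectable clock so expiry can be tested
}

func NewServer(now func() time.Time) *Server {
	return &Server{devices: map[string]*Device{}, challenges: map[string]*Challenge{}, now: now}
}
func (s *Server) Enroll(id string, pub *ecdsa.PublicKey) { s.devices[id] = &Device{PubKey: pub} }

// MarkAttested stands in for a successful remote-attestation verdict (not shown here).
func (s *Server) MarkAttested(id string) { s.devices[id].Attested = true }

// IssueChallenge returns a fresh 32-byte nonce valid for 60 seconds (assumed lifetime).
func (s *Server) IssueChallenge(id string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	s.challenges[id] = &Challenge{Nonce: nonce, Expires: s.now().Add(60 * time.Second)}
	return nonce
}

// challengeDigest binds the signed bytes to a protocol label and the device id so a
// signature cannot be replayed for another device or reused for another purpose.
func challengeDigest(id string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte("bank-login-challenge-v1|"+id+"|"), nonce...))
	return h[:]
}

func randomHex(n int) string { b := make([]byte, n); rand.Read(b); return hex.EncodeToString(b) }

// Login consumes the outstanding challenge, verifies the device signature, and issues
// a 5-minute access token and a 20-minute refresh token (the lifetimes from the comment).
func (s *Server) Login(id string, nonce, sig []byte) (access, refresh Token, err error) {
	dev, ok := s.devices[id]
	ch := s.challenges[id]
	if !ok || ch == nil || ch.Used || s.now().After(ch.Expires) || !bytes.Equal(ch.Nonce, nonce) {
		return access, refresh, errors.New("challenge missing, expired, or already used")
	}
	ch.Used = true // burn the nonce even if the signature turns out to be bad
	if !ecdsa.VerifyASN1(dev.PubKey, challengeDigest(id, nonce), sig) {
		return access, refresh, errors.New("bad signature")
	}
	scope := "read-only"
	if dev.Attested { scope = "full" }
	now := s.now()
	access = Token{Value: randomHex(16), Scope: scope, Expires: now.Add(5 * time.Minute)}
	refresh = Token{Value: randomHex(16), Scope: scope, Expires: now.Add(20 * time.Minute)}
	return access, refresh, nil
}

// DeviceClient models the app: a P-256 key standing in for the Keystore/Secure Enclave
// key, which is only usable for signing after the OS biometric prompt succeeds.
type DeviceClient struct {
	ID          string
	priv        *ecdsa.PrivateKey
	biometricOK func() bool // stands in for the biometric prompt (assumed interface)
}

func NewDeviceClient(id string, biometricOK func() bool) *DeviceClient {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &DeviceClient{ID: id, priv: priv, biometricOK: biometricOK}
}
func (c *DeviceClient) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Answer signs the challenge digest, but only if the biometric check passes.
func (c *DeviceClient) Answer(nonce []byte) ([]byte, error) {
	if !c.biometricOK() {
		return nil, errors.New("biometric prompt failed or cancelled")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, challengeDigest(c.ID, nonce))
}
```

Usage: enroll the device's public key, call `IssueChallenge`, have the client `Answer` it, then `Login`. A replayed nonce, an expired challenge, or a signature from a key other than the enrolled one all fail, and the access token carries `read-only` scope until `MarkAttested` has been called for that device. Because the private key never leaves the device and the server only ever stores a public key, a server-side database leak yields nothing an attacker can log in with, which is the property that lets the bearer tokens stay short-lived without users re-entering a credential.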



