ALLOWED_AUTHENTICATORS
Authenticators that satisfy the auth-validity window. Class 3 biometrics (StrongBiometric) gate the key the same way the device's own credential (PIN / pattern / password) does — we accept both so PIN works as a fallback when biometric isn't available (e.g. after too many failed fingerprint attempts).
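How such a constant is typically wired up, as an added example that is not the project's own code: the same authenticator set is applied to the Keystore key's auth-validity window and to the prompt that satisfies it. It assumes API 30+ and androidx.biometric; the constant's value, the key alias, the 30-second window and the function names are assumptions, since the page does not show them.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Assumed definition: the page names the constant but not its value.
const val ALLOWED_AUTHENTICATORS = BIOMETRIC_STRONG or DEVICE_CREDENTIAL

private const val KEY_ALIAS = "example_auth_bound_key" // hypothetical alias
private const val AUTH_VALIDITY_SECONDS = 30           // hypothetical window

// Key side: the key is usable for AUTH_VALIDITY_SECONDS after a successful
// Class 3 biometric OR device-credential authentication.
fun createAuthBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        // Must mirror ALLOWED_AUTHENTICATORS: if the key accepted only
        // AUTH_BIOMETRIC_STRONG, a PIN unlock would not open the window.
        .setUserAuthenticationParameters(
            AUTH_VALIDITY_SECONDS,
            KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL
        )
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Pre-flight check: true when at least one allowed authenticator is enrolled.
fun canUnlock(context: Context): Boolean =
    BiometricManager.from(context).canAuthenticate(ALLOWED_AUTHENTICATORS) ==
        BiometricManager.BIOMETRIC_SUCCESS

// Prompt side: no setNegativeButtonText(), which is rejected when
// DEVICE_CREDENTIAL is among the allowed authenticators.
fun unlockPromptInfo(): BiometricPrompt.PromptInfo =
    BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock key")
        .setAllowedAuthenticators(ALLOWED_AUTHENTICATORS)
        .build()
```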