W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2019

[webauthn] Low timeout bounds for inline bio enrollment of FIDO2 keys (#1286)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Tue, 27 Aug 2019 07:36:20 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-485638663-1566891378-sysbot+gh@w3.org>
akshayku has just created a new issue for https://github.com/w3c/webauthn:

== Low timeout bounds for inline bio enrollment of FIDO2 keys ==
We are looking into inline bio enrollment of FIDO2 keys during webauthn calls. Current time bound in webauthn is 15-120 seconds, which when we decided was a guess. Browsers have been hooked up to cancel the transaction when timeout happens. 

Many RPs don't configure the timeout, resulting in 15 seconds. Even 120 seconds is not enough given our user studies where user has to figure out which authenticator he/she wants to use, plug that in, setup PIN if not present, setup fingerprint which requires multiple samples. Last step also depends on how many samples authenticator wants. 

Want to take suggestions on what the typical timeout should be to support this case. I am thinking 180-300 seconds. 

Thoughts?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1286 using your GitHub account
Received on Tuesday, 27 August 2019 07:36:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:06 UTC