Re: [webauthn] Low timeout bounds for inline bio enrollment of FIDO2 keys (#1286)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Aug 2019 20:58:05 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-525919860-1567025883-sysbot+gh@w3.org>

From the call of 2019-08-28:

As I understand it, the primary motivation for RPs wanting a timeout is in the traditional, U2F-like flow where a password is used to establish user verification and the security key touch is user presence (and anti-phishing). In this case, the time between the password and the touch matters because you want to ensure that it's the same person doing both.

However, that argument isn't at all clear for credential registration (and nor for assertions with UV). Therefore we might be able to set a high timeout floor for registrations without breaking anyone's timeout needs.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1286#issuecomment-525919860 using your GitHub account
Received on Wednesday, 28 August 2019 20:58:07 UTC
