Re: [webauthn] Low timeout bounds for inline bio enrollment of FIDO2 keys (#1286)

From the call of 2019-08-28:

As I understand it, the primary motivation for RPs wanting a timeout is in the traditional, U2F-like flow where a password is used to establish user verification and the security key touch is user presence (and anti-phishing). In this case, the time between the password and the touch matters because you want to ensure that it's the same person doing both.

However, that argument isn't at all clear for credential registration (nor for assertions with UV). Therefore we might be able to set a high timeout floor for registrations without breaking anyone's timeout needs.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1286#issuecomment-525919860 using your GitHub account

Received on Wednesday, 28 August 2019 20:58:07 UTC