Re: [webauthn] Clarity on challenge length (#1803)

Correct, length is not enough but it is still an important factor. You can have a 2-byte challenge from the purest entropy money can buy, and that would be insufficient. You do need a minimum length, and there are production deployments that don't even meet the specification's recommendations today. Constraints are an important element in human interaction psychology, because without them people will make mistakes that have consequences. Introducing a minimum length constraint is good because it guides people to do the right thing.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1803#issuecomment-1258808604 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 27 September 2022 00:11:56 UTC
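
An added example, not part of the comment above or of any WebAuthn library: a relying-party helper that enforces a length floor when issuing and checking challenges, plus an audit that flags short or reused challenges in a constructed sample. The 16-byte floor is the minimum the WebAuthn specification recommends; the function names, the 32-byte default and the sample data are assumptions of this example.

```python
import base64
import hmac
import secrets
from collections import Counter

MIN_CHALLENGE_BYTES = 16      # minimum length the WebAuthn spec recommends
DEFAULT_CHALLENGE_BYTES = 32  # assumption: default chosen for this example


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_challenge(length: int = DEFAULT_CHALLENGE_BYTES) -> bytes:
    """Issue a challenge from the OS CSPRNG; refuse lengths below the floor."""
    if length < MIN_CHALLENGE_BYTES:
        raise ValueError(f"challenge must be >= {MIN_CHALLENGE_BYTES} bytes, got {length}")
    return secrets.token_bytes(length)


def challenge_matches(issued: bytes, echoed_b64url: str) -> bool:
    """Constant-time comparison of the issued challenge with the echoed one."""
    if len(issued) < MIN_CHALLENGE_BYTES:
        return False  # never accept a ceremony built on a short challenge
    return hmac.compare_digest(b64url(issued).encode(), echoed_b64url.encode())


def audit_challenges(observed: list[str]) -> dict[str, list[str]]:
    """Flag observed challenges (base64url) that are too short or reused.

    Reuse is reported separately because a challenge can pass the length
    check and still not be random.
    """
    findings = {}
    for text, seen in Counter(observed).items():
        raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
        issues = []
        if len(raw) < MIN_CHALLENGE_BYTES:
            issues.append(f"too short ({len(raw)} bytes)")
        if seen > 1:
            issues.append(f"reused {seen} times")
        if issues:
            findings[text] = issues
    return findings


# Constructed sample: a 2-byte challenge, a fixed 16-byte value issued twice,
# and one challenge produced by new_challenge().
SAMPLE = [b64url(b"\x00\x01"), b64url(b"A" * 16), b64url(b"A" * 16), b64url(new_challenge())]
```
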