Re: [webauthn] How long the relying party should maintain the challenge and related information? (#1848) from Matthew Miller via GitHub on 2023-02-08 (public-webauthn@w3.org from February 2023)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Wed, 08 Feb 2023 20:12:10 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1423181162-1675887129-sysbot+gh@w3.org>

I think in general we could suggest RP's allow challenges to be used _once_ within N minutes, because a user may walk away mid-ceremony and come back, and should be able to immediately re-attempt without needing to request new options. This has been our practical experience working with WebAuthn, mind you, and I suspect other RP's have done something similar without introducing any security issues into the auth flow.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1848#issuecomment-1423181162 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 8 February 2023 20:12:12 UTC