[webauthn] Pull Request: Recommend duration of challenge validity

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== Recommend duration of challenge validity ==
Fixes #1848.

Additions I also considered but decided against:

- Mentioning that the RP MAY enforce a shorter timeout if a shorter `options.timeout` is requested. I think the recommendation of a "similar" timeout probably communicates that this is a vague limit with a lot of wiggle room for such things.
- Recommending that challenges SHOULD NOT be valid past the recommended duration. This is softly implied, and doesn't seem necessary as this section comes from the angle of how long the RP _needs_ to store the challenge, so the RP probably prefers a short time already.
- Recommending allowing only a single verification attempt per challenge/ceremony. While probably a good idea, it shouldn't matter much in practice, and there might be reasons to allow retrying in some cases. It's also perhaps not entirely clear what "once per ceremony" means - once per `navigator.credentials.{create,get}()` call or once per session? - so it might be more confusing than helpful.

See https://github.com/w3c/webauthn/pull/1855
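To make the recommendation concrete, here is an added example of an RP-side challenge store (not code from the PR or the webauthn project) that keeps each challenge valid for roughly the same duration as the `options.timeout` it sent to the client, drops it afterwards, and offers single-use consumption as an optional strictness since the PR deliberately does not recommend it. The class, method names and timeout values are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical RP challenge store: validity mirrors the options.timeout the RP
# sends to the client, so the RP only needs to remember a challenge that long.
DEFAULT_TIMEOUT_MS = 300_000  # constructed default; matches a common options.timeout


@dataclass
class PendingChallenge:
    expires_at: float  # clock seconds at which the challenge stops being valid
    used: bool = False


class ChallengeStore:
    def __init__(self, clock=time.monotonic, single_use: bool = True):
        self._clock = clock            # injectable for deterministic tests
        self._single_use = single_use  # optional; the PR does not recommend it
        self._pending: dict[bytes, PendingChallenge] = {}

    def issue(self, timeout_ms: int = DEFAULT_TIMEOUT_MS) -> bytes:
        """Create a fresh challenge valid for about as long as the ceremony timeout."""
        challenge = secrets.token_bytes(32)  # spec asks for at least 16 random bytes
        self._pending[challenge] = PendingChallenge(
            expires_at=self._clock() + timeout_ms / 1000
        )
        return challenge

    def verify(self, challenge: bytes) -> bool:
        """Accept only a known, unexpired (and, if configured, unused) challenge."""
        entry = self._pending.get(challenge)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[challenge]  # nothing to keep past the validity window
            return False
        if self._single_use:
            if entry.used:
                return False
            entry.used = True
        return True

    def purge_expired(self) -> int:
        """Housekeeping: forget challenges whose window has passed; returns count removed."""
        now = self._clock()
        stale = [c for c, e in self._pending.items() if now > e.expires_at]
        for c in stale:
            del self._pending[c]
        return len(stale)
```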


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 20 February 2023 10:50:06 UTC