Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856)

@sbweeden I do realize that conditional mediation doesn't strictly *require* long-lived challenges, but it does seem to be the assumption. For example, [from this very GitHub project](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI):

> Timeout values should be ignored when using Conditional UI. This is because removing the credentials from the autofill list at an arbitrary time would make for poor UX, and the dialog is triggered directly by the user anyway.

Or [from Yubico's documentation](https://developers.yubico.com/WebAuthn/Concepts/Passkey_Autofill/):

> One of the primary reasons why traditional WebAuthn implementations don’t allow for this non-invasive prompt is due to the timeout of the WebAuthn ceremony. Typically a get() call will remain active for a short duration of time before timing out and requesting the user to trigger a new auth ceremony. Autofill has a longer timeout period, allowing a user to leisurely select their credential if one is available, without the need to reinvoke the authentication ceremony.

Or [from one of Apple's videos](https://developer.apple.com/videos/play/wwdc2022/10092/):

> When you make AutoFill-assisted requests, you should make them early in the page lifetime [...]. AutoFill requests are not modal, so they don't require a user gesture and have a much longer timeout.

I'm sure I could cite more that I've come across, but those are just the ones I remembered off the top of my head.

---

@Firstyear I'm sorry if I'm misunderstanding you, but the fact that conditional challenges are per-page-access rather than per-user is exactly the problem I'm trying to point out, because it means that you can request as many as you'd like, just as if you were using just as many tabs (or browser instances, or machines) to make simultaneous page accesses, and the server wouldn't be the wiser. So you could get as many as you need for "pre-play" signatures.

-- 
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1437753337 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 21 February 2023 01:55:40 UTC
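One server-side mitigation for the issuance pattern described in the comment, added here as an example (not code from the thread or from the WebAuthn project): a challenge registry that caps the number of live challenges per browsing session and makes each one single-use, so repeated page loads cannot build up an unbounded set of challenges to pre-sign. The 32-byte challenge size, the cap of two, the session identifiers and the `fake_client_data` helper are assumptions.

```python
import base64
import hmac
import json
import os
from collections import defaultdict, deque

# Assumed policy (not from the thread): 32 random bytes per challenge, at most two live per session.
CHALLENGE_BYTES = 32
MAX_OUTSTANDING = 2

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

class ChallengeStore:
    """Server-side registry of challenges handed out for navigator.credentials.get()."""

    def __init__(self, max_outstanding: int = MAX_OUTSTANDING):
        self.max_outstanding = max_outstanding
        self._by_session = defaultdict(deque)  # session id -> live challenges, oldest first

    def issue(self, session_id: str) -> str:
        """Mint a fresh random challenge; once the cap is hit the oldest one is dropped,
        so repeated page loads cannot accumulate an unbounded set of usable challenges."""
        challenge = b64url(os.urandom(CHALLENGE_BYTES))
        queue = self._by_session[session_id]
        queue.append(challenge)
        while len(queue) > self.max_outstanding:
            queue.popleft()
        return challenge

    def consume(self, session_id: str, client_data_json: bytes) -> bool:
        """Check the challenge echoed in clientDataJSON; each challenge is single use."""
        try:
            client_data = json.loads(client_data_json)
        except ValueError:
            return False
        if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
            return False
        presented = client_data.get("challenge")
        if not isinstance(presented, str) or not presented.isascii():
            return False
        queue = self._by_session.get(session_id, ())
        if not any(hmac.compare_digest(c, presented) for c in queue):
            return False
        queue.clear()  # one use consumes the whole session's queue: no second assertion
        return True

def fake_client_data(challenge: str, origin: str = "https://rp.example") -> bytes:
    """Constructed clientDataJSON in the shape a browser serialises it (test input only)."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
```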