Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856)

@dolda2000 When you say "very long-lived", what do you mean in concrete terms? Minutes, hours, days, months?

I'm guessing that when most of those resources say "long timeout" they mean something like 15 minutes at most - as opposed to the maybe 1 or 2 minutes one might have in second factor authentication flows. While ~15 minutes is long enough that memory exhaustion attacks could be an issue, it's short enough to prevent most "pre-play" attacks.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1438134048 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 21 February 2023 09:22:37 UTC
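The trade-off emlun describes (a challenge lifetime long enough to be usable, short enough to limit "pre-play" of a challenge obtained in advance, and a bounded store so outstanding challenges cannot exhaust memory) is easy to show in relying-party code. The block below is an added example written for this page; it is not code from the thread, from the webauthn specification, or from any library. It assumes an in-memory single-process store, a 32-byte CSPRNG challenge, an injectable clock so the scenarios run without waiting, and a hypothetical `context` tuple (user plus ceremony) that a real deployment would tie to the session. The TTLs used in `run_scenario` are the ~2 minute second-factor and ~15 minute values from the comment, chosen here only to illustrate.

```python
import base64
import secrets
import time
from collections import OrderedDict


class ChallengeStore:
    """Hypothetical relying-party challenge store (example only).

    Each challenge is fresh CSPRNG output, bound to a context, single use,
    and discarded after ttl_seconds.  The store is capped at max_entries so a
    client that keeps starting ceremonies cannot grow it without bound.
    """

    def __init__(self, ttl_seconds=120, max_entries=10000, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self.clock = clock          # injectable for the scenarios below
        self._entries = OrderedDict()   # challenge bytes -> (expiry, context)

    def __len__(self):
        return len(self._entries)

    def _evict_expired(self):
        now = self.clock()
        for c in [c for c, (exp, _) in self._entries.items() if exp < now]:
            del self._entries[c]

    def issue(self, context):
        self._evict_expired()
        # Memory bound: when full, drop the oldest outstanding challenge
        # (the user simply has to restart that ceremony).
        if len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)
        challenge = secrets.token_bytes(32)   # spec asks for at least 16 random bytes
        self._entries[challenge] = (self.clock() + self.ttl, context)
        return challenge

    def consume(self, challenge, context):
        """Accept a challenge exactly once, only if unexpired and context-bound."""
        entry = self._entries.pop(challenge, None)   # pop => single use
        if entry is None:
            return False        # unknown, already used, evicted, or expired-and-evicted
        expiry, issued_context = entry
        if self.clock() > expiry:
            return False        # presented after its lifetime ended
        if issued_context != context:
            return False        # challenge issued for a different user/ceremony
        return True


def to_wire(challenge):
    """base64url without padding, as clientDataJSON carries it."""
    return base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()


def from_wire(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FakeClock:
    """Constructed clock so the scenarios do not sleep."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario(ttl_seconds, delay_seconds):
    """Issue one challenge, wait delay_seconds, present it twice.

    Returns (first_presentation_accepted, replay_accepted).  A challenge
    captured early and presented after its lifetime ("pre-play") fails the
    first check; a second presentation always fails the single-use check.
    """
    clock = FakeClock()
    store = ChallengeStore(ttl_seconds=ttl_seconds, clock=clock)
    ctx = ("user-1", "webauthn.get")     # constructed context
    challenge = store.issue(ctx)
    clock.advance(delay_seconds)
    first = store.consume(from_wire(to_wire(challenge)), ctx)
    replay = store.consume(challenge, ctx)
    return first, replay


def memory_bound_demo(max_entries, issued):
    """Issue `issued` challenges into a store capped at max_entries.

    Returns (entries_kept, first_challenge_still_valid).
    """
    store = ChallengeStore(ttl_seconds=900, max_entries=max_entries, clock=FakeClock())
    ctx = ("user-1", "webauthn.get")
    first = store.issue(ctx)
    for _ in range(issued - 1):
        store.issue(ctx)
    return len(store), store.consume(first, ctx)


if __name__ == "__main__":
    print("2 min TTL, used after 1 min :", run_scenario(120, 60))
    print("2 min TTL, used after 15 min:", run_scenario(120, 900))
    print("15 min TTL, used after 10 min:", run_scenario(900, 600))
    print("cap 4, 10 issued:", memory_bound_demo(4, 10))
```

The single-use `pop` is what defeats replay regardless of TTL; the TTL only limits how far ahead a challenge can be obtained and held, which is why a longer window trades a little pre-play exposure for fewer timeouts, and the cap keeps that longer window from turning into a memory-exhaustion vector.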