Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856) from Fredrik Tolf via GitHub on 2023-02-25 (public-webauthn@w3.org from February 2023)

From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
Date: Sat, 25 Feb 2023 01:24:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1444867359-1677288240-sysbot+gh@w3.org>

>I'm only proposing it for conditional UI requests: [...]

All of your concerns are surely reasonable in practice, but if a challenge callback is going to be part of the spec, I think it should be technically possible to use it for both conditional and modal requests, if only for orthogonality reasons. If the browser wishes to request the challenge before displaying the UI, there should be nothing preventing that (outside of the timeout values used by the RP, of course).

-- 
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1444867359 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 25 February 2023 01:24:03 UTC