WebAuthn timeout changes in Chrome M120

Web Authentication WG,

Starting on M120, Chrome will be making some changes to how timeouts
<https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-timeout>
are treated in WebAuthn requests to provide better accessibility
<https://w3c.github.io/webauthn/#sctn-accessiblility-considerations>.

   - The minimum timeout is increased from 10 seconds to 3 minutes.
   - The maximum timeout is increased from 10 minutes to 20 hours.
   - The default timeout if left unspecified still matches the maximum
     timeout (so now it will be 20 hours).

This change improves the default experience for everyone, while maintaining
the ability for relying parties to signal that an assertion will not be
accepted past a reasonable time frame.

If there is an active virtual authenticator, the limits are waived. This
lets developers write tests exercising short timeouts without having to
wait for the minimum timeout. This was already the case, but it feels more
important now that the minimum has increased.

Happy hacking,
-- 
Nina Satragno
she/they

Received on Friday, 27 October 2023 18:17:50 UTC
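
Added example, not part of the original message and not Chrome's code: a small model of the limits listed above, paired with a relying-party check that enforces its own challenge lifetime, since the WebAuthn timeout option is a hint the client may override. All function and variable names are hypothetical, and the sample challenge id and timings are constructed.

```javascript
// Limit values are taken from the announcement; everything else is illustrative.
const MINUTE = 60 * 1000, HOUR = 60 * MINUTE;
const LIMITS = {
  preM120: { minMs: 10 * 1000, maxMs: 10 * MINUTE },
  m120: { minMs: 3 * MINUTE, maxMs: 20 * HOUR },
};

// Models how the requested timeout is treated under a given set of limits.
// Assumption: with a virtual authenticator the requested value is used as-is.
function effectiveTimeoutMs(requestedMs, limits, virtualAuthenticator = false) {
  if (requestedMs === undefined) return limits.maxMs; // default matches the maximum
  if (virtualAuthenticator) return requestedMs; // limits are waived for tests
  return Math.min(Math.max(requestedMs, limits.minMs), limits.maxMs);
}

// Server side: record when the challenge was issued and the RP's own lifetime.
function issueChallenge(store, challengeId, nowMs, ttlMs) {
  store.set(challengeId, { issuedAtMs: nowMs, ttlMs });
}

// Single use and time bound: remove on first lookup, then check the age.
function consumeChallenge(store, challengeId, nowMs) {
  const rec = store.get(challengeId);
  if (!rec) return { ok: false, reason: "unknown-or-reused" };
  store.delete(challengeId);
  if (nowMs - rec.issuedAtMs > rec.ttlMs) return { ok: false, reason: "expired" };
  return { ok: true, reason: null };
}

// Constructed scenario: the RP asks for 60 s and the response arrives after 150 s,
// which is inside the 3-minute client window but past the RP's own lifetime.
function demo() {
  const store = new Map();
  const rpTimeoutMs = 60 * 1000;
  issueChallenge(store, "constructed-challenge-1", 0, rpTimeoutMs);
  const clientWindowMs = effectiveTimeoutMs(rpTimeoutMs, LIMITS.m120);
  const result = consumeChallenge(store, "constructed-challenge-1", 150 * 1000);
  return { clientWindowMs, result };
}

console.log(demo());
```
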