- From: Akshay Kumar <Akshay.Kumar@microsoft.com>
- Date: Mon, 30 Oct 2023 08:13:16 +0000
- To: Nina Satragno <nso@google.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
- Message-ID: <PSAP153MB048821FACBAE5DDE9F73221186A1A@PSAP153MB0488.APCP153.PROD.OUTLOOK.COM>
Nina,

We recently changed the timeout range to 5-10 mins in the WebAuthn spec. Can we update Chrome to have a minimum timeout of 5 mins?

Thanks,
Akshay

________________________________
From: Nina Satragno <nso@google.com>
Sent: Friday, October 27, 2023 11:17 AM
To: public-webauthn@w3.org <public-webauthn@w3.org>
Subject: [EXTERNAL] WebAuthn timeout changes in Chrome M120

Web Authentication WG,

Starting on M120, Chrome will be making some changes to how timeouts<https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-timeout> are treated in WebAuthn requests to provide better accessibility<https://w3c.github.io/webauthn/#sctn-accessiblility-considerations>.

* The minimum timeout is increased from 10 seconds to 3 minutes.
* The maximum timeout is increased from 10 minutes to 20 hours.
* The default timeout if left unspecified still matches the maximum timeout (so now it will be 20 hours).

This change improves the default experience for everyone, while maintaining the ability for relying parties to signal that an assertion will not be accepted past a reasonable time frame.

If there is an active virtual authenticator, the limits are waived. This lets developers write tests exercising short timeouts without having to wait for the minimum timeout. This was already the case, but it feels more important now that the minimum has increased.

Happy hacking,
--
Nina Satragno
she/they
Received on Monday, 30 October 2023 08:13:29 UTC
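
Added example, not part of the thread and not Chrome's code: a small model of the M120 limits listed in the quoted announcement, next to a relying-party check showing why a short acceptance window still has to be enforced on the server once the client raises a short timeout to the 3-minute minimum. The names `effectiveTimeoutMs`, `challengeAccepted` and `scenario`, and the idea of a server-side challenge age check, are assumptions made for illustration.

```javascript
// Model of the limits stated in the announcement (an illustration, not Chrome source).
const MIN_TIMEOUT_MS = 3 * 60 * 1000;        // minimum: 3 minutes
const MAX_TIMEOUT_MS = 20 * 60 * 60 * 1000;  // maximum: 20 hours

// Timeout the client would apply to a requested `timeout` value.
function effectiveTimeoutMs(requestedMs, { virtualAuthenticator = false } = {}) {
  if (requestedMs === undefined) return MAX_TIMEOUT_MS;  // default matches the maximum
  if (virtualAuthenticator) return requestedMs;          // limits are waived for tests
  return Math.min(Math.max(requestedMs, MIN_TIMEOUT_MS), MAX_TIMEOUT_MS);
}

// Hypothetical relying-party check: the server decides how long a challenge
// it issued stays acceptable, independent of the client-side timeout.
function challengeAccepted(issuedAtMs, nowMs, acceptWindowMs) {
  const ageMs = nowMs - issuedAtMs;
  return ageMs >= 0 && ageMs <= acceptWindowMs;
}

// Constructed scenario: the RP asks for 60 s, the user responds after 150 s.
function scenario() {
  const requestedMs = 60 * 1000;
  const clientLimitMs = effectiveTimeoutMs(requestedMs);
  const issuedAtMs = 0;
  const responseAtMs = 150 * 1000;
  return {
    clientLimitMs,
    // The ceremony is still open in the browser after 150 s ...
    ceremonyStillOpen: responseAtMs <= clientLimitMs,
    // ... so only the server-side window rejects the late assertion.
    serverAccepts: challengeAccepted(issuedAtMs, responseAtMs, requestedMs),
  };
}

console.log(scenario());
```
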