Timeouts and WebAuthn

Hi Folks,

We have an outstanding question<https://github.com/w3c/wcag/issues/1885> on Accessibility Authentication, which is:

If a login with WebAuthn is used to pass Accessible Authentication, does that pass 2.2.1 Timing<https://www.w3.org/WAI/WCAG21/Understanding/timing-adjustable.html>?

If you log in with WebAuthn, there is a timeout setting that defaults to 5 minutes:
https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredentialcreationoptions-timeout

From the timing understanding doc, it goes into detail trying to differentiate the 'content' from server-side/internet time-outs: "Time limits set externally to content, such as by the user agent or by factors intrinsic to the Internet are not under the author's control and not subject to WCAG conformance requirements."

As far as I can tell, the website content is what sets the limit (in WebAuthn it is the "Relying Party Server").

My understanding of the scenario is that:

  *   You arrive at a login page;
  *   You start the login process, essentially selecting a button;
  *   You have 5 minutes (by default) to authenticate with your device (e.g. type in a PIN, facial recognition);
  *   If you manage to, you are logged in.
  *   If you do not manage to, you have to hit the button again to start the process, and restart the 5 minutes.

So the impact of not authenticating with your device in time is minimal, arguably less than having to hit a dialogue warning you of being logged out.

Given that you are not logged out, could hitting the button again count as extending the time?

Kind regards,

-Alastair

--

@alastc / www.nomensa.com<http://www.nomensa.com>

Received on Tuesday, 13 July 2021 20:56:28 UTC
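
The button-press, timeout and retry flow described in the message, sketched as an added example that is not part of the original message or of any W3C specification text. `credentials` stands in for `navigator.credentials`, `fetchChallenge` is a hypothetical call to the relying party server, and the 5-minute value is the one the message states.

```javascript
// Added example, not from the original message. `credentials` stands in for
// navigator.credentials; `fetchChallenge` is a hypothetical call to the
// relying party server that returns fresh challenge bytes.

const FIVE_MINUTES_MS = 5 * 60 * 1000; // the limit described in the message

function createLoginFlow(credentials, fetchChallenge, timeoutMs = FIVE_MINUTES_MS) {
  let attempts = 0;

  // Call this from the login button's click handler: one press, one ceremony.
  async function press() {
    attempts += 1;
    // A new challenge per press, so a retry never reuses one that has expired.
    const challenge = await fetchChallenge();
    const options = {
      publicKey: {
        challenge,
        timeout: timeoutMs, // milliseconds; a hint the user agent may override
        userVerification: "preferred",
      },
    };
    try {
      const assertion = await credentials.get(options);
      return { status: "authenticated", attempts, assertion };
    } catch (err) {
      // A timeout and a user cancel both reject with NotAllowedError, so the
      // page cannot tell them apart; it stays on the login page either way.
      if (err && err.name === "NotAllowedError") {
        return {
          status: "retry",
          attempts,
          message: "Sign-in was not completed. Select the button to try again.",
        };
      }
      return { status: "error", attempts, message: String(err && err.message) };
    }
  }

  return { press };
}
```

The server-side lifetime of each challenge should be at least as long as the `timeout` sent to the browser, otherwise a user who finishes late in the window is rejected by the server rather than by the timer.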