Re: Timeouts and WebauthN

Hi Alastair

This is a brainstorm without deep knowledge of the details of WebAuthn.

The language of the SC says "For each time limit that is *set by the
content*, at least one of the following is true..."
Strictly speaking, in the bullets for the SC there doesn't seem to be a
passing provision where the user is timed out but can easily restart the
timer. We could add that in WCAG 2.2. Now perhaps an author could argue in
court (or to an evaluator) that it really is as easy as hitting a "do you
need more time" button, which would make the evaluator or judge say "OK, it
passes the spirit of the SC if not the letter of the SC". I think we all
want it to pass, and WebAuthn didn't exist in 2008, but the strict text
doesn't seem to allow that scenario.

As far as conforming to the existing language in 2.1 and 2.0:
digging around the WebAuthn spec, I see this section:
https://www.w3.org/TR/webauthn-2/#sctn-sample-registration
It appears the author can set the timeout. I'm not sure where this code
lives.

  timeout: 360000,  // 6 minutes
  excludeCredentials: [
    // Don't re-register any authenticator that has one of these credentials
    {"id": Uint8Array.from(window.atob("ufJWp8YGlibm1Kd9XQBWN1WAw2jy5In2Xhon9HAqcXE="), c=>c.charCodeAt(0)), "type": "public-key"},
    {"id": Uint8Array.from(window.atob("E/e1dhZc++mIsz4f9hb6NifAzJpF1V4mEtRlIPBiWdY="), c=>c.charCodeAt(0)), "type": "public-key"}
  ],


If WebAuthn defaults to 5 minutes (or 6 minutes), one way to pass would be to
extend that to 50 minutes or 60 minutes in this code. But that could make
security people nervous if it was given to every user. Perhaps there is a
way to link a button to that bit of code to extend it.

Not proposing a solution here, just trying to look at options for
approaches. Here's what I see as our options:

   1. Change the text of Timing Adjustable for 2.2
   2. Provide two techniques for meeting the current language: (1) extend it
   in the code; (2) link a button to that code to extend it on a button press
   3. Fudge with the Understanding to say that an "easy" restart of the
   process is close enough to an extension of the timeout that we will accept
   it as a pass (a little risky to take that approach)

Cheers,
David MacDonald



CanAdapt Solutions Inc.
Mobile:  613.806.9005

LinkedIn
<http://www.linkedin.com/in/davidmacdonald100>

twitter.com/davidmacd

GitHub <https://github.com/DavidMacDonald>

www.Can-Adapt.com <http://www.can-adapt.com/>



Adapting the web to all users
Including those with disabilities

If you are not the intended recipient, please review our privacy policy
<http://www.davidmacd.com/disclaimer.html>
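As an added illustration of option 2 above (code written for this reply, not from the thread or the WebAuthn spec): a relying-party client helper that starts the assertion ceremony with the 5-minute default and, when it expires, lets an assumed "I need more time" button restart it with the same timeout, bounded by a restart cap so the window is not open-ended. The credential call, the challenge fetch and the button prompt are injected hooks, so it runs outside a browser on constructed test doubles.

```javascript
// Added example (not from the thread or the WebAuthn spec): a relying party's client-side
// login helper. The ceremony starts with the default timeout; when it expires, an assumed
// "I need more time" button restarts it with the same timeout, up to a cap.
const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // the 5-minute default the thread discusses
const MAX_RESTARTS = 10; // bounded so no user gets an open-ended window
// Request options for one attempt; only the challenge changes between attempts.
function buildRequestOptions(challenge, rpId, timeoutMs) {
  return { publicKey: { challenge, rpId, timeout: timeoutMs, userVerification: "preferred" } };
}
// An expired timeout surfaces as a DOMException named "NotAllowedError"; user cancellation
// uses the same name, which is why the user is asked before any retry.
function isTimeoutOrCancel(err) {
  return Boolean(err) && err.name === "NotAllowedError";
}

// getCredential: navigator.credentials.get (injected so this runs outside a browser).
// fetchChallenge: fresh server challenge per attempt; the server-side challenge lifetime
//   must be at least the client timeout or the restart fails at verification.
// askForMoreTime: resolves true when the user activates the restart button.
async function authenticate({ getCredential, fetchChallenge, askForMoreTime, rpId,
                              timeoutMs = DEFAULT_TIMEOUT_MS, maxRestarts = MAX_RESTARTS }) {
  let restarts = 0;
  for (;;) {
    try {
      const opts = buildRequestOptions(await fetchChallenge(), rpId, timeoutMs);
      return { assertion: await getCredential(opts), restarts };
    } catch (err) {
      if (!isTimeoutOrCancel(err)) throw err; // anything else is a real failure
      if (restarts >= maxRestarts || !(await askForMoreTime())) return { assertion: null, restarts };
      restarts += 1; // the button press restarts the timer: one more ceremony, same length
    }
  }
}

// Constructed test double: fails with a timeout `failures` times, then succeeds.
function makeFakeGet(failures) {
  let calls = 0;
  return async (opts) => {
    calls += 1;
    if (calls <= failures) { const e = new Error("timed out"); e.name = "NotAllowedError"; throw e; }
    return { id: "constructed-credential-id", timeoutUsed: opts.publicKey.timeout };
  };
}
const fakeChallenge = async () => new Uint8Array(32); // constructed placeholder, not a real challenge

// Stand-alone demo: two timeouts, two button presses, the third attempt succeeds.
authenticate({ getCredential: makeFakeGet(2), fetchChallenge: fakeChallenge,
               askForMoreTime: async () => true, rpId: "example.com" })
  .then((r) => console.log(`restarts=${r.restarts} credential=${r.assertion && r.assertion.id}`));
```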


On Tue, Jul 13, 2021 at 5:15 PM Korn, Peter <pkorn@lab126.com> wrote:

> Alastair,
>
> If the effect is the same as extending the time, and is less effort than
> dealing with a dialogue which interrupts your flow and has to be read and
> consumed, I think it absolutely should be sufficient to satisfy this
> criterion. We did a similar analysis with the Solaris login, where any
> keyboard press to enter the next character of your username or password
> reset the timeout. So as long as the user didn't take more than some number
> of minutes to enter their next character, they would be able to get through
> the login process more easily than if they had to get a warning message,
> and deal with that dialogue, and dismiss it, within that same timeout
> period.
>
> Regards,
>
> Peter
>
> From: Alastair Campbell <acampbell@nomensa.com>
> Sent: Tuesday, July 13, 2021 1:56 PM
> To: WCAG list (w3c-wai-gl@w3.org) <w3c-wai-gl@w3.org>
> Subject: [EXTERNAL] Timeouts and WebauthN
>
> Hi Folks,
>
> We have an outstanding question <https://github.com/w3c/wcag/issues/1885>
> on Accessibility Authentication, which is:
>
> If a login with WebauthN is used to pass Accessible Authentication, does
> that pass 2.2.1 Timing
> <https://www.w3.org/WAI/WCAG21/Understanding/timing-adjustable.html>?
>
> If you login with WebauthN, there is a timeout setting that defaults to 5
> minutes:
> https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredentialcreationoptions-timeout
>
> From the timing understanding doc, it goes into detail trying to
> differentiate the 'content' from server-side/internet time-outs: "Time
> limits set externally to content, such as by the user agent or by factors
> intrinsic to the Internet are not under the author's control and not
> subject to WCAG conformance requirements."
>
> As far as I can tell, the website content is what sets the limit (in
> WebauthN it is the "Relying Party Server").
>
> My understanding of the scenario is that:
>
>    - You arrive at a login page;
>    - You start the login process, essentially selecting a button;
>    - You have 5 minutes (by default) to authenticate with your device
>    (e.g. type in a pin, facial recognition);
>    - If you manage to, you are logged in.
>    - If you do not manage to, you have to hit the button again to start
>    the process, and restart the 5 minutes.
>
> So the impact of not authenticating with your device in time is minimal,
> arguably less than having to hit a dialogue warning you of being logged out.
>
> Given that you are not logged out, could hitting the button again count as
> extending the time?
>
> Kind regards,
>
> -Alastair
>
> --
>
> @alastc / www.nomensa.com
>

Received on Wednesday, 14 July 2021 11:26:55 UTC