RE: [External] RE: Timeouts and WebauthN

> “how far in advance of a timeout can the warning be provided?” We are saying that 5 minutes is not too long from getting the message on page load to the timeout occurring and users will be appropriately notified, but what about 20 minutes? I assume that there is a point where the advance notice is too distant from the event, and we may be asked what that is.

In this case I’m not sure the length of the timeout is an important factor because there is only one step.

Once you hit the login button, it hands over to your device, and it is the device which is asking for authentication. If the device doesn’t provide it in time, that is when you’d time out. There isn’t a gap between the warning and the next step.

I recorded a little example from the demo site:
https://alastairc.uk/tmp/webauthn-login.mp4

Alt: An 11-second video from WebAuthn.io. Shows a registration, where you add a username and select a register button. A Windows PIN dialogue appears, the PIN is entered and it is registered. Then the login button is selected, the PIN request appears again, and then you are logged in.

I think once people understand the interaction, the question doesn’t seem relevant.


> Also, we should have a technique for this scenario.

Yep, just need a volunteer…

-Alastair

Received on Thursday, 15 July 2021 15:52:13 UTC
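
The single-step interaction described in the message above, sketched as an added example that is not part of the original post or of WebAuthn.io's code: the page passes a `timeout` hint when the login button starts the ceremony, and a rejection is turned into a retry prompt. The function names, the message wording and the 5-minute default are assumptions; `credentials` stands for `navigator.credentials` in a browser.

```javascript
// Added example; buildRequestOptions, describeFailure and requestAssertion
// are hypothetical names, not part of any library.
const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // the 5 minutes discussed in the thread

// Options for navigator.credentials.get(). `timeout` is a hint in
// milliseconds; the browser may clamp it to its own allowed range.
function buildRequestOptions(challenge, timeoutMs = DEFAULT_TIMEOUT_MS) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be at least 16 random bytes from the server");
  }
  return { publicKey: { challenge, timeout: timeoutMs, userVerification: "preferred" } };
}

// Map a rejected ceremony to something the page can show. The browser reports
// a timeout and a user cancellation with the same NotAllowedError, so the
// wording covers both and always offers a retry.
function describeFailure(err, timeoutMs) {
  const minutes = Math.round(timeoutMs / 60000);
  const name = err && err.name;
  if (name === "NotAllowedError") {
    return { retry: true,
      message: `Sign-in was not completed (cancelled, or the ${minutes}-minute limit passed). Select Login to try again.` };
  }
  if (name === "AbortError") {
    return { retry: true, message: "Sign-in was stopped. Select Login to try again." };
  }
  return { retry: false, message: "Sign-in failed. Try another sign-in method." };
}

// One step: the login button calls this, the device prompt appears, and the
// promise settles when the user responds or the timer runs out.
async function requestAssertion(credentials, challenge, timeoutMs = DEFAULT_TIMEOUT_MS) {
  const options = buildRequestOptions(challenge, timeoutMs);
  try {
    return { ok: true, assertion: await credentials.get(options) };
  } catch (err) {
    return { ok: false, ...describeFailure(err, timeoutMs) };
  }
}
```

In a page this would be called as `requestAssertion(navigator.credentials, challengeFromServer)` from the login button's click handler, with the returned message shown next to the button.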