Low timeout bounds for inline bio enrollment of FIDO2 keys #1286
Comments
|
In the 28 August 2019 call, @agl suggests we set timeout defaults differently for different operations. |
|
From the call of 2019-08-28: As I understand it, the primary motivate for RPs wanting a timeout is in the traditional, U2F-like flow where a password is used to establish user verification and the security key touch is user presence (and anti-phishing). In this case, the time between the password and the touch matters because you want to ensure that it's the same person doing both. However, that argument isn't as clear for credential registration (and nor for assertions with UV). Therefore we might be able to set a high timeout floor for registrations without breaking anyone's timeout needs. |
|
We are doing some user studies around this and will come back on a recommendation of appropriate time. |
|
What we are seeing is the typical timeouts for bio-enrollment + User verifications it taking around 4 minutes. Suggesting: Opened PR #1317. |
We are looking into inline bio enrollment of FIDO2 keys during webauthn calls. Current time bound in webauthn is 15-120 seconds, which when we decided was a guess for a single touch or PIN input. Browsers have been hooked up to cancel the transaction when timeout happens.
Many RPs don't configure the timeout, resulting in 15 seconds. Even 120 seconds is not enough given our user studies where user has to figure out which authenticator he/she wants to use, plug that in, setup PIN if not present, setup fingerprint which requires multiple samples. Last step also depends on how many samples authenticator wants.
Want to take suggestions on what the typical timeout should be to support this case. I am thinking 180-300 seconds.
Thoughts?
The text was updated successfully, but these errors were encountered: