We are looking into inline bio enrollment of FIDO2 keys during WebAuthn calls. The current time bound in WebAuthn is 15-120 seconds, which, when we decided on it, was a guess for a single touch or PIN input. Browsers have been hooked up to cancel the transaction when the timeout happens.
Many RPs don't configure the timeout, resulting in 15 seconds. Even 120 seconds is not enough given our user studies, where the user has to figure out which authenticator he/she wants to use, plug that in, set up a PIN if not present, and set up a fingerprint, which requires multiple samples. The last step also depends on how many samples the authenticator wants.
I want to take suggestions on what the typical timeout should be to support this case. I am thinking 180-300 seconds.
Thoughts?
As I understand it, the primary motivation for RPs wanting a timeout is in the traditional, U2F-like flow where a password is used to establish user verification and the security key touch is user presence (and anti-phishing). In this case, the time between the password and the touch matters because you want to ensure that it's the same person doing both.
However, that argument isn't as clear for credential registration (nor for assertions with UV). Therefore we might be able to set a high timeout floor for registrations without breaking anyone's timeout needs.
What we are seeing is that bio-enrollment + user verification typically takes around 4 minutes.
Suggesting:
For user presence only operations: 30 seconds to 180 seconds, with a default value of 120 seconds.
For user verification operations: 30 seconds to 600 seconds, with a default value of 300 seconds.
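The following is an added illustration of the timeout policy proposed in the comment above; it is not WebAuthn specification text, browser code, or code from anyone in this thread. It clamps an RP-supplied `timeout` into one of two ranges depending on whether the ceremony requires user verification, using exactly the ranges and defaults suggested above, and then checks whether an expected ceremony duration (such as the roughly 4-minute bio-enrollment flow) fits inside the effective timeout. The policy table, the function names, and the simplification that only `userVerification: "required"` counts as a UV operation are assumptions made for the example.

```javascript
// Added example: a client-side timeout policy modelled on the ranges proposed
// in the comment above (assumed values, not normative WebAuthn behaviour).
// All values are milliseconds, matching the unit of the WebAuthn `timeout` member.
const TIMEOUT_POLICY = {
  // User-presence-only operations: 30 s .. 180 s, default 120 s.
  userPresence:     { min: 30000, max: 180000, dflt: 120000 },
  // User-verification operations: 30 s .. 600 s, default 300 s.
  userVerification: { min: 30000, max: 600000, dflt: 300000 },
};

// Decide whether a ceremony counts as a user-verification operation.
// create() carries the preference in authenticatorSelection.userVerification,
// get() carries it directly in options.userVerification. Simplification
// (assumption): only "required" selects the UV range; "preferred" and
// "discouraged" fall back to the user-presence range.
function needsUserVerification(options, ceremony) {
  const uv = ceremony === 'create'
    ? (options.authenticatorSelection || {}).userVerification
    : options.userVerification;
  return uv === 'required';
}

// Effective timeout the client would enforce: the RP's requested value
// clamped into the applicable range, or the range default when absent.
function effectiveTimeoutMs(options, ceremony = 'create') {
  const policy = needsUserVerification(options, ceremony)
    ? TIMEOUT_POLICY.userVerification
    : TIMEOUT_POLICY.userPresence;
  const requested = options.timeout;
  if (requested === undefined || !Number.isFinite(requested) || requested <= 0) {
    return policy.dflt;
  }
  return Math.min(Math.max(requested, policy.min), policy.max);
}

// Check whether a flow that is expected to take `expectedDurationMs`
// (e.g. the ~4 minutes observed for bio-enrollment + UV) would complete
// before the browser cancels the transaction.
function fitsWithinTimeout(options, ceremony, expectedDurationMs) {
  return expectedDurationMs <= effectiveTimeoutMs(options, ceremony);
}

// Stand-alone demonstration with constructed option objects.
const BIO_ENROLLMENT_MS = 4 * 60 * 1000; // 4 minutes, from the comment above
const upRegistration = { timeout: 15000 };  // RP asked for 15 s, UP only
const uvRegistration = { authenticatorSelection: { userVerification: 'required' } };
console.log('UP registration effective timeout (ms):', effectiveTimeoutMs(upRegistration));
console.log('UV registration effective timeout (ms):', effectiveTimeoutMs(uvRegistration));
console.log('Bio-enrollment fits in UP range:', fitsWithinTimeout(upRegistration, 'create', BIO_ENROLLMENT_MS));
console.log('Bio-enrollment fits in UV range:', fitsWithinTimeout(uvRegistration, 'create', BIO_ENROLLMENT_MS));
```

With these ranges, an RP that omits `timeout` on a user-verification registration gets 300 seconds, a 15-second request is raised to the 30-second floor, and a 4-minute enrollment only fits when the ceremony is treated as a UV operation; that is the gap the proposal above is meant to close.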