Comments (9)
IMO the RP provided timeout is how long to keep the challenge valid. The client knows this time and client-side JavaScript can be used to obtain a new challenge as the timeout approaches. For autofill UI, you should be able to cancel a pending call, then start a new one. This was broken on Safari last time I tried but worked on Chrome (on Mac anyway).
from webauthn.
@Kieun we should definitely add some clarity around the timeout and challenge, but I think the text around canceling a pending request is more deployment guidance, and not spec text. We can add this to passkeys.dev eventually.
We could potentially align the challenge validity with the RP requested timeout value, but since that is only a hint to the client, it may not be perfect. But at a minimum, it would at least provide a max window.
If the browser aligns with the RP-requested timeout value, then the RP could invalidate the expired challenge anyway without worrying so much.
But in another respect, after the request has timed out on both the RP and the browser, how does the RP trigger the Auto-Fill UI again?
@sbweeden If that is the case, then the RP client should handle such a timeout by cancelling the pending request, and this needs to be explained somewhere in the spec.
I think this example, already in the spec, covers how to abort an in-progress request: https://w3c.github.io/webauthn/#sctn-sample-aborting
@sbweeden I know the abort example was already there and we've been implementing it in our demo, but it would be good to indicate or explain a recommendation to abort the pending operation for the auto-fill UI.
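The abort-and-reissue pattern the comments above discuss, as an added example (not code from the thread or from the WebAuthn spec): a client-side helper that aborts the pending conditional-mediation `navigator.credentials.get()` shortly before the RP's timeout hint lapses and starts a new one with a freshly fetched challenge. `ConditionalMediationSession`, `fetchOptions` and the other names are hypothetical; dependencies are injected so the logic can run outside a browser.

```javascript
// Added example: keep a conditional-mediation (autofill UI) request alive across
// challenge expiry by aborting the in-flight get() via AbortController and
// re-issuing it with fresh options before the RP timeout hint runs out.
// All names are hypothetical; nothing here is from the thread or the spec.
class ConditionalMediationSession {
  constructor({ fetchOptions, getCredential, onAssertion, onError = console.error,
                refreshMarginMs = 5000, setTimer = setTimeout, clearTimer = clearTimeout }) {
    Object.assign(this, { fetchOptions, getCredential, onAssertion, onError,
                          refreshMarginMs, setTimer, clearTimer });
    this.controller = null;  // AbortController of the in-flight get()
    this.timer = null;       // handle of the scheduled refresh
    this.generation = 0;     // results from superseded requests are ignored
  }

  // Refresh a margin before the hint expires, but never with a negative delay.
  static refreshDelayMs(timeoutMs, marginMs) {
    return Math.max(0, timeoutMs - marginMs);
  }

  async start() { this.issue(await this.fetchOptions()); }

  // Abort anything pending, then start a new conditional request with `options`
  // (PublicKeyCredentialRequestOptions: challenge as BufferSource, timeout in ms).
  issue(options) {
    this.stop();
    const controller = new AbortController();
    const gen = ++this.generation;
    this.controller = controller;
    this.timer = this.setTimer(() => this.refresh(),
      ConditionalMediationSession.refreshDelayMs(options.timeout, this.refreshMarginMs));
    this.getCredential({ publicKey: options, mediation: 'conditional', signal: controller.signal })
      .then((assertion) => { if (gen === this.generation) { this.stop(); this.onAssertion(assertion); } })
      .catch((err) => { if (!(err && err.name === 'AbortError')) this.onError(err); }); // aborts are expected
  }

  async refresh() { this.issue(await this.fetchOptions()); }

  // Cancel the refresh timer and abort the pending request (if any).
  stop() {
    if (this.timer !== null) { this.clearTimer(this.timer); this.timer = null; }
    if (this.controller) { this.controller.abort(); this.controller = null; }
  }
}
```

In a browser, pass `fetchOptions` as a fetch of the RP's options endpoint with its JSON decoded to BufferSource fields (for example with `PublicKeyCredential.parseRequestOptionsFromJSON()` where supported), `getCredential` as `(req) => navigator.credentials.get(req)`, and call `start()`.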
I think in general we could suggest RPs allow challenges to be used once within N minutes, because a user may walk away mid-ceremony and come back, and should be able to immediately re-attempt without needing to request new options. This has been our practical experience working with WebAuthn, mind you, and I suspect other RPs have done something similar without introducing any security issues into the auth flow.
I too recently grappled with this situation and eventually decided to use one global challenge per web session, unbounded by time, that is "consumed" when one (of potentially several) conditional sessions actually complete. I consider this a very imperfect solution, but I found it to be the least bad of the options I considered.
Unless it's too late, I would suggest changing/amending conditional mediation to a two-stage process, where a call is made back into the website script when a user actually decides to interact with the conditional mediation session, at which time a challenge can be fetched from the server. Just my two cents.