New Authenticator Extension: Time Since UV

Open timcappalli opened this issue 11 months ago • 6 comments

Proposed Change

As discussed on multiple working group calls, this would be an alternative approach to address the user verification caching concerns raised by passkey providers and relying parties.

This approach does not change the meaning or operation of user verification and authenticators would still be required to respond truthfully about UV at the time of the ceremony.

This extension, tentatively identified as timeSinceUv, will allow an authenticator to include the time since UV was performed. The value is expressed in milliseconds for consistency with the rest of the spec.

Relying Parties who want the UX benefits of UV preferred, but would like additional context for post-authentication business logic can request the extension.

Example

Request
UV = preferred
Extensions = [ timeSinceUv ]

Authenticator State
User verification was performed 5 minutes ago

Response
UV = false
Extension.timeSinceUv = timeSinceUv: 300000

timcappalli, Feb 28 '24 18:02
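
An added example, not part of the original issue or of the WebAuthn specification: one way a Relying Party could use the proposed value in post-authentication business logic. It assumes the assertion signature has already been verified and the authenticator data decoded into `{ uv, extensions }`; the function name, result strings and thresholds are hypothetical.

```javascript
// Added example: relying-party policy for the proposed timeSinceUv extension.
// Assumption: the assertion is already verified and decoded into
//   { uv: boolean, extensions: { timeSinceUv?: number } }
// with timeSinceUv in milliseconds, as in the proposal.
// POLICY, evaluateUv and the decision/reason strings are hypothetical.

const POLICY = {
  login:    { maxUvAgeMs: 15 * 60 * 1000 }, // constructed threshold
  transfer: { maxUvAgeMs: 60 * 1000 },      // constructed threshold
};

function evaluateUv(assertion, action) {
  const policy = POLICY[action];
  if (!policy) throw new Error(`unknown action: ${action}`);

  // UV performed during this ceremony always satisfies the policy.
  if (assertion.uv === true) {
    return { decision: "allow", reason: "uv-in-ceremony" };
  }

  const ext = assertion.extensions || {};
  if (!Object.prototype.hasOwnProperty.call(ext, "timeSinceUv")) {
    // Extension not returned: nothing is known about an earlier UV.
    return { decision: "step-up", reason: "no-uv-context" };
  }

  const ageMs = ext.timeSinceUv;
  // Treat malformed values as missing context instead of coercing them.
  if (!Number.isSafeInteger(ageMs) || ageMs < 0) {
    return { decision: "step-up", reason: "invalid-timeSinceUv" };
  }

  return ageMs <= policy.maxUvAgeMs
    ? { decision: "allow", reason: "recent-uv" }
    : { decision: "step-up", reason: "stale-uv" };
}

// The response from the example above: UV = false, verified 5 minutes ago.
const sample = { uv: false, extensions: { timeSinceUv: 300000 } };
console.log(evaluateUv(sample, "login"), evaluateUv(sample, "transfer"));
```
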