Rick Mann
unread,Mar 17, 2024, 8:20:41 PMMar 17Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to FIDO Dev (fido-dev)
I have a WebAuthn question that might be in the weeds a bit. Passkeys have two operations: Registration and Sign In (Authentication). Both a have two steps: Step 1) request a challenge (some random data) from the server, and Step 2) sign it with your private key, and return the challenge and signature to the server.
The server then compares the challenge with the one it generated in Step 1, and verifies the signature. I don’t want to store that generated challenge from Step 1, so I'm thinking this would work:
In Step 1, the server generates the challenge and a short expiry date for it, signs both of those together, and sends them to the client along with the signature.
The client sends back this whole bundle along with its WebAuthn signature, and the server then validates the challenge and the WebAuthn signature.
Is this less secure than storing it on the server? I think it’s just like a JWT, so it should be just as secure, right?