Is step 1 of the registration ceremony really necessary?


Rick Mann

Mar 17, 2024, 9:49:30 PM
to FIDO Dev (fido-dev)
According to this [guide](https://webauthn.guide/#registration), the step 1 challenge is needed to prevent replay attacks. But it seems to me that if in Step 2 the server verifies that the credentialID does not already exist, and that you are creating a new User record, then a replay attack can't work, right?

Adam Langley

Mar 18, 2024, 11:20:21 AM
to FIDO Dev (fido-dev), Rick Mann
On Sunday, March 17, 2024 at 6:49:30 PM UTC-7 Rick Mann wrote:
According to this [guide](https://webauthn.guide/#registration), the step 1 challenge is needed to prevent replay attacks. But it seems to me that if in Step 2 the server verifies that the credentialID does not already exist, and that you are creating a new User record, then a replay attack can't work, right?

During create() calls, the challenge is used to show freshness of the attestation. If there isn't an attestation, or you aren't processing it, then the challenge is indeed irrelevant.

(That is obviously not true for get() calls.)


Cheers

AGL