Is step 1 of the registration ceremony really necessary?

47 views

Skip to first unread message

Rick Mann

unread,

Mar 17, 2024, 9:49:30 PMMar 17

to FIDO Dev (fido-dev)

According to this [guide](https://webauthn.guide/#registration), the step 1 challenge is needed to prevent replay attacks. But it seems to me that if in Step 2 the server verifies that the credentialID does not already exist, and that you are creating a new User record, then a replay attack can't work, right?

Adam Langley

unread,

Mar 18, 2024, 11:20:21 AMMar 18

to FIDO Dev (fido-dev), Rick Mann

On Sunday, March 17, 2024 at 6:49:30 PM UTC-7 Rick Mann wrote:

According to this [guide](https://webauthn.guide/#registration), the step 1 challenge is needed to prevent replay attacks. But it seems to me that if in Step 2 the server verifies that the credentialID does not already exist, and that you are creating a new User record, then a replay attack can't work, right?

During create() calls, the challenge is used to show freshness of the attestation. If there isn't an attestation, or you aren't processing it, then the challenge is indeed irrelevant.

(That is obviously not true for get() calls.)

Cheers

AGL

Reply all

Reply to author

Forward

0 new messages