According to this [guide](https://webauthn.guide/#registration), the step 1 challenge is needed to prevent replay attacks. But it seems to me that if in Step 2 the server verifies that the credentialID does not already exist, and that you are creating a new User record, then a replay attack can't work, right?
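
The two server-side checks the question compares, sketched for Node.js as an added example that is not part of the original post or the linked guide. `verifyRegistration`, `makeClientData`, the `session` and `store` shapes and the `checkChallenge` switch are hypothetical, all data is constructed, and attestation validation is assumed to happen elsewhere.

```javascript
// Added example with constructed data; all names here are hypothetical.
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed stand-in for the clientDataJSON bytes a browser returns.
function makeClientData(challengeBytes, origin) {
  return Buffer.from(JSON.stringify(
    { type: 'webauthn.create', challenge: b64url(challengeBytes), origin }));
}

// session.challenge: bytes issued in step 1 for this session (single use).
// store: Set of credential IDs that are already registered.
function verifyRegistration(session, store, response, origin, checkChallenge = true) {
  const cd = JSON.parse(Buffer.from(response.clientDataJSON).toString('utf8'));
  if (cd.type !== 'webauthn.create') return 'bad-type';
  if (cd.origin !== origin) return 'bad-origin';
  const issued = session.challenge;
  session.challenge = null; // consumed whether or not verification succeeds
  if (checkChallenge && (!issued || cd.challenge !== b64url(issued))) {
    return 'bad-challenge';
  }
  if (store.has(response.id)) return 'duplicate-credential';
  store.add(response.id);
  return 'ok';
}

function demo() {
  const origin = 'https://example.test';
  const oldChallenge = Buffer.from('constructed-challenge-A');
  // A response bound to an earlier challenge whose credential ID was never stored.
  const stale = {
    id: 'cred-never-stored',
    clientDataJSON: makeClientData(oldChallenge, origin),
  };
  const fresh = () => ({ challenge: Buffer.from('constructed-challenge-B') });
  return {
    // Uniqueness check only: the ID is unknown, so nothing rejects the response.
    uniquenessOnly: verifyRegistration(fresh(), new Set(), stale, origin, false),
    // Challenge check on: the response is not bound to this session's challenge.
    withChallenge: verifyRegistration(fresh(), new Set(), stale, origin, true),
    // Uniqueness check fires only once the ID is already in the store.
    duplicate: verifyRegistration(fresh(), new Set(['cred-never-stored']), stale, origin, false),
  };
}
```

The uniqueness check keys on what the server has already stored, while the challenge check keys on what this session was issued, so the two reject different inputs.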