During the registration ceremony, how does the Challenge improve security?

[JetForMe]

According to this guide, the challenge issued by the server during Step 1 of the registration ceremony prevents replay attacks. But the way I implemented my server, in Step 2 I check to make sure the credential ID doesn’t already exist, and I create a new User record.

An attacker who replayed Step 2 would get an error. It doesn’t seem like it would be a useful exploit.

[adam-fowler]

As I understand it you need step 1 so that step 2 isn't a fixed target. If you only have step 2, it is no more secure than a username, password with a long complex password. Step 1 ensures the attacker can't use the results of previous authentication attempts as an indication of whether the next attempt will be successful.

[JetForMe]

I'm referring to the registration, not authentication. I think, but I'm not sure, that only doing step 2, and ensuring that the same credential ID and/or public key can't be used a second time, it would just be first-past-the-post-wins. And all that would do is create a new, empty account (at least in my case). In fact, even with step 1 and step 2, I don't see a way to prevent a MITM from getting first-past-the-post.

[adam-fowler]

Sorry misread that.

[dimitribouniol]

I think it is in place so a compromised connection, either residing on the server side (ie. behind a load balancer) or client side (compromised browser/OS), or even holding on to already encrypted TLS traffic, could replay a registration request even after a user deletes their account. I also think this gives the server one more opportunity to control the account creation flow without the potentially costly operations involved with validating attestation data, but that's less of a concern for this library.

[dimitribouniol]

Found some more loosy-goosy explanations in the spec, but for the most part it seems to stem from cryptographic best practices more than anything, rather than being specifically useful for registration:

• https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges
• Why does WebAuthn require a challenge when asking the client to register a new credential? w3c/webauthn#1355

[JetForMe]

Yeah, that's the sense I get, too. I thought this was interesting:

But in general, WebAuthn credential keys are "trust on first use"

Which is sort of what I’m doing with my account creation.

If a user deletes their account, then my server should delete all their related records. It occurs to me that in this case, I should delete everything else but keep the user record (to reserve the user ID), wipe the fields, and mark it as deleted.

[JetForMe]

Oh, this might be the key: "The challenge does have some value for the other attestation statement formats," which, if I understand attestation statements correctly,, might actually make sense.