Re: [webauthn] Add a way to use webauthn without Javascript (#1255) from Emil Lundberg via GitHub on 2020-05-25 (public-webauthn@w3.org from May 2020)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 May 2020 09:57:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-633489734-1590400651-sysbot+gh@w3.org>

>prerendering old dynamic stuff, like challenge for registration forms.

You should never reuse a [`challenge`](https://www.w3.org/TR/2019/WD-webauthn-2-20191126/#dom-publickeycredentialcreationoptions-challenge), it should be uniquely generated for each registration/authentication ceremony. See [§13.4.1. Cryptographic Challenges
](https://www.w3.org/TR/2019/WD-webauthn-2-20191126/#sctn-cryptographic-challenges) (and pardon me if I misinterpreted what you meant).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-633489734 using your GitHub account

Received on Monday, 25 May 2020 09:57:33 UTC