Re: [webauthn] Why does WebAuthn require a challenge when asking the client to register a new credential? (#1355)

The video didn't answer my question. He said that the challenge and origin are signed by the client, which is not true as far as I understand, and he probably was just not precise and meant "by the authenticator". But IMO they are signed only via attestation, and it is surprising to me, because there are different attestation methods (including "none") and an attacker could sign the data with his own attestation certificate in the case of the Anonymous CA method, etc. So, IMO you cannot trust the origin or challenge sent back to the back-end during the registration ceremony (unless you trust attestation, but usually it is not used on popular websites such as Google, Facebook, etc.). Maybe it is not a big problem, because there are no good attack vectors against registration. The authentication ceremony is safe, as the data is always signed by the private key.

I tested it on https://webauthn.io/ (the same way as he tested his case in the video) via the JS console. I was able to change the challenge in the JS console just before sending it to the authenticator. Afterwards I changed the response (I updated only the challenge, without touching the public key) from the authenticator just before sending it to the back-end. So, in other words, I believe I would be able to use a stale response from the authenticator just by changing the challenge.

-- 
GitHub Notification of comment by marekciupak
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1355#issuecomment-907621516 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 28 August 2021 12:43:35 UTC
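As an added example (not code from the thread or from the WebAuthn project): the relying-party checks on clientDataJSON that the comment above refers to, written in Python with only the standard library. It makes the comment's point explicit: with attestation format "none" nothing signs clientDataHash, so passing these checks only proves the client sent well-formed data; the sample client data and the `make_client_data` helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s: str) -> bytes:
    # clientDataJSON carries the challenge base64url-encoded without padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str, type_: str = "webauthn.create") -> bytes:
    # Constructed stand-in for what a browser would produce; not real authenticator output.
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": type_, "challenge": enc, "origin": origin}).encode("utf-8")


def verify_client_data(client_data_json: bytes, expected_challenge: bytes, expected_origin: str) -> bytes:
    """RP-side checks from the registration ceremony: type, challenge, origin.
    Returns clientDataHash = SHA-256(clientDataJSON) on success, raises ValueError otherwise."""
    c = json.loads(client_data_json.decode("utf-8"))
    if c.get("type") != "webauthn.create":
        raise ValueError("wrong type")
    # Constant-time comparison against the challenge the RP issued for this session.
    if not hmac.compare_digest(b64url_decode(c.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch")
    if c.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    return hashlib.sha256(client_data_json).digest()


def challenge_is_attested(fmt: str) -> bool:
    """For fmt "none" the attestation statement is empty, so no signature covers
    clientDataHash and the checks above run on client-supplied data only. Any other
    format signs authenticatorData || clientDataHash; that signature (and trust in
    its source) still has to be verified by the RP, which this example does not do."""
    return fmt != "none"


def registration_status(client_data_json: bytes, expected_challenge: bytes,
                        expected_origin: str, fmt: str) -> str:
    """Summarise what the RP actually learned from the clientDataJSON checks."""
    try:
        verify_client_data(client_data_json, expected_challenge, expected_origin)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "accepted: attested" if challenge_is_attested(fmt) else "accepted: client-asserted only"
```

The "accepted: client-asserted only" outcome is the situation the comment describes: the challenge and origin match, but for fmt "none" that match is not backed by any signature, so the RP is relying on TLS and same-origin behaviour of the browser rather than on the authenticator.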