Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856)

Storing the challenge client-side in a JWT opens you up for replay attacks in the validity window of the JWT. Challenges should be "use-exactly-once", which JWTs (or an encrypted cookie, or a signed cookie) will not give you. I'd say storing the challenge server-side is a must for security.

-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1438923661 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 21 February 2023 18:29:03 UTC
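The contrast arianvp draws, as an added example that is not code from the w3c/webauthn thread or the spec: a relying-party-side challenge store that issues a random challenge and accepts it at most once, beside a stateless variant that hands the client a signed token carrying the challenge and expiry (a minimal HMAC-signed token standing in for a JWT). The class and function names, the TTL, and the constructed clientDataJSON values are illustrative assumptions.

```python
# Added example, not code from the w3c/webauthn thread or spec. It contrasts a
# server-side, use-exactly-once challenge store with a stateless signed-token
# approach (a minimal HMAC token standing in for a JWT). Class and function
# names are illustrative assumptions, not WebAuthn API names.
import base64
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_BYTES = 32   # WebAuthn asks for at least 16 bytes of randomness
TTL_SECONDS = 300      # assumed validity window for a pending ceremony


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def challenge_from_client_data(client_data_json: bytes) -> str:
    """Return the base64url challenge the authenticator signed over."""
    return json.loads(client_data_json)["challenge"]


class ChallengeStore:
    """Server-side store: each issued challenge may be consumed exactly once."""

    def __init__(self, ttl: int = TTL_SECONDS, clock=time.time):
        self._pending: dict[str, float] = {}   # challenge -> expiry time
        self._ttl = ttl
        self._clock = clock

    def issue(self) -> str:
        challenge = b64url(secrets.token_bytes(CHALLENGE_BYTES))
        self._pending[challenge] = self._clock() + self._ttl
        return challenge

    def consume(self, client_data_json: bytes) -> bool:
        """Accept a response only if its challenge is pending and unexpired.
        pop() removes the entry, so a replayed response finds nothing to match."""
        challenge = challenge_from_client_data(client_data_json)
        expiry = self._pending.pop(challenge, None)
        return expiry is not None and self._clock() <= expiry


def issue_stateless(secret: bytes, ttl: int = TTL_SECONDS, clock=time.time) -> tuple[str, str]:
    """Stateless variant: the client holds a signed token with challenge and
    expiry. The server records nothing, so it cannot tell a first use from a replay."""
    challenge = b64url(secrets.token_bytes(CHALLENGE_BYTES))
    body = b64url(json.dumps({"c": challenge, "exp": clock() + ttl}).encode())
    mac = b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return challenge, f"{body}.{mac}"


def verify_stateless(secret: bytes, token: str, client_data_json: bytes, clock=time.time) -> bool:
    body, mac = token.split(".", 1)
    expected = b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if clock() > payload["exp"]:
        return False
    # Signature and expiry are fine on every presentation inside the window.
    return payload["c"] == challenge_from_client_data(client_data_json)


def demo() -> dict:
    """Present the same assertion response twice under each scheme."""
    store = ChallengeStore()
    c1 = store.issue()
    # Constructed clientDataJSON, as a browser would produce for navigator.credentials.get()
    resp1 = json.dumps({"type": "webauthn.get", "challenge": c1, "origin": "https://rp.example"}).encode()
    stateful_first = store.consume(resp1)
    stateful_replay = store.consume(resp1)

    secret = secrets.token_bytes(32)
    c2, token = issue_stateless(secret)
    resp2 = json.dumps({"type": "webauthn.get", "challenge": c2, "origin": "https://rp.example"}).encode()
    stateless_first = verify_stateless(secret, token, resp2)
    stateless_replay = verify_stateless(secret, token, resp2)   # still inside the window

    return {"stateful_first": stateful_first, "stateful_replay": stateful_replay,
            "stateless_first": stateless_first, "stateless_replay": stateless_replay}
```

Run `demo()`: the store accepts the response once and rejects the identical replay, while the signed-token check accepts both presentations for as long as the token is unexpired. The token scheme can only shrink the replay window by shortening the TTL; removing it needs the server-side state the store keeps.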