Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856)

In the case of enterprise attestation, the attestation contains a serial number for an authenticator given to a specific individual. In that case it is important that the challenge be unique and not replayed. Some large enterprises may also have custom AAGUIDs restricting registration to company-provided authenticators.

In general, without attestation, the challenge in the response mostly serves to link the request and response. It is not providing security if unsigned or signed by a self-signed batch certificate.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1587387292 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 12 June 2023 13:53:00 UTC
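The relying-party side of what the comment describes (a CSPRNG-generated challenge that binds a response to the request that issued it and is accepted only once, so a replayed response fails), as an added example that is not code from the thread, the WebAuthn spec or any library; the 32-byte challenge size, the 5-minute lifetime and the in-memory store are assumptions.

```python
import base64
import json
import secrets
import time

# Assumed parameters: WebAuthn recommends at least 16 random bytes; the
# lifetime bounds how long an issued challenge stays redeemable.
CHALLENGE_BYTES = 32
CHALLENGE_TTL_SECONDS = 300


def b64url_encode(raw: bytes) -> str:
    # clientDataJSON carries the challenge base64url-encoded without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ChallengeStore:
    """Outstanding challenges, each redeemable exactly once before expiry."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # raw challenge bytes -> (ceremony type, issued_at)

    def issue(self, ceremony_type: str) -> str:
        # ceremony_type is "webauthn.create" or "webauthn.get"
        raw = secrets.token_bytes(CHALLENGE_BYTES)
        self._pending[raw] = (ceremony_type, self._now())
        return b64url_encode(raw)  # value placed in the options sent to the client

    def redeem(self, client_data_json: bytes) -> bool:
        """True only if the response carries a live, unused challenge issued
        for this ceremony type. The challenge is consumed either way, so a
        second presentation of the same response is rejected as a replay."""
        try:
            client_data = json.loads(client_data_json)
            raw = b64url_decode(client_data["challenge"])
            response_type = client_data["type"]
        except (ValueError, KeyError, TypeError):
            return False
        entry = self._pending.pop(raw, None)  # single use
        if entry is None:
            return False
        expected_type, issued_at = entry
        if self._now() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return response_type == expected_type
```

Origin, RP ID hash, signature and (where used) attestation checks still follow this step; the store only guarantees that the challenge being verified is the one the RP issued and has not been seen before.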