- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 25 Sep 2024 22:46:20 +0000
- To: public-webauthn@w3.org
> You can get away with generating client-side challenges if they're based on a timestamp.

Each step away from "randomly generated at the server" costs some bit of security:

| Method | Characteristics |
|--------|-----------------|
| Randomly generated at the server | Best |
| Server-encrypted timestamp | Assertions can be replayed within the accepted time window |
| Client-generated timestamp | Same replay is possible, but also attackers with transient access can generate assertions that will be valid in the future. (This also depends on client–server clock sync.) |
| Fixed challenge | Degrades to being a bearer token, like a password |

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2152#issuecomment-2375400518 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 25 September 2024 22:46:21 UTC
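The four rows of the table above, modelled as relying-party verifiers so the replay and "valid in the future" properties can be exercised directly. This is an added example, not code from the message author or from the WebAuthn specification. It makes simplifying assumptions for illustration: the authenticator's signature over the challenge is stood in for by an HMAC under a per-credential key, the "server-encrypted timestamp" is modelled as an HMAC-tagged timestamp (authenticity is what the replay argument needs), the 300-second window and all class and function names are invented here, and the clock is passed in explicitly so the timeline can be driven deterministically.

```python
"""Toy relying-party verifiers for the four challenge-generation strategies.

Added example (not the message author's or the spec's code). The authenticator
is modelled as an HMAC with a per-credential key and the server-side encrypted
timestamp as an HMAC-tagged timestamp; names and the window size are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

WINDOW_SECONDS = 300  # accepted age of a timestamp challenge (assumed policy)

# Stand-in for one registered authenticator: it signs whatever challenge it is handed.
CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(challenge: bytes) -> bytes:
    """Model of an assertion signature over the challenge (HMAC instead of ECDSA)."""
    return hmac.new(CREDENTIAL_KEY, challenge, hashlib.sha256).digest()


def signature_ok(challenge: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(authenticator_sign(challenge), sig)


class RandomChallengeRP:
    """Row 1: random challenge generated and stored server-side, consumed once."""

    def __init__(self) -> None:
        self._pending: dict[bytes, float] = {}  # challenge -> issue time

    def issue(self, now: float) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = now
        return challenge

    def verify(self, challenge: bytes, sig: bytes, now: float) -> bool:
        issued = self._pending.pop(challenge, None)  # pop: a second presentation finds nothing
        if issued is None or now - issued > WINDOW_SECONDS:
            return False
        return signature_ok(challenge, sig)


class TimestampChallengeRP:
    """Row 2: stateless challenge = timestamp || HMAC(server_key, timestamp)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def _tag(self, ts_bytes: bytes) -> bytes:
        return hmac.new(self._key, ts_bytes, hashlib.sha256).digest()[:16]

    def issue(self, now: float) -> bytes:
        ts = struct.pack(">Q", int(now))
        return ts + self._tag(ts)

    def verify(self, challenge: bytes, sig: bytes, now: float) -> bool:
        ts, tag = challenge[:8], challenge[8:]
        if not hmac.compare_digest(self._tag(ts), tag):
            return False  # client cannot mint its own timestamp
        (issued,) = struct.unpack(">Q", ts)
        if not 0 <= now - issued <= WINDOW_SECONDS:
            return False
        # No state is kept, so the same assertion verifies again inside the window.
        return signature_ok(challenge, sig)


class ClientTimestampRP:
    """Row 3: the client picks the timestamp; the server only checks the window."""

    @staticmethod
    def client_issue(client_now: float) -> bytes:
        return struct.pack(">Q", int(client_now))  # no server secret involved

    def verify(self, challenge: bytes, sig: bytes, now: float) -> bool:
        (ts,) = struct.unpack(">Q", challenge)
        if abs(now - ts) > WINDOW_SECONDS:  # tolerate clock skew in both directions
            return False
        return signature_ok(challenge, sig)


FIXED_CHALLENGE = b"fixed-challenge"  # Row 4: a constant; the assertion is a bearer token


def fixed_verify(challenge: bytes, sig: bytes) -> bool:
    return challenge == FIXED_CHALLENGE and signature_ok(challenge, sig)


def demo() -> dict[str, bool]:
    """Drive each verifier through a scripted timeline starting at t0 (constructed input)."""
    t0 = 1_700_000_000.0
    out: dict[str, bool] = {}

    rp1 = RandomChallengeRP()
    c = rp1.issue(t0)
    s = authenticator_sign(c)
    out["random_first"] = rp1.verify(c, s, t0 + 1)
    out["random_replay"] = rp1.verify(c, s, t0 + 2)  # rejected: challenge already consumed

    rp2 = TimestampChallengeRP()
    c = rp2.issue(t0)
    s = authenticator_sign(c)
    out["ts_first"] = rp2.verify(c, s, t0 + 1)
    out["ts_replay_in_window"] = rp2.verify(c, s, t0 + 2)  # accepted: replay inside the window
    out["ts_replay_after_window"] = rp2.verify(c, s, t0 + WINDOW_SECONDS + 1)

    rp3 = ClientTimestampRP()
    # Attacker with transient access to the authenticator pre-mints tomorrow's assertion.
    future = ClientTimestampRP.client_issue(t0 + 86_400)
    s = authenticator_sign(future)
    out["client_ts_now"] = rp3.verify(future, s, t0)            # too far ahead today
    out["client_ts_future"] = rp3.verify(future, s, t0 + 86_400)  # accepted tomorrow

    s = authenticator_sign(FIXED_CHALLENGE)
    out["fixed_any_time"] = fixed_verify(FIXED_CHALLENGE, s) and fixed_verify(FIXED_CHALLENGE, s)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

The `pop` in `RandomChallengeRP.verify` is the whole difference between row 1 and row 2: both bind the challenge to a time window, but only the stored random challenge lets the server notice that an assertion has already been used. Row 3 adds the forward-dating problem because the verifier has no way to tell a timestamp the client chose today from one it will choose tomorrow.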