Replies: 1 comment
-
Actually, I wrote it that way to reflect the wording of the RFC which mandates it. Interestingly, there was also a recent discussion challenging this aspect of the specs here: w3c/webauthn#1856 From my point of view, strict randomness is not required either. It is rather a best practice recommendation. The important thing is to not reuse challenges to avoid "eavesdropping and replay" attacks. On another hand, as long as the RFC says |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Readme - Remark section contains below text, which is not 100% correct for all cases.
The challenge must be a random value. Otherwise, your implementation might become vulnerable to replay attacks.
I have been using webauthn to sign transaction data (on top of ethereum) to verify signatures on blockchain side. I believe replay attacks can also be prevented via auto-incremental nonce which would apply challenge as a message to be signed.
Are there any points that I am missing or is this something we should point out?
Beta Was this translation helpful? Give feedback.
All reactions