LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is the purpose of the challenge that the relying party sends in WebAuthn, and how does it relate to challenge-response authentication?

The challenge is a fresh random value the authenticator must sign; signing it proves possession of the private key right now and blocks replay attacks.

This is classic challenge-response authentication:

  1. The server (relying party) issues a random, single-use challenge.
  2. The authenticator signs it with the private key.
  3. The server verifies the signature with the stored public key.

Because the challenge is new and unpredictable every time, a captured response (signature) is worthless later — it only matches that one challenge. This defeats replay attacks, where an attacker resends previously sniffed authentication data.

The challenge's role is the same at registration and login — prove live possession of the key and prevent replay. The difference: at registration the key is brand new (the server has no public key yet and learns it now); at login the server already has the public key and uses it to verify.

Tip: "Challenge-response" beats "send your secret": you never transmit the secret itself, only fresh proof that you hold it.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026