2fa attestation object for non-repudiation

Question

I am reading on digital signatures:

A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (nonrepudiation), and that the message was not altered in transit (integrity).

I'm using for 2FA a hardware key (e.g. Yubikey, Key-id) to authenticate a user with Webauthn and also later require user's confirmation to take certain sensitive actions.

Question: if I store on the server the challenge and the AuthenticatorAttestationObject returned by the hardware key, can that serve for non-repudiation?

Rephrase: can the user claim that an action that required pressing the Yubikey button was not initiated by him, but was fabricated e.g. from server side?

Answer 1

Non-repudiation is much harder to achieve than some would have you believe. In general, a signature is tied to a key with a very high degree of confidence, but tying the key to a specific person and their intent is much harder. With WebAuthn though, you can't achieve any of this.

A signature is over specific data. For your goal you'd want that data to be something along the lines of "I [user] consent to the server performing [sensitive action] at time [time]". What you're actually getting though is something like "I am definitely the user known by [website] as [user]". Not terribly helpful, because as you pointed out, the user could just claim that the server performed a different action at a different time than the one he intended to authorize.

Even if you were able to solve that problem though, and you could get a signature for a statement authorizing a certain action at a certain time, the signature isn't really coming from the user, it's coming from software using the key. Problem is, the software is your software; they could just claim the JavaScript sent to them was modified to create a signature without their consent.

And of course, there's always the possibility of claiming "my key was stolen" or "that's not my key, it's a key that was fabricated by the server". In the end, it's really up to who a jury (or whomever you're trying to prove this to) believes is trustworthy.