FIDO: what is the benefit of the challenge parameter?

Question

In the enrollment stage an attacker could intercept the message and answer with a signature based on the correct challenge.
I know that normally you include a symmetric secret in such a challenge, but here there is only a random value which will be signed. I do not see the advantage of using this scheme. I think you can just do the authentication without this challenge. You can prevent replay attacks with it. So did I overlook anything? Is there a good explanation why FIDO does it the way it is specified?

Answer 1

The challenge-response model is primarily designed to help prevent against replay attacks, in which an attacker sniffs an authentication packet and then replays it within their own session to gain unauthorised access.

As you noted, a server-controlled random token (called a "server nonce" in most protocols) which must be signed in order to authenticate makes it almost infinitely unlikely that an attacker would be able to replay an authentication packet to gain access.

However, one additional benefit is that the scheme forms a kind of zero-knowledge password proof, in which knowledge of a secret can be proven to the server, without ever actually transferring the actual secret over the network. This means that a network eavesdropper must break the challenge-response scheme (e.g. by bruteforce attack) in order to discover the secret.

Thomas Pornin provided an excellent summary of both server nonces and client nonces in another question, which summarises it much more clearly than I could hope to.

Answer 2

FIDO is a lame and unnecessarily complex technology that was only created because a bunch of corporations need something to make money off of. You should investigate SQRL instead, which is not intended to create profits for corporations.

SQRL makes authenticating yourself easy and safe. It will make passwords go away but no corporation or government will control it. FIDO however could be used in theory to lock you out of your own computer...

If you care about privacy, security, and truly owning what you buy, use SQRL.