Unless I am reading the code incorrectly, it appears that the static salt "passwordless-login" is used for every credential for every user. According to WebAuthn Level 3, “If the evaluation inputs are unpredictable then even an attacker who could satisfy user verification, and who had time-limited access to the authenticator, could not learn the encryption key without also knowing the correct PRF input”. Additionally, CTAP 2.2 requires HMACGetSecretInput to contain “32-byte random data” for salt1 and salt2 when using the hmac-secret extension (which PRF sits on top of).
Based on this information, wouldn’t it be better if a random salt were created per credential per user? All the server would need to do is store these salts to pass back to the user.