I am reading on digital signatures:
A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (nonrepudiation), and that the message was not altered in transit (integrity).
I'm using for 2FA a hardware key (e.g. Yubikey, Key-id) to authenticate a user with Webauthn and also later require user's confirmation to take certain sensitive actions.
Question: if I store on the server the challenge and the AuthenticatorAttestationObject returned by the hardware key, can that serve for non-repudiation?
Rephrase: can the user claim that an action that required pressing the Yubikey button was not initiated by him, but was fabricated e.g. from server side?
Non-repudiation is much harder to achieve than some would have you believe. In general, a signature is tied to a key with a very high degree of confidence, but tying the key to a specific person and their intent is much harder. With WebAuthn though, you can't achieve any of this.
A signature is over specific data. For your goal you'd want that data to be something along the lines of "I [user] consent to the server performing [sensitive action] at time [time]". What you're actually getting though is something like "I am definitely the user known by [website] as [user]". Not terribly helpful, because as you pointed out, the user could just claim that the server performed a different action at a different time than the one he intended to authorize.
And of course, there's always the possibility of claiming "my key was stolen" or "that's not my key, it's a key that was fabricated by the server". In the end, it's really up to who a jury (or whomever you're trying to prove this to) believes is trustworthy.
External links referenced by this document: