Prevent unauthorized users from registering with webauthn server

[witwaycorp]

All,

Testing this server and looks like many other folks are using/testing as well. Wondering how you prevent unauthorized random people from registering with your webauthn server given the URL is public? I am using a separate process by which I register an organization and generate a unique ID (org ID) and only allow users to register if they pass in the org ID along side an Office 365 JWT token but the process feels heavy. Thanks.

[wparad]

@witwaycorp , let's say you have a sign up form page that supports emails and password. How would you prevent random people from signing up? Is that not the same problem?

[MasterKale]

@witwaycorp I think this section of the Passkeys docs might help reveal a path forward for you:

https://simplewebauthn.dev/docs/advanced/passkeys#remembering-challenges

Your use case is a bit advanced for the path I propose for handling registration. But just on what I'm reading above it sounds kinda like you're already using "Sign in with M365" for something on your site? If so you could make your registration flow use that same flow, and your OAuth callback URL is what creates a session on your site that's blessed to proceed with new user creation. If someone hits your registration URL without such a session then you could reject their attempts to submit anything. 🤔

With this setup M365 becomes your site's Identity Provider, which takes care of validating that someone is a "real/trusted person" as opposed to some attacker if you left registration open to anyone.

[witwaycorp]

The O365 auth is only allowed if the tenant ID is found on our backend so that's why I have a separate flow to do that first bit. Appreciate the link and suggestion @MasterKale! Was just curious what others folks are doing to minimize the risk of random folks registering as I did not see any restrictions in any of the docs. Sounds like our approach is not too out of left field after all. Many thanks again.