How to properly manage WebAuthn challenges?
I'm in the process of evaluating adding WebAuthn/Passkey support to a website, and I'm not really sure how to properly manage challenge nonces.
My understanding is that the main reason for using challenge nonces is to prevent replay attacks, but that implies that challenges need to have some sort of lifetime, and the lifetime to use isn't obvious to me, especially with the new Conditional Mediation mechanism that was added to support the easier login flow associated with Passkeys. Without conditional mediation, challenge management doesn't perhaps seem particularly difficult, I could easily imagine just keeping a fixed maximum number of challenges around and invalidating them with a reasonably short timeout.
With conditional mediation, however, I'm less sure. My understanding is that Conditional Mediation is basically supposed to be running as long as a page with an option for login is open, and it seems to me that any number of pages with an option to log in could be kept open by a user for days or months, basically indefinitely. It seems unreasonable to me that the login challenge should arbitrarily stop working just because the user has held the page open for longer than the arbitrary timeout I've set. Further, if many pages have a low-key option for logins, that seems like a potential lot of challenges to maintain.
The only option I can think of is to simply not manage "active challenges", but rather just generate random challenges, perhaps even on the client side without the server even knowing about them, and rather have the server keep track of challenges that were actually used for a WebAuthn transaction, but wouldn't that conversely require keeping track of such used challenges forever?
I mean, I realize that even thousands of authentications wouldn't generate a significant amount of data to store on today's systems, but it still seems inefficient, doesn't it?
I'm also not sure if allowing any previously unused challenge could have some sort of security implications (the specification states that challenges should be generated in a trusted environment, but I'm not sure why).
Am I missing a more sane option? Are there any recommendations/best practices around how to manage WebAuthn challenges, particularly when using conditional mediation?
