Simulation of FIDO2/Webauthn

[Snbig]

Hello everybody,

We are going to use Webauthn/FIDO2 to achieve strong authentication but there is a problem!
Some bet websites abuse our API by Reverse Engineering to transact money for their illegal bet websites.
Till now we were using SMS 2FA for registration and login (No passwords) but abusers (bad customers) give their TOTP code to bet websites to log in as their accounts and transfer money to the bet wallet website.
AFAIK Webauthn is based on TOFU, which means that the first acceptable registration could happen on the side of an illegal bet website, not necessarily abusers.
If so abusers going to buy new SIM cards and give their mobile number and TOTP code to bet website to register as their identity even Webauthn has been activated.

The question is that can an illegal bet website simulate webauthn/FIDO2 Client and Authenticator automatically and create pair key and sign challenge of Relay Party?

[cpholguera]

Hi @Snbig, I'm not sure if the MSTG is the right place for this question. At least for me, it sounds more like a backend issue. The focus of the MSTG is the mobile apps.

Maybe you can contact the ASVS team: https://owasp.org/www-project-application-security-verification-standard/

Join their Slack here: https://join.slack.com/share/enQtMjk3NjY4Njk5MzA1Ni05OTY2ZTcwNzRkNzVjZGU2MWM5ZWZkOWNhNzM4OGRiZmIxNDIxNjlhMTc0YTNhMThkYTk2ODQzYzc5NzRkMmZm