I am reading about digital signatures:
A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (nonrepudiation), and that the message was not altered in transit (integrity).
I’m using a hardware key (e.g. YubiKey, Key-ID) for 2FA to authenticate a user with WebAuthn, and later also to require the user’s confirmation for certain sensitive actions.
Question: if I store on the server the challenge and the AuthenticatorAttestationObject returned by the hardware key, can that serve for non-repudiation?
Rephrased: can the user claim that an action that required pressing the YubiKey button was not initiated by him, but was fabricated, e.g. on the server side?
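As an added example (not part of the question, and not code from any WebAuthn library or from YubiKey/Key-ID), here is a Go sketch of what a relying party would store for one sensitive action and how it would re-check it later. It simulates the hardware key in software with a P-256 (ES256) credential; the relying-party ID `example.com`, the origin and the challenge bytes are constructed for the example. Note that the per-action signature comes from the authentication ceremony (`webauthn.get`, an assertion), not from the registration-time attestation object; what the server keeps is the signed `authenticatorData`, the signed `clientDataJSON` (which carries the challenge) and the signature, together with the public key recorded at registration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Assertion is what the relying party stores per sensitive action: the exact bytes
// the authenticator signed plus the signature. Together with the credential public
// key recorded at registration, a third party can re-verify it later.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

const flagUserPresent = 0x01 // set by the key only after the button press

// signedDigest is what an ES256 credential signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// SimulateAuthenticatorGet stands in for the hardware key (constructed for this
// example). A real key never exports priv; that is what gives the signature its value.
func SimulateAuthenticatorGet(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, signCount uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	var counter [4]byte
	binary.BigEndian.PutUint32(counter[:], signCount)
	authData := append(append(rpHash[:], flagUserPresent), counter[:]...) // rpIdHash || flags || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{authData, cd, sig}, nil
}

// VerifyAssertion is the relying-party check: every field the server relies on
// (ceremony type, challenge, origin, rpIdHash, presence flag) is under the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch")
	case cd.Origin != origin:
		return errors.New("origin mismatch")
	case len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case a.AuthenticatorData[32]&flagUserPresent == 0:
		return errors.New("user presence (button press) not asserted")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("signature invalid")
	}
	return nil
}

// Demo registers a credential, runs one genuine ceremony, then shows that the server
// cannot re-purpose the stored signature for a different challenge (a different action)
// because it never held the private key. Returns (genuine verifies, forgery verifies).
func Demo() (bool, bool, error) {
	const rpID, origin = "example.com", "https://example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	challenge := make([]byte, 32) // server-chosen, random, single use
	if _, err := rand.Read(challenge); err != nil {
		return false, false, err
	}
	a, err := SimulateAuthenticatorGet(priv, rpID, origin, challenge, 1)
	if err != nil {
		return false, false, err
	}
	genuine := VerifyAssertion(&priv.PublicKey, rpID, origin, challenge, a) == nil

	other := bytes.Repeat([]byte{0x42}, 32) // constructed: the challenge of some other action
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(other), Origin: origin})
	forged := Assertion{a.AuthenticatorData, cd, a.Signature}
	return genuine, VerifyAssertion(&priv.PublicKey, rpID, origin, other, forged) == nil, nil
}
```

What the stored bundle does establish is that the private key behind the registered public key signed exactly this challenge, origin and rpIdHash with the presence flag set; nothing the server changes afterwards will still verify. What it does not establish by itself is the mapping from the challenge to the action the user was shown, nor that the registration binding the public key to this user was honest: both of those are the server's own records, so a design that wants evidentiary weight has to make the challenge derive from, or commit to, the action details and keep the registration record verifiable as well.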