In the enrollment stage an attacker could intercept the message and answer with
ID: 655786 • Letter: I
Question
In the enrollment stage an attacker could intercept the message and answer with a signature based on the correct challenge.
I know that normally you include a symmetric secret in such a challenge, but here there is only a random value which will be signed. I do not see the advantage of using this scheme. I think you can just do the authentication without this challenge. You can prevent replay attacks with it. So did I overlook anything? Is there a good explanation why FIDO does it the way it is specified?
Explanation / Answer
The challenge-response model is primarily designed to help prevent against replay attacks, in which an attacker sniffs an authentication packet and then replays it within their own session to gain unauthorised access.
As you noted, a server-controlled random token (called a "server nonce" in most protocols) which must be signed in order to authenticate makes it almost infinitely unlikely that an attacker would be able to replay an authentication packet to gain access.
However, one additional benefit is that the scheme forms a kind of zero-knowledge password proof, in which knowledge of a secret can be proven to the server, without ever actually transferring the actual secret over the network. This means that a network eavesdropper must break the challenge-response scheme (e.g. by bruteforce attack) in order to discover the secret.
Thomas Pornin provided an excellent summary of both server nonces and client nonces in another question, which summarises it much more clearly than I could hope to.