Replay Attack
An attack where a valid authentication or transaction message is captured and retransmitted to trick a system into accepting it as a new legitimate request.
Also known as: authentication replay, token replay
Last reviewed: 10 June 2026
In a replay attack, an attacker records a legitimate message (a session token, an authentication handshake, or a transaction authorisation) and resubmits it later, unchanged, to the same or a different system. The attacker does not need to read or forge the message: if the receiver has no way to tell a retransmitted message from a fresh one, it accepts the copy and grants access or processes the transaction a second time. For the same reason, encryption on its own is not a defence, since an encrypted message can be replayed as readily as a plaintext one; what is needed is something in each message that ties it to one specific moment or one specific request.
Replay attacks against authentication are mitigated by time-limited tokens, nonces (single-use random values embedded in messages), message counters or sequence numbers, and challenge-response protocols that require a fresh response for each authentication attempt. A nonce only helps if the verifier actually records which values it has issued or seen and refuses a repeat, and a timestamp alone merely narrows the window in which a captured message remains valid rather than closing it. FIDO2/WebAuthn passkeys use an unpredictable server-generated challenge for each login and the authenticator's signature covers that challenge (along with the requesting origin), so a captured authentication response is bound to one challenge and is useless when replayed.
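As an added illustration (this is example code written for this entry, not taken from any product or standard), the following Python compares a replayable login design with a challenge-response design. The shared HMAC key, the user name and the timestamps are constructed for the demo; a real FIDO2/WebAuthn deployment would sign the challenge with a per-credential private key rather than an HMAC, but the replay-resistance logic is the same: a fresh nonce per attempt, consumed on first use and rejected after a time limit.

```python
"""Challenge-response login vs. a replayable static token (demo, not production code)."""
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo user. A real FIDO2/WebAuthn deployment
# signs the challenge with a per-credential private key instead of an HMAC key.
SHARED_KEYS = {"alice": b"constructed-demo-key-do-not-reuse"}


def compute_response(key: bytes, user: str, nonce: str) -> str:
    """Client side: prove knowledge of the key over the server-supplied nonce."""
    return hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ReplayableServer:
    """Weak design: the client sends the same proof every time, so one
    captured message is as good as the credential itself."""

    def verify(self, user: str, proof: str) -> bool:
        # The "nonce" is a constant, so nothing ties the proof to this attempt.
        expected = compute_response(SHARED_KEYS[user], user, "login")
        return hmac.compare_digest(expected, proof)


class ChallengeResponseServer:
    """Hardened design: a single-use, time-limited nonce is bound into every proof."""

    def __init__(self, nonce_ttl: int = 60):
        self.nonce_ttl = nonce_ttl
        self.pending: dict[str, tuple[str, float]] = {}  # nonce -> (user, issued_at)

    def issue_challenge(self, user: str, now: float) -> str:
        nonce = secrets.token_hex(16)  # 128 random bits: unguessable, practically unique
        self.pending[nonce] = (user, now)
        return nonce

    def verify(self, user: str, nonce: str, proof: str, now: float) -> tuple[bool, str]:
        # pop() consumes the nonce whether or not verification succeeds, so a
        # second presentation of the same nonce can never be accepted.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False, "unknown or already-used nonce"
        issued_user, issued_at = entry
        if issued_user != user:
            return False, "nonce was issued to a different user"
        if now - issued_at > self.nonce_ttl:
            return False, "challenge expired"
        expected = compute_response(SHARED_KEYS[user], user, nonce)
        if not hmac.compare_digest(expected, proof):
            return False, "proof does not match challenge"
        return True, "ok"


def demo() -> dict[str, bool]:
    """Run both designs against an eavesdropper who captures one login and replays it."""
    results: dict[str, bool] = {}
    key = SHARED_KEYS["alice"]

    weak = ReplayableServer()
    captured = compute_response(key, "alice", "login")      # what the attacker sniffed
    results["weak_legit"] = weak.verify("alice", captured)
    results["weak_replay"] = weak.verify("alice", captured)  # replayed: still accepted

    strong = ChallengeResponseServer(nonce_ttl=60)
    t0 = 1_000_000.0  # constructed clock value (seconds)
    nonce = strong.issue_challenge("alice", now=t0)
    captured = compute_response(key, "alice", nonce)         # attacker sniffs this too
    results["strong_legit"] = strong.verify("alice", nonce, captured, now=t0 + 1)[0]
    # Replay 1: same nonce and proof again -> nonce already consumed.
    results["strong_replay_same_nonce"] = strong.verify("alice", nonce, captured, now=t0 + 2)[0]
    # Replay 2: attacker obtains a fresh challenge but submits the old proof.
    fresh = strong.issue_challenge("alice", now=t0 + 3)
    results["strong_replay_new_nonce"] = strong.verify("alice", fresh, captured, now=t0 + 4)[0]
    # Expiry: a correct answer that arrives after the TTL is also refused.
    late = strong.issue_challenge("alice", now=t0 + 10)
    late_proof = compute_response(key, "alice", late)
    results["strong_expired"] = strong.verify("alice", late, late_proof, now=t0 + 100)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26} accepted={accepted}")
```

The two details that matter in practice are that the nonce is removed from the pending set before any other check runs, so even a verification failure cannot leave it reusable, and that the proof is computed over the nonce itself, so a proof captured against one challenge cannot be presented against another. An in-memory dictionary is enough for the demo; a real service needs the same "issued, not yet used" state in a store shared by every node that can receive the response.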
In payment systems, replay attacks are addressed through unique transaction identifiers and idempotency keys: the service records the key with the outcome of the first request that carried it and, when the same key arrives again, returns that stored outcome instead of moving money a second time. The same mechanism makes legitimate client retries after a network timeout safe, which is why it is present in most payment APIs whether or not an attacker is in the picture. Consumers are most directly exposed to replay risk through poorly designed authentication systems, which is another reason to prefer services that implement modern cryptographic authentication standards.
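An added example of the idempotency-key approach, again written for this entry rather than drawn from any real payment provider: a naive endpoint that debits on every submission, beside one that keys each authorisation by a client-supplied idempotency key. The account balances, the order, and the key value `ord-7f3a` are constructed demo data. The hardened version also fingerprints the request body so that a reused key with a different amount is refused as a conflict rather than silently accepted or re-processed.

```python
"""Idempotent transaction processing vs. a double-charging endpoint (demo code)."""
import hashlib
import json


class NaivePaymentService:
    """No replay protection: every submitted authorisation moves money."""

    def __init__(self, balance: int):
        self.balance = balance
        self.ledger: list[dict] = []

    def charge(self, request: dict) -> dict:
        self.balance -= request["amount"]
        entry = {"txn": len(self.ledger) + 1, **request}
        self.ledger.append(entry)
        return entry


class IdempotentPaymentService:
    """Each request carries a client-chosen idempotency key. The outcome of the
    first request seen for a key is stored and returned verbatim to any later
    request with the same key, so a replayed authorisation cannot debit twice."""

    def __init__(self, balance: int):
        self.balance = balance
        self.ledger: list[dict] = []
        self.seen: dict[str, tuple[str, dict]] = {}  # key -> (payload fingerprint, result)

    @staticmethod
    def _fingerprint(request: dict) -> str:
        # Canonical JSON so that key order in the request body does not change the hash.
        canonical = json.dumps(request, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def charge(self, idempotency_key: str, request: dict) -> dict:
        fp = self._fingerprint(request)
        if idempotency_key in self.seen:
            stored_fp, stored_result = self.seen[idempotency_key]
            if stored_fp != fp:
                # Same key, different body: refuse rather than guess which request was meant.
                return {"status": "conflict", "reason": "idempotency key reused with different payload"}
            return {**stored_result, "replayed": True}
        if request["amount"] > self.balance:
            result = {"status": "declined", "reason": "insufficient funds"}
        else:
            self.balance -= request["amount"]
            txn = {"txn": len(self.ledger) + 1, **request}
            self.ledger.append(txn)
            result = {"status": "ok", **txn}
        # Declines are recorded too, so a retried request gets a stable answer.
        self.seen[idempotency_key] = (fp, result)
        return result


def demo() -> dict:
    """Submit one authorisation, then replay it, against both designs."""
    order = {"payer": "alice", "payee": "shop", "amount": 40}  # constructed demo order

    naive = NaivePaymentService(balance=100)
    naive.charge(order)
    naive.charge(order)  # replayed by an attacker or a retrying client: charged twice

    idem = IdempotentPaymentService(balance=100)
    first = idem.charge("ord-7f3a", order)                       # constructed key value
    replay = idem.charge("ord-7f3a", order)                      # exact replay
    tampered = idem.charge("ord-7f3a", {**order, "amount": 90})  # same key, altered amount

    return {
        "naive_balance": naive.balance,
        "naive_ledger_len": len(naive.ledger),
        "idem_balance": idem.balance,
        "idem_ledger_len": len(idem.ledger),
        "first_status": first["status"],
        "replay_same_txn": replay.get("txn") == first["txn"] and replay.get("replayed") is True,
        "tampered_status": tampered["status"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The in-memory `seen` dictionary stands in for what must, in a real deployment, be a durable store shared by every replica that can receive the request, written in the same transaction as the ledger entry; if the result is recorded only after the debit commits, a crash between the two steps leaves a window in which a retry or replay is charged again.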