You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Authenticators SHOULD implement a signature counter feature.
The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value,
and its value is returned to the WebAuthn Relying Party within the authenticator data. The signature counter's purpose
is to aid Relying Parties in detecting cloned authenticators. Clone detection is more important for authenticators
with limited protection measures.
A Relying Party stores the signature counter of the most recent authenticatorGetAssertion operation.
Upon a new authenticatorGetAssertion operation, the Relying Party compares the stored signature counter value with
the new signCount value returned in the assertion’s authenticator data. If this new signCount value is less than or equal
to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.
Detecting a signature counter mismatch does not indicate whether the current operation was performed by a cloned authenticator
or the original authenticator. Relying Parties should address this situation appropriately relative to their individual
situations, i.e., their risk tolerance.
To accomplish this it would be great if we could supply our stored counter to the verifyAuthenticatorAssertion method which would then check whether the supplied counter is less than the counter on the authenticator.
The text was updated successfully, but these errors were encountered:
To accomplish this it would be great if we could supply our stored counter to the
verifyAuthenticatorAssertionmethod which would then check whether the supplied counter is less than the counter on the authenticator.The text was updated successfully, but these errors were encountered: