Re: [webauthn] Sign counter alg 507

> If the user logs in first, after the attacker cloned the device but before the attacker uses the cloned device, it is the current login (from the attacker) that is the problem.

Yes, that cloning event will be missed. But, as noted above, there are several scenarios where the signature counter will miss a cloning event. I suppose one could argue that the fewer the better.

(I don't know whether any existing tokens are already depending on zero being ignored. So far I've not observed any that don't have a single, global counter.) 

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-328526180 using your GitHub account

Received on Monday, 11 September 2017 13:18:48 UTC