- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Tue, 05 Sep 2017 21:13:00 +0000
- To: public-webauthn@w3.org
> Why would it be a signal about a previous login and not the current one?

In the ideal case, where the token maintains a perfect, per-key counter, then an attacker who clones a token with a counter of n, will impersonate the victim by using a counter of n+1, because they want the attack to succeed. The victim will later try to authenticate and also use n+1, because that's the correct value for them, and trigger a counter mismatch. But the attempt with the bad counter value wasn't the attack, it was the victim tripping over the state change that the attack caused.

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-327305129 using your GitHub account
Received on Tuesday, 5 September 2017 21:13:01 UTC
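
The sequence described in the message above, as an added example that is not part of the original message or of the WebAuthn specification text. The `Authenticator` and `RelyingParty` classes are hypothetical models, and the relying party is assumed to accept only a counter strictly greater than the one it last stored.

```javascript
// Added illustration: all class, method and field names here are hypothetical.

// Minimal model of a token with a perfect, per-key signature counter.
class Authenticator {
  constructor(counter = 0) { this.counter = counter; }
  // Each assertion increments the counter and reports the new value.
  sign() { this.counter += 1; return this.counter; }
  // A clone carries the counter state as it was when the copy was made.
  clone() { return new Authenticator(this.counter); }
}

// Relying party that remembers the last counter seen for the credential.
class RelyingParty {
  constructor() { this.stored = 0; this.log = []; }
  // Assumed policy: accept only a counter strictly greater than the stored one.
  verify(who, counter) {
    const ok = counter > this.stored;
    if (ok) this.stored = counter;
    this.log.push({ who, counter, result: ok ? "accepted" : "counter-mismatch" });
    return ok;
  }
}

// Replays the order of events from the message and returns the last two log entries.
function simulate() {
  const rp = new RelyingParty();
  const victim = new Authenticator();
  // Normal use brings both the token and the stored value to n = 5.
  for (let i = 0; i < 5; i++) rp.verify("victim", victim.sign());
  const cloned = victim.clone();          // copy taken at counter n
  rp.verify("attacker", cloned.sign());   // presents n+1, which is what the RP expects
  rp.verify("victim", victim.sign());     // also presents n+1, now stale
  return rp.log.slice(-2);
}

console.log(simulate());
```

For incident response, the point is that the mismatch event marks a login by the legitimate token, so the logins accepted before it are the ones to review.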