- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Sun, 29 May 2022 23:55:50 +0000
- To: public-webauthn@w3.org
> Should we also consider offering advice to RP's on what to do if an authenticator _stops_ providing a non-zero counter in subsequent authentications? Touch ID registered via Chrome on macOS used to return responses with (atomic?) timestamps for a counter, but now those kinds of responses return `0`. I think Chrome only returns zeroes now so perhaps it's less of an issue, but that's not to say this scenario can't play out again with future authenticators.

Webauthn-RS rejects any credential where it was registered with a counter of 0, and then attempts to authenticate with a counter of > 0, since this changes the dynamic of the trust relationship we had between registration to authentication. We can't rule out some kind of tampering or forgery, so it's rejected.

I think we should definitely have advice related to this scenario.

--
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1734#issuecomment-1140549987 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 29 May 2022 23:55:51 UTC
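
The counter transitions discussed in this message, as an added example that is not part of the original message and is not Webauthn-RS code. The type and function names and the `allow_stopped_counting` policy switch are hypothetical; the sample counter pairs are constructed.

```rust
// Added illustration; not webauthn-rs code. All names are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum CounterVerdict {
    NotSupported,    // stored 0, received 0: authenticator has no counter
    Advanced(u32),   // received > stored > 0: persist the new value
    StartedCounting, // stored 0, received > 0: the case the reply rejects
    StoppedCounting, // stored > 0, received 0: the case the quoted question raises
    Regressed,       // 0 < received <= stored: possible cloned authenticator
}

/// Classify an assertion's signCount against the value stored for the credential.
pub fn classify(stored: u32, received: u32) -> CounterVerdict {
    match (stored, received) {
        (0, 0) => CounterVerdict::NotSupported,
        (0, _) => CounterVerdict::StartedCounting,
        (_, 0) => CounterVerdict::StoppedCounting,
        (s, r) if r > s => CounterVerdict::Advanced(r),
        _ => CounterVerdict::Regressed,
    }
}

/// RP policy knob (assumption): whether a counter dropping to 0 is tolerated.
pub struct Policy {
    pub allow_stopped_counting: bool,
}

/// Returns the counter value to persist if accepted, Err(verdict) if rejected.
pub fn evaluate(p: &Policy, stored: u32, received: u32) -> Result<u32, CounterVerdict> {
    match classify(stored, received) {
        CounterVerdict::NotSupported => Ok(0),
        CounterVerdict::Advanced(r) => Ok(r),
        // Keep the old stored value so a later non-zero counter is still compared.
        CounterVerdict::StoppedCounting if p.allow_stopped_counting => Ok(stored),
        v => Err(v),
    }
}

fn main() {
    let strict = Policy { allow_stopped_counting: false };
    // Constructed (stored, received) pairs, not captured from real authenticators.
    for (s, r) in [(0, 0), (0, 1653868550), (41, 42), (42, 42), (42, 0)] {
        println!("stored={} received={} -> {:?}", s, r, evaluate(&strict, s, r));
    }
}
```

Returning the verdict in the `Err` case lets the RP log which transition occurred instead of collapsing every rejection into one generic counter failure.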