- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Sun, 29 May 2022 23:59:07 +0000
- To: public-webauthn@w3.org
> @MasterKale Are you saying that signature counters are going away? That would be a pity because they add one element to secure replay detection when FIDO is used for payment authorizations. This is a core feature of EMV (secure payment cards).
>

Android still supports signature counters. Single-device-bound credentials tend to still have counters, i.e. YubiKeys, or a Touch ID from Apple that is attested and device bound. However, passkeys do NOT have the ability to synchronise their counters in real time, and so they have counters always == 0.

So IMO there are two states we should have in the standard.

At registration you register a counter of 0, indicating you will never use a counter with this device and it will always be 0 (and likely a passkey ....).

At registration you register with a count of non-zero, meaning the counter will increment as authentications proceed and the RP should update the counter state over time. The counter will always be non-zero.

In the states where the counter == 0 at registration and auth has a non-zero counter, or the counter is non-zero at registration and during authentication it goes to 0, both should be RP security choices (recommending to reject).

--
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1734#issuecomment-1140550429 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
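The two-state counter policy described in the comment above, worked through as an added example on the relying-party side (this is not code from the thread, from the WebAuthn spec or from any library). The `StoredCredential` record, the `Verdict` type and the rule that a counting credential must strictly advance its counter on every accepted assertion are my assumptions; the two mismatch states are rejected, following the comment's recommendation.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int      # last accepted signCount; starts at the registration value
    uses_counter: bool   # False when registration reported 0 (passkey-style, never counts)


def register(credential_id: bytes, registration_sign_count: int) -> StoredCredential:
    """Record counter state from registration: 0 means 'this device will never count'."""
    return StoredCredential(
        credential_id=credential_id,
        sign_count=registration_sign_count,
        uses_counter=registration_sign_count != 0,
    )


def check_sign_count(cred: StoredCredential, assertion_sign_count: int) -> Verdict:
    """Apply the two-state policy to the signCount carried by an incoming assertion.

    Updates cred.sign_count only when the assertion is accepted.
    """
    if not cred.uses_counter:
        # State 1: registered with 0. A counter appearing later means this is not
        # the credential we registered (or its state is corrupt) -> reject.
        return Verdict.ACCEPT if assertion_sign_count == 0 else Verdict.REJECT

    if assertion_sign_count == 0:
        # State 2 inverted: a counting credential suddenly stops counting -> reject.
        return Verdict.REJECT

    if assertion_sign_count <= cred.sign_count:
        # Counter did not advance: consistent with a cloned credential or a
        # replayed assertion, which is exactly what the counter exists to catch.
        return Verdict.REJECT

    # Normal counting path: accept and persist the advanced counter.
    cred.sign_count = assertion_sign_count
    return Verdict.ACCEPT
```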
Received on Sunday, 29 May 2022 23:59:09 UTC