- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Mon, 30 May 2022 08:58:49 +0000
- To: public-webauthn@w3.org
> Webauthn-RS rejects any credential where it was registered with a counter of 0, and then attempts to authenticate with a counter of > 0

It is valid for the authenticator to begin the counter at 0 during registration and increment it to 1 in the first assertion - in fact, this is the [specified behaviour](https://www.w3.org/TR/webauthn/#ref-for-signature-counter%E2%91%A0%E2%91%A4) for per-credential counters. So you may want to adjust that behaviour to instead reject credentials that attempt to authenticate with >0 after ever _authenticating_ with =0.

> So IMO there are two states we should have in the standard.
>
> At registration you register a counter of 0, indicating you will never use a counter with this device and it will always be 0 (and likely a passkey ....).

So unfortunately this would be a breaking change, at least formally. It might happen to be compatible with existing implementations, but I don't think there is strong enough reason to change it since there is still a simple and concise validation rule as described above.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1734#issuecomment-1140890926 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
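The counter rule discussed in the message, written out as relying-party verification logic. This is an added example, not code from the WebAuthn specification, from Webauthn-RS, or from the message author; the `StoredCredential` record, the function names and the choice to fail an assertion on a non-increasing counter are assumptions made here. It accepts a counter that starts at 0 at registration and becomes 1 on the first assertion, rejects a non-zero counter once the credential has ever authenticated with 0, and keeps the spec's own clone signal (non-increasing counter when either value is non-zero). For contrast it also encodes the stricter behaviour the quoted comment attributes to Webauthn-RS.

```python
"""Signature counter checks for a WebAuthn relying party (added illustration).

Not code from the WebAuthn spec, Webauthn-RS or the message author; the
state record and function names are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass


class CounterError(Exception):
    """Raised when an assertion's signCount violates the relying party's policy."""


@dataclass
class StoredCredential:
    """Per-credential state the RP keeps (hypothetical shape)."""
    stored_counter: int = 0             # value accepted at registration or last assertion
    asserted_zero_before: bool = False  # has an accepted assertion ever carried signCount == 0?


def verify_sign_count(cred: StoredCredential, sign_count: int) -> StoredCredential:
    """Check one assertion's signCount against stored state; updates and returns `cred`.

    Rule from the message: a credential that has ever authenticated with 0 must
    not later present a non-zero counter.  Rule from the spec's assertion
    verification step: when either value is non-zero the asserted counter must
    strictly increase, otherwise the authenticator may be cloned.  Failing the
    assertion in that case is the policy chosen for this example.
    """
    if sign_count < 0:
        raise CounterError("signCount is an unsigned 32-bit integer")
    if cred.asserted_zero_before and sign_count > 0:
        raise CounterError("credential authenticated with counter 0 before; non-zero counter now")
    if sign_count > 0 or cred.stored_counter > 0:
        if sign_count <= cred.stored_counter:
            raise CounterError(
                f"counter did not increase ({sign_count} <= {cred.stored_counter}); possible clone")
        cred.stored_counter = sign_count
    else:
        # Both zero: the authenticator does not use a counter (the quoted 'passkey' case).
        cred.asserted_zero_before = True
    return cred


def run_sequence(sign_counts: list[int], registered_counter: int = 0) -> list[str]:
    """Replay assertions against a freshly registered credential.

    Returns 'ok' or 'reject: <reason>' for each assertion in order.
    """
    cred = StoredCredential(stored_counter=registered_counter)
    outcomes: list[str] = []
    for count in sign_counts:
        try:
            verify_sign_count(cred, count)
            outcomes.append("ok")
        except CounterError as err:
            outcomes.append(f"reject: {err}")
    return outcomes


def rejects_under_quoted_rule(registered_counter: int, sign_count: int) -> bool:
    """The behaviour the quoted comment attributes to Webauthn-RS, for contrast:
    registered with 0 and then asserting > 0 is rejected outright, which the
    message points out would refuse a spec-compliant per-credential counter."""
    return registered_counter == 0 and sign_count > 0


if __name__ == "__main__":
    # Constructed assertion sequences, each against a credential registered with counter 0.
    print(run_sequence([1, 2, 3]))          # per-credential counter starting from 0: all ok
    print(run_sequence([0, 0, 5]))          # counter appears after authenticating with 0: rejected
    print(run_sequence([7, 7]))             # non-increasing counter: clone signal, rejected
    print(rejects_under_quoted_rule(0, 1))  # True: the stricter behaviour the message objects to
```

The first sequence is the case the message calls out: registration at 0 followed by an assertion at 1 passes here but is refused by the stricter rule, while the second sequence is the one the proposed replacement rule is meant to catch.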
Received on Monday, 30 May 2022 08:58:50 UTC