[webauthn] Should race condition be added as a reason for a signature counter not increasing? (#2172)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Should race condition be added as a reason for a signature counter not increasing? ==
Currently [§ 6.1.1.](https://w3c.github.io/webauthn/#sctn-sign-counter) only states the following as reasons for why a signature counter does not increase:

> If either is non-zero, and the new [`signCount`](https://w3c.github.io/webauthn/#authdata-signcount) value is less than or equal to the stored value, a cloned authenticator may exist, or the authenticator may be malfunctioning.

However, it's possible an older response is processed after a newer one, since there is no guarantee that data that is sent from the client before other data sent from the same client will be received, let alone processed, before the other. This primarily affects passkey flows and not second-factor ones, since for the latter, RPs can either force at most one active ceremony per credential or use the `signCount` at the time the ceremony began to compare to.

Is this deemed too unlikely to warrant mention?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2172 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 1 October 2024 20:30:13 UTC
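
The race described in the issue above, as an added example that is not part of the original message or of the WebAuthn specification: a Python model of an RP applying the quoted § 6.1.1 comparison to two concurrent ceremonies whose responses arrive out of order, once against the currently stored value and once against the value captured when the ceremony began. The names `Credential`, `check_sign_count`, `process_latest`, `process_with_snapshot` and `simulate`, and the counter values 5, 6 and 7, are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Credential:
    stored_sign_count: int  # last signCount the RP accepted for this credential


def check_sign_count(baseline: int, new_count: int) -> bool:
    """Rule quoted from § 6.1.1: if either value is non-zero, the new
    signCount must be strictly greater than the value compared against."""
    if baseline == 0 and new_count == 0:
        return True  # authenticator does not implement a counter
    return new_count > baseline


def process_latest(cred: Credential, new_count: int) -> bool:
    """Compare against whatever is stored when the response is processed."""
    ok = check_sign_count(cred.stored_sign_count, new_count)
    if ok:
        cred.stored_sign_count = new_count
    return ok


def process_with_snapshot(cred: Credential, snapshot: int, new_count: int) -> bool:
    """Compare against the signCount captured when the ceremony began
    (possible when the credential is known up front, as in second-factor flows)."""
    ok = check_sign_count(snapshot, new_count)
    if ok:
        # Never move the stored counter backwards.
        cred.stored_sign_count = max(cred.stored_sign_count, new_count)
    return ok


def simulate(arrival_order, start_count=5):
    """Two ceremonies start while the stored count is start_count; the
    authenticator signs with the counts in arrival_order (constructed values),
    and the server processes them in that order."""
    latest, snap = Credential(start_count), Credential(start_count)
    results = {"latest": [], "snapshot": []}
    for count in arrival_order:
        results["latest"].append(process_latest(latest, count))
        results["snapshot"].append(process_with_snapshot(snap, start_count, count))
    return results


if __name__ == "__main__":
    print("in order    :", simulate([6, 7]))
    print("out of order:", simulate([7, 6]))
```

With the out-of-order arrival, the comparison against the stored value flags the older response as a possible clone even though one authenticator produced both. The snapshot comparison accepts it, at the cost of not distinguishing responses whose counters fall between the snapshot and the newest accepted value.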