- From: Matthew Miller via GitHub <noreply@w3.org>
- Date: Wed, 19 Nov 2025 00:04:50 +0000
- To: public-webauthn@w3.org
MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== Virtual authenticator should allow `counter` to always be `0` ==

## Proposed Change

It doesn't seem possible today, with the currently defined WebAuthn virtual authenticator API, to emulate use of synced passkey credential managers. The authenticator data `signCount` always increments in authentication responses. This makes it impossible to use the virtual authenticators to test scenarios in which `signCount` is always `0` in auth responses.

Poking around the spec, it's possible to set an initial sign count when you add a credential to a virtual authenticator:

https://w3c.github.io/webauthn/#sctn-automation-add-credential

However this signCount always increments in subsequent authentications. If an RP backend keeps track of the counter, a test script that wants to automate the instantiation of a virtual authenticator and its credential would need to query the backend for its current `signCount` for that credential, or subsequent auth responses from the authenticator would have a signCount lower than what's in the DB, and the response would get rejected.

Maybe we can expand the [Set Credential Properties](https://w3c.github.io/webauthn/#sctn-automation-set-credential-properties) endpoint to enable a credential response to always return with a `signCount` of 0 🤔

I'd like to talk about how we might enhance the virtual authenticator API to allow for better emulation of synced passkey providers.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2363 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 19 November 2025 00:04:51 UTC
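
The RP-side counter check that the issue above runs into, as an added example that is not part of the original message or of any project's code. Function names are hypothetical, the authenticator data is constructed, and rejecting a response whose counter fails to advance is an assumed RP policy.

```javascript
// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseSignCount(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return view.getUint32(33); // DataView reads big-endian by default
}

// Counter check on an authentication response. Assumption: the RP's policy is
// to reject when a counter that is in use fails to advance.
function checkSignCount(storedCount, authData) {
  const received = parseSignCount(authData);
  if (received === 0 && storedCount === 0) {
    return { accepted: true, storedCount: 0 }; // counter not in use (synced passkey)
  }
  if (received > storedCount) {
    return { accepted: true, storedCount: received }; // counter advanced, persist it
  }
  return { accepted: false, storedCount }; // equal or lower: possible clone signal
}

// Constructed authenticator data: zeroed rpIdHash placeholder, UP|UV flags.
function makeAuthData(signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = 0x05;
  new DataView(bytes.buffer).setUint32(33, signCount);
  return bytes;
}

// Replays a sequence of response counters against the backend's stored value.
function replay(storedCount, counters) {
  const results = [];
  for (const c of counters) {
    const r = checkSignCount(storedCount, makeAuthData(c));
    storedCount = r.storedCount;
    results.push(r.accepted);
  }
  return { results, storedCount };
}

const synced = replay(0, [0, 0, 0]);   // provider that always sends 0
const firstRun = replay(0, [1, 2, 3]); // incrementing virtual authenticator, fresh DB
// Test script re-creates the credential with an initial count of 0; the DB still holds 3.
const secondRun = replay(firstRun.storedCount, [1, 2]);
console.log({ synced, firstRun, secondRun });
```

The second run is rejected because the backend's stored counter outlives the virtual authenticator, which is why a test script would otherwise have to query the backend for the current value.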