- From: Matthew Miller via GitHub <noreply@w3.org>
- Date: Tue, 27 Jan 2026 23:01:28 +0000
- To: public-webauthn@w3.org
> Would it make sense to make the virtual authenticator treat the sign counter as fixed to 0 by default to match the majority of real world implementations?

I agree it would be nicer if the default behavior reflected the majority behavior in which passkeys are being synced and `signCount` is almost always `0`. However, my concern with such a change is that it'd break all of the existing use of virtual authenticators that RPs have written into their automated tests that expect the sign count to increment automatically because of current virtual authenticator behavior. That's why it seems best to handle this with the addition of an opt-in change to virtual authenticator signature count behavior.

> If we really wanted to support testing other values, Set Credential Properties could pass in a different (fixed) value, and the caller could manually increment in whatever steps it wants to test.

This is giving me the idea of a new "`freezeSignCount`" boolean that could be added to the **Set Credential Properties** parameters. Combined with the new `signCount` I'm proposing in #2382, an RP could then hypothetically pass in...
```
{ "signCount": 0, "freezeSignCount": true }
```
...to this endpoint for a specific credential, at which point every subsequent use of that credential would yield a WebAuthn auth response with `authData.signCount: 0` 🤔
--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2363#issuecomment-3807974728 using your GitHub account
Received on Tuesday, 27 January 2026 23:01:29 UTC
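
The behaviors discussed in this message, seen from the RP side, as an added example that is not part of the original comment or of any WebDriver implementation: a toy credential model feeds the signature-counter check an RP performs on each assertion. `makeCredential`, `checkSignCount` and `runLogins` are hypothetical names, the model is constructed, and `freezeSignCount` exists only as the parameter proposed above.

```javascript
// Toy model of one virtual-authenticator credential (constructed, NOT the
// WebDriver API). `freezeSignCount` is the opt-in flag proposed in the message;
// leaving it false keeps the auto-increment that existing RP tests rely on.
function makeCredential({ signCount = 0, freezeSignCount = false } = {}) {
  const state = { signCount, freezeSignCount };
  return {
    // Stand-in for the proposed Set Credential Properties parameters.
    setProperties(props) { Object.assign(state, props); },
    // Returns the signCount that would appear in authData for one assertion.
    assert() {
      if (!state.freezeSignCount) state.signCount += 1;
      return state.signCount;
    },
  };
}

// RP-side counter check: when both the stored and received values are 0 the
// counter is not in use (typical for synced passkeys); otherwise the received
// value must be strictly greater than the stored one.
function checkSignCount(stored, received) {
  if (stored === 0 && received === 0) {
    return { ok: true, stored: 0, reason: "counter not in use" };
  }
  if (received > stored) {
    return { ok: true, stored: received, reason: "counter advanced" };
  }
  // What the RP does next (reject, step up, log) is its own policy decision.
  return { ok: false, stored, reason: "counter did not advance" };
}

// Runs n assertions and threads the RP's stored counter through each check.
function runLogins(cred, stored, n) {
  const results = [];
  for (let i = 0; i < n; i++) {
    const result = checkSignCount(stored, cred.assert());
    stored = result.stored;
    results.push(result);
  }
  return results;
}

// Current default behavior: the counter increments on every use.
console.log(runLogins(makeCredential(), 0, 3).map((r) => r.reason));
// Proposed opt-in: every assertion reports signCount 0.
console.log(runLogins(makeCredential({ signCount: 0, freezeSignCount: true }), 0, 3).map((r) => r.reason));
```

Freezing at a nonzero value that the RP has already stored gives a test for the non-advancing-counter branch, which the auto-incrementing default cannot reach.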