The current doAuthenticate only checks the counter and if the signature is
valid. It should also check if the response challenge is the request
Thank you for noticing this!
Fix coming shortly.
check the request challenge on authenticate
This may still leave the challenge parameter at some level of risk. Need to lock out tokens that have a good signature but a bad challenge. (see https://twitter.com/KevinSMcArthur/status/528204854875783169 thread for discussion)
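The checks discussed in this thread, sketched as an added example (not code from the project or from any participant): verify the signature, require the challenge inside clientData to equal the one issued for this request, lock out a key handle that presents a good signature with a bad challenge, then check the counter. `Verifier`, `make_response`, `hmac_verify` and the result strings are hypothetical names, and an HMAC stands in for the token's ECDSA P-256 signature so the block runs offline.

```python
import base64, hashlib, hmac, json, struct

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hmac_verify(key, signed, sig):
    # Stand-in for ECDSA P-256 verification (assumption, keeps the demo offline).
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

class Verifier:
    def __init__(self, app_id, verify_sig=hmac_verify):
        self.app_param = hashlib.sha256(app_id.encode()).digest()
        self.verify_sig = verify_sig
        self.locked = set()  # key handles locked out after a bad challenge

    def authenticate(self, reg, issued_challenge, client_data_b64, sig_data_b64):
        if reg["key_handle"] in self.locked:
            return "locked"
        client_data, raw = b64u_decode(client_data_b64), b64u_decode(sig_data_b64)
        if len(raw) < 6:
            return "malformed"
        # U2F signs: app param || presence (1) || counter (4) || SHA-256(clientData)
        signed = self.app_param + raw[:5] + hashlib.sha256(client_data).digest()
        if not self.verify_sig(reg["public_key"], signed, raw[5:]):
            return "bad_signature"
        try:
            got = str(json.loads(client_data).get("challenge", ""))
        except (ValueError, AttributeError):
            got = ""
        # A valid signature only proves the token signed *some* clientData; the
        # challenge in it must be the one this server issued for this request.
        if not hmac.compare_digest(got.encode(), issued_challenge.encode()):
            self.locked.add(reg["key_handle"])
            return "bad_challenge"
        counter = struct.unpack(">I", raw[1:5])[0]
        if counter <= reg["counter"]:
            return "counter_not_increased"
        reg["counter"] = counter
        return "ok"

def make_response(key, app_id, challenge, counter):
    # Constructed token response for the demo (HMAC stand-in signature).
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge}).encode()
    head = b"\x01" + struct.pack(">I", counter)
    signed = hashlib.sha256(app_id.encode()).digest() + head + hashlib.sha256(client_data).digest()
    return b64u_encode(client_data), b64u_encode(head + hmac.new(key, signed, hashlib.sha256).digest())
```

A response built for one challenge and presented against a different issued challenge passes the signature and counter checks here and is rejected only by the challenge comparison.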