hard-rejecting valid webauthn assertions because the signature counter did not increase breaks synced/multi-device passkeys.
webauthn level 3 says a non-increasing counter is only “a signal, but not proof” of cloning, and whether to fail authentication is rp-specific. simplewebauthn also notes that some authenticators, like touch id on macos, may always return 0, leaving the rp unable to do counter-based clone detection, especially for multi-device credentials.
https://x.com/Szyszke_/status/2057549580506673341
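As an added example (not code from the post above or from SimpleWebAuthn), here is what an RP-side counter check that follows that guidance can look like: the signCount is parsed out of the authenticatorData, compared with the stored value, and a non-increasing value is recorded as a signal, with the hard-fail decision left to an explicit, RP-chosen policy that is off by default. Function names, the `policy` object and the constructed authenticatorData (zeroed rpIdHash, no attested credential data) are assumptions for illustration; signature verification and origin/challenge checks are assumed to happen elsewhere.

```javascript
// Added example, not from the original post. Demonstrates treating a
// non-increasing WebAuthn signature counter as a signal rather than proof.
// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: a multi-device (synced) credential
const FLAG_BS = 0x10; // backup state: currently backed up

// Parse the fixed-size prefix of authenticatorData (Node Buffer).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flagsByte = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    flags: {
      userPresent: (flagsByte & FLAG_UP) !== 0,
      userVerified: (flagsByte & FLAG_UV) !== 0,
      backupEligible: (flagsByte & FLAG_BE) !== 0,
      backedUp: (flagsByte & FLAG_BS) !== 0,
    },
    signCount: authData.readUInt32BE(33),
  };
}

// Counter policy. Default: never hard-fail, only surface a signal.
// hardFailSingleDevice (hypothetical option): RP may choose to reject a
// non-increasing counter for credentials that are NOT backup eligible.
const DEFAULT_POLICY = { hardFailSingleDevice: false };

// Returns { accept, signal, newStoredCounter } for the stored counter and the
// parsed authenticatorData of an incoming assertion.
function evaluateSignCount(storedCounter, parsed, policy = DEFAULT_POLICY) {
  const { signCount, flags } = parsed;

  // Authenticator does not implement a counter (always 0): nothing to compare.
  if (signCount === 0 && storedCounter === 0) {
    return { accept: true, signal: 'counter-unsupported', newStoredCounter: 0 };
  }

  // Normal case: counter moved forward, persist the new value.
  if (signCount > storedCounter) {
    return { accept: true, signal: null, newStoredCounter: signCount };
  }

  // Non-increasing counter. For multi-device credentials the counter is not a
  // usable clone indicator, so this is only logged, never fatal.
  if (flags.backupEligible) {
    return { accept: true, signal: 'counter-not-increasing-multidevice', newStoredCounter: storedCounter };
  }

  // Single-device credential: still only a signal; rejection is an RP decision.
  return {
    accept: !policy.hardFailSingleDevice,
    signal: 'counter-not-increasing',
    newStoredCounter: storedCounter,
  };
}

// Convenience wrapper: raw authenticatorData in, decision out.
function checkAssertionCounter(storedCounter, authData, policy) {
  return evaluateSignCount(storedCounter, parseAuthData(authData), policy);
}

// Constructed test input (not a real authenticator response): zeroed rpIdHash,
// caller-supplied flags byte and counter.
function buildAuthData(flagsByte, signCount) {
  const buf = Buffer.alloc(37);
  buf[32] = flagsByte;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}

// Stand-alone demonstration of the four situations discussed.
function demo() {
  const single = FLAG_UP | FLAG_UV;
  const synced = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS;
  return [
    checkAssertionCounter(10, buildAuthData(single, 11)),                // advances
    checkAssertionCounter(0, buildAuthData(synced, 0)),                  // no counter
    checkAssertionCounter(10, buildAuthData(synced, 10)),                // synced passkey
    checkAssertionCounter(10, buildAuthData(single, 10), { hardFailSingleDevice: true }),
  ];
}

module.exports = { parseAuthData, evaluateSignCount, checkAssertionCounter, buildAuthData, demo };
```

The signal string is what an RP would feed into its risk pipeline (step-up, alerting, or account review) instead of a 401; only the last case, where the RP has opted in for single-device credentials, refuses the assertion.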