top | item 44368131


agl | 8 months ago

Setting a signature counter to constant zero is explicitly supported[1] and it's not a bug that it works. Google does not require the signature counter to increment; it's something else invalid about the response that's tripping it up.

The security story for signature counters is subtle[2] and the vast (vast) majority of sites are correct not to require them.

Using the Chrome virtual authenticator indeed works, and from the DevTools UI directly (three dots -> More Tools -> WebAuthn), no sockets required. It's not a vulnerability that it works. If it didn't, Apple, Google, and Microsoft would be effectively the only possible passkey providers. You can lock it down in enterprise environments if you need[3].

[1] https://www.w3.org/TR/webauthn-3/#sctn-sign-counter
[2] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...
[3] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...


diggernet | 8 months ago

Interesting. If the counter can be zero, does that mean passkeys can be non-resident keys? And which party gets to decide the counter value?