by dimonomid 2861 days ago
I just realized that there IS a reliable solution to this issue with the counter. According to the ATECC508A datasheet, its counters can count only up to 2097151, but the whole range of the U2F counter is 0xffffffff (which is more than 4 000 000 000). So, the counter boost should be set to a value larger than 2097151, and then the primary token would never be able to return a counter that is that large. So once the backup token is used, the primary one is invalidated for good.

Ok cool, I’ll update the article with that important detail.

1 comments

Wouldn't that also invalidate your backup token after first use?

No, of course not. In backup, we basically use this as a counter: `hardware_counter_value + 2000000000`. We don't care that `hardware_counter_value` cannot be larger than `2097151`; the value we use for calculations is 32-bit, so effectively, for the backup token, the values will start at `2000000000` and the maximum possible value will be `2002097151`.

But the primary token uses just `hardware_counter_value`, so its range is from `0` to `2097151`.

The important part is that the ranges of primary and backup tokens don't intersect.
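
The counter behaviour discussed in this thread, as an added example that is not part of any comment or of the token's firmware. The `Token` and `RelyingParty` classes are hypothetical models; the relying party is assumed to accept a signature only when its counter is greater than the last one it stored.

```python
HW_COUNTER_MAX = 2_097_151    # ATECC508A counter limit quoted in the thread
BACKUP_BOOST = 2_000_000_000  # offset the backup token adds, per the thread
U32_MAX = 0xFFFFFFFF          # the U2F counter is a 32-bit value


class Token:
    """Hypothetical token: reported counter = hardware counter + boost."""

    def __init__(self, boost=0):
        if boost + HW_COUNTER_MAX > U32_MAX:
            raise ValueError("boost would overflow the 32-bit U2F counter")
        self.boost = boost
        self.hw = 0

    def sign(self):
        if self.hw >= HW_COUNTER_MAX:
            raise RuntimeError("hardware counter exhausted")
        self.hw += 1
        return self.hw + self.boost


class RelyingParty:
    """Assumed server-side check: the counter must strictly increase."""

    def __init__(self):
        self.last = 0

    def verify(self, counter):
        if counter <= self.last:
            return False  # stale counter, e.g. the primary after backup use
        self.last = counter
        return True


def scenario(boost):
    """Primary signs in, backup signs in twice, then primary tries its maximum."""
    rp, primary, backup = RelyingParty(), Token(), Token(boost)
    out = {"primary_before": rp.verify(primary.sign()),
           "backup_first": rp.verify(backup.sign()),
           "backup_second": rp.verify(backup.sign())}
    primary.hw = HW_COUNTER_MAX - 1  # fast-forward to the largest value it can report
    out["primary_at_max"] = rp.verify(primary.sign())
    return out


if __name__ == "__main__":
    print("boost 2000000000:", scenario(BACKUP_BOOST))
    print("boost 1000 (constructed, too small):", scenario(1000))
```

With the boost from the thread, the backup keeps working after its first use and the primary is rejected even at its maximum counter; with a boost below 2097151, the primary can overtake the backup and be accepted again.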