| > The counter is maintained by the ATECC508A chip In the u2fzero implementaiton, the counter is not used internally by the ATEC5508A in the signature generation. It's merely used as stable storage. It's used much like unix advisory file locking. As long as you are not using it adversarially, it will work "correctly". Once you attack the device, it's absolutely trivial to use any counter value you care to, not at all connected to the (yes, secure-enough) counter internally stored in the ATEC5508A. Apologies about my incorrect statement about any site's usage of the counter. I was mistakenly thinking about the allowance of the counter to increase by any increment. Still, this is a weakness of the U2F spec. In fact, there is no spec for counter usage on the RP (relying party) side, just an implementation consideration: > Relying parties should implement their own remediation strategies if they suspect token cloning due to non-increasing counter values. So you, the conscientious user, would need to verify with each site that they don't allow the counter to reset. Well, you would need to if the counter were implemented correctly with u2fzero. |
Could you elaborate more on that? How exactly I could use any counter value?