by agl
360 days ago
Setting a signature counter to constant zero is explicitly supported[1] and it's not a bug that it works. Google does not require the signature counter to increment; it's something else invalid about the response that's tripping it up. The security story for signature counters is subtle[2] and the vast (vast) majority of sites are correct not to require them. Using the Chrome virtual authenticator indeed works, and from the DevTools UI directly (three dots -> More Tools -> WebAuthn), no sockets required. It's not a vulnerability that it works. If it didn't, Apple, Google, and Microsoft would be effectively the only possible passkey providers. You can lock it down in enterprise environments if you need[3].

[1] https://www.w3.org/TR/webauthn-3/#sctn-sign-counter
[2] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...
[3] https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn...
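The comment above turns on how a relying party should treat the signature counter: a constant zero means "this authenticator does not implement a counter", and the spec tells the RP to skip the check in that case rather than reject. The following is an added example, not code from the comment author or from any Google or Chrome code; it parses the fixed 37-byte prefix of WebAuthn authenticator data (rpIdHash, flags, signCount) and applies the counter rule from the section of the spec cited as [1]. The sample authenticator data bytes are constructed here (an all-zero rpIdHash) purely so the block runs offline; the credential store is a plain dict standing in for a database.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Flag bits in the authenticator data flags byte (WebAuthn section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_USER_PRESENT)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed prefix of WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    followed by optional attested credential data and extensions, which an
    assertion check does not need and which are ignored here.
    """
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def evaluate_sign_count(stored: int, received: int) -> tuple[str, int]:
    """Apply the signature-counter rule from the WebAuthn assertion procedure.

    Returns (verdict, value_to_store):
      'no_counter'      both zero: the authenticator does not implement a
                        counter; accept and keep zero (this is the case the
                        comment describes as explicitly supported).
      'ok'              received > stored: accept and persist the new value.
      'possible_clone'  received <= stored with at least one nonzero: a signal
                        the authenticator may have been cloned; the spec leaves
                        it to the RP whether to fail or to feed risk scoring.
    """
    if stored == 0 and received == 0:
        return "no_counter", 0
    if received > stored:
        return "ok", received
    return "possible_clone", stored


def process_assertion(store: dict[str, int], cred_id: str, auth_data: bytes) -> str:
    """Verify the counter for one assertion and update the stored value.

    Signature verification, challenge and origin checks are out of scope here;
    this only shows the counter handling. `store` maps credential id -> last
    stored signCount (constructed stand-in for a database).
    """
    parsed = parse_authenticator_data(auth_data)
    if not parsed.user_present:
        raise ValueError("UP flag not set; user presence is required for an assertion")
    verdict, new_value = evaluate_sign_count(store.get(cred_id, 0), parsed.sign_count)
    store[cred_id] = new_value
    return verdict


def make_sample_auth_data(sign_count: int, flags: int = FLAG_USER_PRESENT | FLAG_USER_VERIFIED) -> bytes:
    """Construct sample authenticator data (all-zero rpIdHash) for offline demonstration."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    creds: dict[str, int] = {}
    # A virtual authenticator that always reports zero: every assertion is 'no_counter'.
    print(process_assertion(creds, "cred-zero", make_sample_auth_data(0)))
    print(process_assertion(creds, "cred-zero", make_sample_auth_data(0)))
    # A counting authenticator: 1, then 7 are accepted; a replayed 7 is flagged.
    for n in (1, 7, 7):
        print(process_assertion(creds, "cred-count", make_sample_auth_data(n)))
```

Note that a constant-zero counter and a counter that stops incrementing are distinguished only by whether a nonzero value was ever stored; once a credential has reported a nonzero count, any later zero is treated as a possible clone, which is why an authenticator that chooses not to implement a counter must report zero from the first assertion onward.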