Closed igorlogvin closed 2 years ago
I found some info about signature count into spec
Authenticators SHOULD implement a signature counter feature.
The signature counter is incremented for each successful authenticatorGetAssertion operation by some positive value, and subsequent values are returned to the WebAuthn Relying Party within the authenticator data again.
But from iOS (iPhone, Mac etc.) sign counter is always 0. Is that bug in iOs?
Edit: Okay, i found some info in here
The signature counter is not implemented and therefore it is always zero. Secure Enclave is used to prevent the credential private key from leaking instead of a software safeguard.
Hi! This is allowed by the spec. Step 9 in §6.3.3. The authenticatorGetAssertion Operation reads:
[...] If the authenticator does not implement a signature counter, let the signature counter value remain constant at zero.
But thanks for pointing this out - I've opened w3c/webauthn#1734 to make this a bit more clear in section §6.1.1 too.
Hi @emlun Emil! I have some problem with signature count in assertion operation. After registration it's 0, is ok. But in assertion in first time and second time, signature count 0 again. UserHandle into
allowCredentials
is same for assertion operations. Here is mypublicKeyCredentialRequestOptions
And after my iPhone read my face, i get this response
And after java-webauthn-server parse
authenticatorData
, then signature count is 0. I dont understand why. Can you, please, explain me for that? We had such a process: we registered a credential in the database with signatureCount 0. Then we completed attestation and saved the new signatureCount (here it was valid, higher than what is stored in the database). Then we re-attested with new options with new challenge (logout and re-login with faceId), but the authenticator returned signatureCount = 0. Maybe it has something to do with what I write below.We testing Web authentication with java-webauthn-server on multiple devices and for some of them
response.userHandle
from the authenticator response, what i brought earlier, is null forpublicKeyCredentialRequestOptions
which you saw above. In what cases does this happen?